#VU21880 Improper Authentication in ManageEngine Applications Manager and Zoho ManageEngine OpManager


Vulnerability identifier: #VU21880

Vulnerability risk: High

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-15106

CWE-ID: CWE-287

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ManageEngine Applications Manager (Server applications / Remote management servers, RDP, SSH)
Zoho ManageEngine OpManager (Client/Desktop applications / Other client software)

Vendor: Zoho Corporation

Description

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to an improper implementation of the authentication process, which relies on the string username+'@opm' being used as the password within the Application Manager Plugin used in ManageEngine OpManager and Applications Manager. A remote attacker can bypass the authentication process and execute arbitrary commands on the system with the privileges of the user account.
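
The flaw class described above, as an added illustration that is not code from the vendor or from this advisory's sources: a password derived from the username is not a secret, while a random per-account secret stored as a salted hash is. All names here (weak_verify, HardenedStore, derived_guess_accepted, the svc-monitor account) are hypothetical and the data is constructed.

```python
import hashlib
import hmac
import secrets

SUFFIX = "@opm"  # suffix named in the advisory text


def weak_verify(username: str, password: str) -> bool:
    """Flawed pattern (CWE-287): the expected password is a pure function
    of the username, so knowing an account name is enough to log in."""
    return password == username + SUFFIX


class HardenedStore:
    """Hardened pattern: an independent random secret per account,
    stored only as a salted hash and compared in constant time."""

    def __init__(self) -> None:
        self._records = {}  # username -> (salt, derived key)

    @staticmethod
    def _derive(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def enroll(self, username: str) -> str:
        secret = secrets.token_urlsafe(32)  # returned once, never stored in clear
        salt = secrets.token_bytes(16)
        self._records[username] = (salt, self._derive(secret, salt))
        return secret

    def verify(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(self._derive(password, salt), expected)


def derived_guess_accepted(username: str) -> tuple:
    """Return (weak_result, hardened_result) for a password computed
    from the username alone."""
    store = HardenedStore()
    store.enroll(username)
    guess = username + SUFFIX
    return weak_verify(username, guess), store.verify(username, guess)


if __name__ == "__main__":
    # "svc-monitor" is a constructed sample account name.
    print(derived_guess_accepted("svc-monitor"))  # (True, False)
```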

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ManageEngine Applications Manager : 11.0 11010 - 14.3 14300

Zoho ManageEngine OpManager: 12.4 124000 - 12.4 124069, 12.3 12300 - 12.3.123240


External links
http://pentest.com.tr/exploits/DEFCON-ManageEngine-OpManager-v12-4-Unauthenticated-Remote-Command-Execution.html
http://www.manageengine.com/network-monitoring/security-updates/cve-2019-15106.html
http://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15106.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote unauthenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

