A remote code execution vulnerability (CVE-2022-47966) impacting a number of Zoho ManageEngine on-premise products with SAML SSO enabled has been actively exploited, according to Rapid7.
Background
Deepwatch has also noticed activities that might point to exploitation attempts. A cybercriminal can take advantage of a SAML-enabled organization’s vulnerability by sending a specially prepared SAML response that enables remote code execution. A proof-of-concept exploit code released by Horizon3 will most likely be modified by threat actors and used by them to attempt manual and automated scanning and exploitation in order to acquire initial access to targeted victims.
A security advisory for CVE-2022-47966, which was found by Khoadha of Viettel Cyber Security and affected a number of products, was published by ManageEngine on January 10, 2023. An HTTP POST request containing a fraudulent SAML answer can be used by an attacker to acquire remote code execution. Due to the use of an obsolete version of Apache Santuario for XML signature validation, this vulnerability exists.
CVE-2022-47966 Analysis
A researcher at Viettel Cyber Security discovered CVE-2022-47966, an unauthenticated remote code execution flaw, in twenty ManageEngine products, including Access Manager Plus, ADSelfService Plus, Endpoint DLP, Password Manager Pro, PAM360, ServiceDesk Plus, and others.
An obsolete version of the Apache Santuario library, which implements security requirements for XML, was the cause of the vulnerability. A SAML request with an incorrect signature can be used to exploit the issue if SAML single sign-on is currently or has previously been enabled on those products.
By updating the third-party module to the most recent version, this problem has been resolved, according to ManageEngine. In October and November 2022, the company produced repaired versions of each product, and ideally, the majority of businesses have already upgraded their installations.
Timeline
The vulnerability, CVE-2022-47966, was discovered on December 26. Its description reads, “Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to the use of Apache xmlsec (aka XML Security for Java) 1.4.1 because the ManageEngine applications did not provide those protections.”
The vulnerability was described as a “pre-authentication remote code execution vulnerability” in the “ManageEngine CVE-2022-47966 IOCs” blog post by Horizon3 that was published in mid-January. If SAML single-sign-on is enabled or has ever been enabled, this vulnerability may be exploited depending on the individual ManageEngine product.
Since SAML is now active, more than 1,000 ManageEngine products are probably exposed to the internet, according to Horizon3’s initial blog post about the issue. There are 8,360 exposed instances of the ServiceDesk Plus and Endpoint Central products, 854 of which now support SAML, according to Horizon3’s scan of Shodan. Horizon3 bases its assumption on this 10% or so of all ManageEngine products that are accessible through the internet have SAML enabled. Additionally, Horizon3 makes the assumption that SAML-using firms tend to be bigger and more established, making them more likely to be valuable targets for threat actors.
Impact
The Horizon3 PoC exploit code will probably be modified by threat actors, who will then utilize it to attempt manual and automated scanning and exploitation in order to get initial access to victims. Organizations with internet-exposed susceptible ManageEngine on-premise products that have SAML enabled (or ever had it enabled) are very likely to be attacked due to the low number of exposed systems and the likely use of human and automated exploitation attempts.
The deployment of malware families like Cobalt Strike, cryptominers, and others has been caused by the active exploitation of software vulnerabilities, which has resulted in data exfiltration and encryption for extortion. Although security teams make an attempt to patch and secure systems, it is difficult to prevent or effectively remediate these types of incidents due to the speed and intelligence of threat actors.
Affected Products
| Product |
Affected Versions |
Fixed Versions |
| Only vulnerable if SAML-based SSO has been set up and is in use by your company. |
| Access Manager Plus |
4307 and below |
4308 |
| Analytics Plus |
5140 and below |
5150 |
| Application Control Plus |
10.1.2220.17 and below |
10.1.2220.18 |
| Browser Security Plus |
11.1.2238.5 and below |
11.1.2238.6 |
| Device Control Plus |
10.1.2220.17 and below |
10.1.2220.18 |
| Endpoint Central |
10.1.2228.10 and below |
10.1.2228.11 |
| Endpoint Central MSP |
10.1.2228.10 and below |
10.1.2228.11 |
| Endpoint DLP |
10.1.2137.5 and below |
10.1.2137.6 |
| Key Manager Plus |
6400 and below |
6401 |
| OS Deployer |
1.1.2243.0 and below |
1.1.2243.1 |
| PAM 360 |
5712 and below |
5713 |
| Password Manager Pro |
12123 and below |
12124 |
| Patch Manager Plus |
10.1.2220.17 and below |
10.1.2220.18 |
| Remote Access Plus |
10.1.2228.10 and below |
10.1.2228.11 |
| Remote Monitoring and Management (RMM) |
10.1.40 and below |
10.1.41 |
| Vulnerability Manager Plus |
10.1.2220.17 and below |
10.1.2220.18 |
Recommendations
- Beginning in late October 2022, Zoho patched the insecure ManageEngine products by updating the outdated dependency. Patching vulnerable products is strongly advised in order to stop attacks.
- Exploitable services are exposed by assets on the open internet. Where these services must be made available, make sure that the proper compensatory restrictions are in place to stop common abuse and exploitation.
- Examine systems for signs of exploitation.
