Critical Zoho Zero-Day Flaw Disclosed


UPDATE A zero-day vulnerability has been disclosed in the IT help desk ManageEngine software made by Zoho Corp. The serious vulnerability enables an unauthenticated, remote attacker to launch attacks on affected systems. Zoho has now [released a security update](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central>) addressing the vulnerability. As of Monday, March 9, the vulnerability has been observed being actively exploited in the wild, according to a [Center for Internet Security advisory](<https://www.cisecurity.org/advisory/a-vulnerability-in-manageengine-desktop-central-could-allow-for-remote-code-execution_2020-033/>). The vulnerability, [first reported by ZDNet](<https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/#ftag=RSSbaffb68>), exists in Zoho ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones, and more from a central location. Steven Seeley of Source Incite, [disclosed the flaw](<https://srcincite.io/advisories/src-2020-0011/>) on Twitter, Thursday, along with a proof of concept (PoC) exploit. According to ZDNet, the enterprise software development company will release a patch for the flaw on Friday. [![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>) “This vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Desktop Central. Authentication is not required to exploit this vulnerability,” according to Seeley. According to Seeley, the specific flaw exists within the FileStorage class of the Desktop Central. The FileStorage class is used to store data for reading data to or from a file. The issue results from improper validation of user-supplied data, which can result in deserialization of untrusted data. Seeley told Threatpost, attacker can leverage this vulnerability to execute code under the context of SYSTEM, giving them “full control of the target machine… basically the worst it gets.” > Since [@zoho](<https://twitter.com/zoho?ref_src=twsrc%5Etfw>) typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone. UnCVE'ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy! > > Advisory: <https://t.co/U9LZPp4l5o> Exploit: <https://t.co/LtR75bhooy> > > — ϻг_ϻε (@steventseeley) [March 5, 2020](<https://twitter.com/steventseeley/status/1235635108498948096?ref_src=twsrc%5Etfw>) According to Seeley, who also posted a [PoC attack for the flaw on Twitter](<https://srcincite.io/pocs/src-2020-0011.py.txt>), the vulnerability ranks 9.8 out of 10.0 on the CVSS scale, making it critical in severity. Nate Warfield, a security researcher with Microsoft, pointed to[ at least 2,300](<https://twitter.com/n0x08/status/1235637306838532096>) Zoho systems potentially exposed online. Rick Holland, CISO and vice president of strategy at Digital Shadows, said if an attacker can compromise a solution like ManageEngine, they have an “open season” on a target company’s environment. “An attacker has a myriad of options not limited to: accelerating reconnaissance of the target environment, deploying their malware including ransomware, or even remotely monitor users’ machines,” Holland told Threatpost. “Given that this vulnerability enables unauthenticated remote execution of code, it is even more vital that companies deploy a patch as soon as it becomes available. Internet-facing deployments of Desktop Central should be taken offline immediately.” Threatpost has reached out to Zoho via email and Twitter for further comment; the company has not yet responded. However Zoho said on Twitter, “we have identified the issue and are working on a patch with top priority. We will update once it is done.” > We have identified the issue and are working on a patch with top priority. We will update once it is done. ^BG > > — Zoho (@zoho) [March 6, 2020](<https://twitter.com/zoho/status/1235811733194682368?ref_src=twsrc%5Etfw>) Seeley told Threatpost that he didn’t contact Zoho before disclosing the vulnerability due to negative previous experiences with the company regarding vulnerability disclosure. “I have in the past for other critical vulnerabilities and they ignored me,” he said. This lack of responsible disclosure has drawn mixed opinions from security experts. Some, like Rui Lopes, engineering and technical support director at Panda Security, told Threatpost that the incident could leave vulnerable systems open to bad actors. “There seems to be some breakdown of communication between independent researchers and the solution vendors who offer centralized IT management platforms, which inevitably leads to inefficient patching protocols and the exposure of sensitive information that arms bad actors with threat vectors that would be otherwise unknown.” Tim Wade, technical director of the CTO Team at Vectra, told Threatpost that the incident highlights the need for better relationships between security researchers and organizations. “Allegedly, Zoho’s reputation for ignoring security researchers who’ve found exploitable bugs in their products factored into the decision for a direct release,” he said. “While the merits of this decision may be discussed fairly from multiple perspectives, at a minimum it underscores the need for software organizations to foster better relationships with the security community, and the seriousness of failing to do so.” Researchers previously found multiple critical flaws in 2018 in Zoho’s [ManageEngine software](<https://threatpost.com/multiple-critical-flaws-found-in-zohos-manageengine/129709/>). In all, seven vulnerabilities were discovered, each allowing an attacker to ultimately take control of host servers running ManageEngine’s SaaS suite of applications. Also previously a massive number of [keylogger phishing campaigns](<https://threatpost.com/keyloggers-turn-to-zoho-office-suite-in-droves-for-data-exfiltration/137868/>) were seen tied to the Zoho online office suite software; in an analysis, a full 40 percent spotted in October 2018 used a zoho.com or zoho.eu email address to exfiltrate data from victim machines. _This article was updated Friday at 4:36 pm to reflect that Zoho has released a patch; and on Monday at 4pm to reflect that the flaw is now being actively exploited in the wild._ **_Interested in security for the Internet of Things and how 5G will change the threat landscape? Join our free Threatpost webinar, [“5G, the Olympics and Next-Gen Security Challenges,”](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>) as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. [Register here](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>)._**