Microsoft has yanked the Windows Server updates it issued on Patch Tuesday after admins found that the updates had critical bugs that break three things: They trigger spontaneous boot loops on Windows servers that act as domain controllers, break Hyper-V and render ReFS volume systems unavailable.
The shattering of Windows was first reported by [BornCity](<https://borncity.com/win/2022/01/12/windows-server-januar-2022-sicherheitsupdates-verursachen-boot-schleife/>) on Tuesday, as in, on the same day that Microsoft released a mega-dump of 97 security updates in its [January 2022 Patch Tuesday](<https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/>) update.
This month’s batch included the Windows Server 2012 R2 KB5009624 update, the Windows Server 2019 KB5009557 update and the Windows Server 2022 KB5009555 update, all of which are apparently buggy.
“Administrators of Windows Domain Controllers should be careful about installing the January 2022 security updates,” reported [BornCity](<https://borncity.com/win/2022/01/12/windows-server-januar-2022-sicherheitsupdates-verursachen-boot-schleife/>), which is a blog about information technology run by German freelance writer and physics engineer Günter Born.
“I have now received numerous reports that Windows servers acting as domain controllers will not boot afterwards,” Born wrote. “Lsass.exe (or wininit.exe) triggers a blue screen with the stop error 0xc0000005. It can hit all Windows Server versions that act as domain controllers, according to my estimation.”
Domain controllers are servers that handle security authentication requests within a Windows domain. Microsoft’s Hyper-V, the other chunk of Windows being broken by the Windows Server updates, is a native hypervisor that can create virtual machines on x86-64 systems running Windows.
The third thing that’s shattering due to the updates, Resilient File System (ReFS), is a file system that’s designed to maximize data availability, scale efficiently to large data sets across diverse workloads and provide data integrity with resiliency to corruption, as Microsoft [describes](<https://docs.microsoft.com/en-us/windows-server/storage/refs/refs-overview>) it.
Born cited numerous reports from users who’ve concluded that the issue affects all supported Windows Server versions.
Multiple Reddit users confirmed the problems. [One commenter](<https://www.reddit.com/r/sysadmin/comments/s21ae1/january_updates_causing_unexpected_reboots_on/>) said that it “Looks like KB5009557 (2019) and KB5009555 (2022) are causing something to fail on domain controllers, which then keep rebooting every few minutes.”
Another Reddit contributor [said](<https://www.reddit.com/r/sysadmin/comments/s1oqv8/kb5009543_january_11_2022_breaks_l2tp_vpn/>) on Tuesday that they had just rebooted Win10 laptops that had installed the KB5009543 and KB5008876 updates and found that those updates are also breaking L2TP VPN connections.
“Now their L2TP VPNs to different sites (All SonicWalls) are not working,” the Redditor said, citing an error message that read: “The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.”
On Thursday, following the server update brouhaha, BleepingComputer [reported](<https://www.bleepingcomputer.com/news/microsoft/microsoft-pulls-new-windows-server-updates-due-to-critical-bugs/>) that Microsoft has pulled the January Windows Server cumulative updates, which are reportedly no longer accessible via Windows Update. As of Thursday afternoon, however, the company reportedly hadn’t pulled the Windows 10 and Windows 11 cumulative updates that were breaking L2TP VPN connections.
011422 08:48 UPDATE: Microsoft confirmed that it’s aware of the reports and is investigating. A spokesperson pointed users to the company’s customer guidance page for any known issues: [Windows release health | Microsoft Docs](<https://docs.microsoft.com/en-us/windows/release-health/>).
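For administrators who want to know whether a given server has picked up one of the updates named above before Microsoft pulled them, the following PowerShell script is an added example (not from the article, BornCity or Microsoft): it checks the host for the three Windows Server KB numbers listed in the article and reports whether the components the article says are affected (the domain controller role, Hyper-V, ReFS volumes) are present. It assumes an elevated session on a Windows Server host with the ServerManager and Storage modules available.

```powershell
# Added example (not from the article): inventory a Windows Server host against the
# January 2022 cumulative updates named in the article and report which of the
# affected components (domain controller role, Hyper-V, ReFS volumes) are present.
# Run in an elevated PowerShell session on the server being assessed.

# KB numbers exactly as listed in the article, keyed by the Windows Server release.
$SuspectUpdates = @{
    'KB5009624' = 'Windows Server 2012 R2'
    'KB5009557' = 'Windows Server 2019'
    'KB5009555' = 'Windows Server 2022'
}

function Get-SuspectHotfix {
    # Get-HotFix reads Win32_QuickFixEngineering; SilentlyContinue keeps it from
    # throwing when none of the listed KBs is installed on this host.
    Get-HotFix -Id $SuspectUpdates.Keys -ErrorAction SilentlyContinue |
        Select-Object HotFixID, InstalledOn,
            @{ Name = 'Release'; Expression = { $SuspectUpdates[$_.HotFixID] } }
}

function Test-DomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -eq 4 -or $role -eq 5)
}

function Test-HyperVInstalled {
    # Get-WindowsFeature exists only on Windows Server (ServerManager module).
    $feature = Get-WindowsFeature -Name 'Hyper-V' -ErrorAction SilentlyContinue
    return [bool]($feature -and $feature.Installed)
}

function Get-ReFSVolume {
    # FileSystemType is reported by the Storage module's Get-Volume.
    Get-Volume | Where-Object { $_.FileSystemType -eq 'ReFS' } |
        Select-Object DriveLetter, FileSystemLabel, Size
}

$installed = @(Get-SuspectHotfix)
$isDc      = Test-DomainController
$hyperV    = Test-HyperVInstalled
$refs      = @(Get-ReFSVolume)

"Host: $env:COMPUTERNAME"
"Domain controller: $isDc"
"Hyper-V role installed: $hyperV"
"ReFS volumes: $($refs.Count)"

if ($installed.Count -eq 0) {
    "None of the January 2022 Windows Server updates named in the article are installed."
} else {
    "Installed updates named in the article:"
    $installed | Format-Table -AutoSize
    # Exposure summary: the article ties each reported symptom to one of these components.
    if ($isDc) {
        "  -> DC role present: reported boot loops (lsass.exe / wininit.exe, stop 0xc0000005)."
    }
    if ($hyperV) {
        "  -> Hyper-V present: reported Hyper-V breakage."
    }
    if ($refs.Count -gt 0) {
        "  -> ReFS volumes present: reported ReFS volumes becoming unavailable."
    }
}
```

The script only reports; whether to hold, roll back or wait for a re-released update is a change-management decision for the environment in question.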
## When Patches Bite Back
How do you convince organizations to patch promptly when patches sometimes don’t work – or, worse, when they cause outages on critical infrastructure such as directory controllers?
It’s clearly a problem from a security perspective, experts say. “The [log4j](<https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/>) difficulties of the past few weeks demonstrate that … we need organizations to apply security patches when they are available,” said John Bambenek, principal threat hunter at Netenrich.
When patches don’t work, or worse, when they break things, it “provides the counter incentive to patching where organizations take a risk-averse approach to applying updates,” he told Threatpost on Thursday. “Downtime is easily measurable…the incremental risk of a security breach is not, which means cautious (instead of proactive) actions to patching will tend to win out.”
It’s a painful tradeoff to make between keeping your operations going by using systems with known vulnerabilities versus keeping those systems fully secure but with added administrative effort, noted Bud Broomhead, CEO at Viakoo. “Organizations make these tradeoffs every day with IoT devices that fail to get patched quickly (or ever); however, it’s uncommon to see this with Windows Server, because there are such effective mechanisms through Windows Update to deliver and install patches quickly.”
Broomhead suggested that despite the testing Microsoft goes through in releasing an update, one best practice is to always install a new patch on a single machine before deploying more broadly. “This can help Windows Server administrators to assess their specific issues, and their tolerance for running under those conditions until a more stable patch is available,” he told Threatpost.
That’s actually closer to the reality, noted Roy Horev, co-founder and CTO at Vulcan Cyber. “First, very rarely are patches ever directly applied straight from Microsoft, or any vendor, on Tuesday, or any other day, without first going through a series of tests to make sure they aren’t breaking things,” he pointed out.
Even so, it’s tough to implement vendor patches and updates without breaking things, he told Threatpost via email – even if those patches are delivered straight from Redmond. “The eternal compromise between secure and/or stable production environments doesn’t rest just because the updates are coming from Microsoft,” Horev commented.
{"id": "THREATPOST:2819C02936EF8F6F36ACF4F04F4B71DB", "vendorId": null, "type": "threatpost", "bulletinFamily": "info", "title": "Microsoft Yanks Buggy Windows Server Updates", "description": "Microsoft has yanked the Windows Server updates it issued on Patch Tuesday after admins found that the updates had critical bugs that break three things: They trigger spontaneous boot loops on Windows servers that act as domain controllers, break Hyper-V and render ReFS volume systems unavailable.\n\nThe shattering of Windows was first reported by [BornCity](<https://borncity.com/win/2022/01/12/windows-server-januar-2022-sicherheitsupdates-verursachen-boot-schleife/>) on Tuesday, as in, on the same day that Microsoft released a mega-dump of 97 security updates in its [January 2022 Patch Tuesday](<https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/>) update.\n\nThis month\u2019s batch included the Windows Server 2012 R2 KB5009624 update, the Windows Server 2019 KB5009557 update and the Windows Server 2022 KB5009555 update, all of which are apparently buggy.\n\n\u201cAdministrators of Windows Domain Controllers should be careful about installing the January 2022 security updates,\u201d reported [BornCity](<https://borncity.com/win/2022/01/12/windows-server-januar-2022-sicherheitsupdates-verursachen-boot-schleife/>), which is a blog about information technology run by German freelance writer and physics engineer G\u00fcnter Born.\n\n\u201cI have now received numerous reports that Windows servers acting as domain controllers will not boot afterwards,\u201d Born wrote. \u201cLsass.exe (or wininit.exe) triggers a blue screen with the stop error 0xc0000005. It can hit all Windows Server versions that act as domain controllers, according to my estimation.\u201d\n\nDomain controllers are servers that handle security authentication requests within a Windows domain. 
Microsoft\u2019s Hyper-V, the other chunk of Windows being broken by the Windows Server updates, is a native hypervisor that can create virtual machines on x86-64 systems running Windows.\n\nThe third thing that\u2019s shattering due to the updates, Resilient File System (ReFS), is a file system that\u2019s designed to maximize data availability, scale efficiently to large data sets across diverse workloads and provide data integrity with resiliency to corruption, as Microsoft [describes](<https://docs.microsoft.com/en-us/windows-server/storage/refs/refs-overview>) it.\n\nBorn cited numerous reports from users who\u2019ve concluded that the issue affects all supported Windows Server versions.\n\nMultiple Reddit users confirmed the problems. [One commenter](<https://www.reddit.com/r/sysadmin/comments/s21ae1/january_updates_causing_unexpected_reboots_on/>) said that it \u201cLooks like KB5009557 (2019) and KB5009555 (2022) are causing something to fail on domain controllers, which then keep rebooting every few minutes.\u201d\n\nAnother Reddit contributor [said](<https://www.reddit.com/r/sysadmin/comments/s1oqv8/kb5009543_january_11_2022_breaks_l2tp_vpn/>) on Tuesday that they had just rebooted Win10 laptops that had the installed KB5009543 & KB5008876 updates and found that they\u2019re also breaking L2TP VPN connections.\n\n\u201cNow their L2TP VPNs to different sites (All SonicWalls) are not working,\u201d the Redditor said, citing an error message that read: \u201cThe L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.\u201d\n\nOn Thursday, following the server update brouhaha, BleepingComputer [reported](<https://www.bleepingcomputer.com/news/microsoft/microsoft-pulls-new-windows-server-updates-due-to-critical-bugs/>) that Microsoft has pulled the January Windows Server cumulative updates, which are reportedly no longer accessible via Windows Update. 
As of Thursday afternoon, however, the company reportedly hadn\u2019t pulled the Windows 10 and Windows 11 cumulative updates that were breaking L2TP VPN connections.\n\n011422 08:48 UPDATE: Microsoft confirmed that it\u2019s aware of the reports and is investigating. A spokesperson pointed users to the company\u2019s customer guidance page for any known issues: [Windows release health | Microsoft Docs](<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Frelease-health%2F&data=04%7C01%7Cmmaclachlan%40we-worldwide.com%7Ca95e18bba6204baad99208d9d6f38898%7C3ed60ab455674971a5341a5f0f7cc7f5%7C0%7C0%7C637777163738633134%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=cwm6AQvP2A1g8dItDwBH4zoS9ETJWW7WoXE6SA4R6pE%3D&reserved=0>).\n\n## When Patches Bite Back\n\nHow do you convince organizations to patch promptly when patches sometimes don\u2019t work \u2013 or, worse, when they cause outages on critical infrastructure such as directory controllers?\n\nIt\u2019s clearly a problem from a security perspective, experts say. \u201cThe [log4j](<https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/>) difficulties of the past few weeks demonstrate that \u2026 we need organizations to apply security patches when they are available,\u201d said John Bambenek, principal threat hunter at Netenrich.\n\nWhen patches don\u2019t work, or worse, when they break things, it \u201cprovides the counter incentive to patching where organizations take a risk-averse approach to applying updates,\u201d he told Threatpost on Thursday. 
\u201cDowntime is easily measurable\u2026the incremental risk of a security breach is not, which means cautious (instead of proactive) actions to patching will tend to win out.\u201d\n\nIt\u2019s a painful tradeoff to make between keeping your operations going by using systems with known vulnerabilities versus keeping those systems fully secure but with added administrative effort, noted Bud Broomhead, CEO at Viakoo. \u201cOrganizations make these tradeoffs every day with IoT devices that fail to get patched quickly (or ever); however, it\u2019s uncommon to see this with Windows Server, because there are such effective mechanisms through Windows Update to deliver and install patches quickly.\u201d\n\nBroomhead suggested that despite the testing Microsoft goes through in releasing an update, one best practice is to always install a new patch on a single machine before deploying more broadly. \u201cThis can help Windows Server administrators to assess their specific issues, and their tolerance for running under those conditions until a more stable patch is available,\u201d he told Threatpost.\n\nThat\u2019s actually closer to the reality, noted Roy Horev, co-founder and CTO at Vulcan Cyber. \u201cFirst, very rarely are patches ever directly applied straight from Microsoft, or any vendor, on Tuesday, or any other day, without first going through a series of tests to make sure they aren\u2019t breaking things,\u201d he pointed out.\n\nEven so, it\u2019s tough to implement vendor patches and updates without breaking things, he told Threatpost via email \u2013 even if those patches are delivered straight from Redmond. 
\u201cThe eternal compromise between secure and/or stable production environments doesn\u2019t rest just because the updates are coming from Microsoft,\u201d Horev commented.\n\n**Password** **Reset: ****[On-Demand Event](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>):** Fortify 2022 with a password security strategy built for today\u2019s threats. This [Threatpost Security Roundtable](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>), built for infosec professionals, centers on enterprise credential management, the _new_ password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. **[Register & Stream this FREE session today](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>)** \u2013 sponsored by Specops Software.\n", "published": "2022-01-13T23:08:53", "modified": "2022-01-13T23:08:53", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://threatpost.com/microsoft-yanks-buggy-windows-server-updates/177648/", "reporter": "Lisa Vaas", "references": ["https://borncity.com/win/2022/01/12/windows-server-januar-2022-sicherheitsupdates-verursachen-boot-schleife/", "https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/", "https://borncity.com/win/2022/01/12/windows-server-januar-2022-sicherheitsupdates-verursachen-boot-schleife/", "https://docs.microsoft.com/en-us/windows-server/storage/refs/refs-overview", "https://www.reddit.com/r/sysadmin/comments/s21ae1/january_updates_causing_unexpected_reboots_on/", "https://www.reddit.com/r/sysadmin/comments/s1oqv8/kb5009543_january_11_2022_breaks_l2tp_vpn/", "https://www.bleepingcomputer.com/news/microsoft/microsoft-pulls-new-windows-server-updates-due-to-critical-bugs/", 
"https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Frelease-health%2F&data=04%7C01%7Cmmaclachlan%40we-worldwide.com%7Ca95e18bba6204baad99208d9d6f38898%7C3ed60ab455674971a5341a5f0f7cc7f5%7C0%7C0%7C637777163738633134%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=cwm6AQvP2A1g8dItDwBH4zoS9ETJWW7WoXE6SA4R6pE%3D&reserved=0", "https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/", "https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/", "https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/", "https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/"], "cvelist": ["CVE-2021-44757"], "immutableFields": [], "lastseen": "2022-01-18T16:18:10", "viewCount": 39, "enchantments": {"dependencies": {"references": [{"type": "cisa", "idList": ["CISA:5AF9A0A9C471BAA02A04E99AE31ED456"]}, {"type": "cnvd", "idList": ["CNVD-2022-06894"]}, {"type": "cve", "idList": ["CVE-2021-44757"]}, {"type": "hivepro", "idList": ["HIVEPRO:EBE89D6C841CF2A41508860258C415CD"]}, {"type": "nessus", "idList": ["MANAGEENGINE_DESKTOP_CENTRAL_10_1_2137_9.NASL", "MANAGEENGINE_DESKTOP_CENTRAL_CVE-2021-44757.NBIN"]}, {"type": "thn", "idList": ["THN:A29E47C7A7467A109B420FF0819814EE"]}, {"type": "threatpost", "idList": ["THREATPOST:0461DD3D883C3FB99943B312BF96E57D", "THREATPOST:31B21CE688CDF18D92BF7799CEAFD33F", "THREATPOST:98AF08B524D08ABCEB115FECEE99B70F"]}]}, "score": {"value": -0.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "cisa", "idList": ["CISA:5AF9A0A9C471BAA02A04E99AE31ED456"]}, {"type": "cve", "idList": ["CVE-2021-44757"]}, {"type": "hivepro", "idList": ["HIVEPRO:EBE89D6C841CF2A41508860258C415CD"]}, {"type": "mskb", "idList": ["KB5009543", "KB5009555", "KB5009557", "KB5009624"]}, {"type": "nessus", "idList": 
["MANAGEENGINE_DESKTOP_CENTRAL_10_1_2137_9.NASL"]}, {"type": "thn", "idList": ["THN:A29E47C7A7467A109B420FF0819814EE"]}, {"type": "threatpost", "idList": ["THREATPOST:050A36E6453D4472A2734DA342E95366", "THREATPOST:98AF08B524D08ABCEB115FECEE99B70F"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2021-44757", "epss": "0.001540000", "percentile": "0.499730000", "modified": "2023-03-18"}], "vulnersScore": -0.6}, "_state": {"dependencies": 1678920471, "score": 1684013037, "epss": 1679176287}, "_internal": {"score_hash": "263073303fc22ceae95d72d6973ee13b"}}
{"threatpost": [{"lastseen": "2022-01-18T16:17:40", "description": "Researchers have discovered three [WordPress plug-ins](<https://threatpost.com/wordpress-plugin-bug-wipe-sites/175826/>) with the same vulnerability that allows an attacker to update arbitrary site options on a vulnerable site and completely take it over. Exploiting the flaw does require some action from the site administrator, however.\n\nOn Nov. 5, 2021, the Wordfence Threat Intelligence team started a process to disclose a vulnerability researchers had found in \u201c[Login/Signup Popup](<https://wordpress.org/plugins/easy-login-woocommerce>),\u201d a [WordPress plug-in](<https://threatpost.com/frontend-file-manager-wordpress-bugs/167687/>) installed on more than 20,000 sites, Wordfence\u2019s Chloe Chamberland wrote [in a post](<https://www.wordfence.com/blog/2022/01/84000-wordpress-sites-affected-by-three-plugins-with-the-same-vulnerability/?utm_medium=email&_hsmi=200773868&_hsenc=p2ANqtz-8wONqcLAiQD8o__3dsSDSjuLwHX4hhqMgH_Vvhs-LcUGTU2JWYOvVeflfGHs_Uz1VP67vtVIWObFp9507lPzgx4OjFww&utm_content=200773868&utm_source=hs_email>) published online Thursday.\n\nHowever, a few days later they discovered that the flaw was present in two other plug-ins by the same developer, who goes by the online name of [XootiX.](<https://xootix.com/>) They are \u201c[Side Cart Woocommerce (Ajax)](<https://wordpress.org/plugins/side-cart-woocommerce/>),\u201d which has been installed on more than 60,000 sites, and \u201c[Waitlist Woocommerce (Back in stock notifier)](<https://wordpress.org/plugins/waitlist-woocommerce/>),\u201d which has been installed on more than 4,000.\n\nLogin/Signup Popup is a \u201csimple and lightweight\u201d plug-in aimed at streamlining a site\u2019s registration, login and password reset processes, according to its description online. 
Side Cart Woocommerce \u2013 designed to work with the Woocommerce plugin for creating an e-commerce store \u2013 allows a site\u2019s users to access items they\u2019ve placed into a shopping cart using from anywhere on the site. Waitlist Woocommerce \u2013 also to be used with Woocommerce \u2013 adds the functionality of tracking demand for out-of-stock items to an e-commerce site.\n\nAs of now, all of the plug-ins have been updated and the flaw patched, according to the post. On Nov. 24, the developer released a patched version of Login/Signup Popup as version 2.3. Later, on Dec. 17, a patched version of Waitlist Woocommerce, version 2.5.2, was released; and a patched version of Side Cart Woocommerce, version 2.1, was released.\n\nStill, the discovery of the bug\u2019s multiple occurrences reflects an ongoing issue with WordPress plug-ins being riddled with flaws. Indeed, vulnerabilities in the plug-ins [skyrocketed](<https://www.riskbasedsecurity.com/2022/1/11/wordpress-vulnerabilities-more-than-doubled-in-2021/>) with triple-digit growth in 2021, according to RiskBased Security.\n\n## **How the Flaw Works**\n\nThe vulnerability found by the Wordfence team is fairly straightforward, Chamberland wrote. All three plug-ins register the save_settings function, which is initiated via a wp_ajax action, they said.\n\nIn each of the plug-ins, \u201cthis function was missing a nonce check, which meant that there was no validation on the integrity of who was conducting the request,\u201d according to the post.\n\nWhat this sets up is a scenario in which an attacker can craft a request that would trigger the AJAX action and execute the function, Chamberland wrote. 
However, action from the site\u2019s administrator \u2013 \u201clike clicking on a link or browsing to a certain website while the administrator was authenticated to the target site\u201d \u2013 is needed to fully exploit the flaw, she said.\n\nIn these cases, \u201cthe request would be successfully sent and trigger the action which would allow the attacker to update arbitrary options on that website,\u201d she explained in the post.\n\nExploiting Arbitrary Options Update vulnerabilities in this way is something threat actors \u201cfrequently abuse,\u201d allowing them to update any option on a WordPress website and to ultimately take it over, Chambers noted.\n\nThis latter privilege occurs if an attacker sets \u201cthe user_can_register option to true and the default_role option to administrator so that they can register on the vulnerable site as an administrator,\u201d she explained.\n\n## **Risks and Mitigations**\n\nThough the fact that the flaws found in the plug-ins require administrator action makes them \u201cless likely to be exploited,\u201d they can have \u201csignificant impact\u201d if they are exploited, Chamberland said.\n\n\u201cAs such, it serves as an incredibly important reminder to remain aware when clicking on links or attachments and to ensure that you are regularly keeping your plug-ins and themes up to date,\u201d she advised.\n\nRecommended actions for WordPress users who use the plug-ins are to verify that their site has been updated to the latest patched version available for each of them. That would be version 2.3 for \u201cLogin/Signup Popup\u201d, version 2.5.2 for \u201cWaitlist Woocommerce (Back in stock notifier )\u201d, and version 2.1 for \u201cSide Cart Woocommerce (Ajax),\u201d according to the post.\n\nAll Wordfence users are protected against the vulnerability, according to the post. Wordfence Premium users received a firewall rule to protect against any exploits targeting them on Nov. 
5, and sites still using the free version of Wordfence received the same protection on Dec. 5.\n\n**Password** **Reset: ****[On-Demand Event](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>):** Fortify 2022 with a password security strategy built for today\u2019s threats. This [Threatpost Security Roundtable](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>), built for infosec professionals, centers on enterprise credential management, the _new_ password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. **[Register & Stream this FREE session today](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>)** \u2013 sponsored by Specops Software.\n", "cvss3": {}, "published": "2022-01-14T14:07:36", "type": "threatpost", "title": "Three Plugins with Same Bug Put 84K WordPress Sites at Risk", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-44757"], "modified": "2022-01-14T14:07:36", "id": "THREATPOST:31B21CE688CDF18D92BF7799CEAFD33F", "href": "https://threatpost.com/plugins-vulnerability-84k-wordpress-sites/177654/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-01-18T16:19:04", "description": "At the request of U.S. authorities. Russia\u2019s Federal Security Service (FSB) has swooped in to \u201cliquidate\u201d the REvil ransomware gang, it said on Friday.\n\nAccording to [local reports](<https://www.rbc.ru/politics/14/01/2022/61e171599a79479dde32112e?from=from_main_1>), the country\u2019s main security agency raided 25 locations in Leningrad, Lipetsk, Moscow and St. 
Petersburg, seizing assets worth more than $5.6 million (426 million rubles) in various forms, including $600,000; \u20ac500,000; various cryptocurrency amounts; and 20 luxury vehicles.\n\nThe FSB said that a total of 14 alleged cybercriminals were also caught up in the raid and have been charged with \u201cillegal circulation of means of payment.\u201d The security service also said that it \u201cneutralized\u201d the gang\u2019s infrastructure.\n\nThe impetus for the attack was reportedly a formal request for action from U.S. authorities, \u201creporting about the leader of the criminal community and his involvement in encroachments on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption,\u201d according to an FSB media statement.\n\nIt added, \u201cAs a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized. Representatives of the competent U.S. authorities have been informed about the results of the operation.\u201d\n\nThe move comes two weeks after a [high-stakes phone call](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/12/30/statement-by-press-secretary-jen-psaki-on-president-bidens-phone-call-with-president-vladimir-putin-of-russia/>) between Russian President Vladimir Putin and U.S. President Joe Biden, who has been calling for action against Russia-dwelling ransomware gangs for months.\n\nREvil (aka Sodinokibi) once rose to dominance as a major fixture in the ransomware extortion racket \u2013 locking up big-fish target networks ([like JBS Foods](<https://threatpost.com/revil-ransomware-ground-down-jbs-sources/166597/>)) and extracting millions in ransom payments. 
It made headlines last year with the [sprawling zero-day supply-chain attacks](<https://threatpost.com/kaseya-patches-zero-days-revil-attacks/167670/>) on Kaseya\u2019s customers; and [was linked to](<https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/>) the infamous Colonial Pipeline cyberattack. All of that sparked an official shout-out from Biden in the summer, with a demand that Putin shut down ransomware groups nesting in his country.\n\nShortly after that, in July, REvil\u2019s servers [mysteriously went dark](<https://threatpost.com/ransomware-revil-sites-disappears/167745/>) and stayed that way for two months. But by late summer, the group [was reborn](<https://threatpost.com/revil-back-coder-decryptor-key/169403/>) as a ransomware-as-a-service (RaaS) player, though by all accounts it was operating at a fraction of its former power and missing key personnel. Its main coder, UNKN (aka Unknown), for instance, reportedly left the group. It also got into trouble in the cyber-underground for cutting its RaaS affiliates [out of their fair share](<https://threatpost.com/how-revil-may-have-ripped-off-its-own-affiliates/174887/>) of ransom payments.\n\nChris Morgan, senior cyber-threat intelligence analyst at Digital Shadows, noted that FSB\u2019s actions sparked some chatter on the cyber-underground about REvil falling prey to political machinations.\n\n\u201cIt\u2019s likely that the arrests against REvil members were politically motivated, with Russia looking to use the event as leverage; it could be debated that this may relate to sanctions against Russia recently proposed in the US, or the developing situation on Ukraine\u2019s border,\u201d he said. 
\u201cChatter on Russian cybercriminal forums identified this sentiment.\u201d\n\nHe said that one user suggested that REvil members are \u201cpawns in a big political game,\u201d while another user suggested that Russia made the arrests \u201con purpose\u201d so that the United States would \u201ccalm down.\u201d\n\n## **REvil Takedown: Will it Matter?**\n\nThe reported takedown may have defanged a brand-name ransomware operator, but REvil is far from what it used to be, and other groups continue to strike with impunity. LockBit 2.0, [for instance](<https://threatpost.com/lockbit-ransomware-proliferates-globally/168746/>), has been flourishing, as evidenced by Herjavec Group\u2019s LockBit 2.0 profile and its long list of LockBit 2.0\u2019s victims.\n\nRansomware opportunities are growing in availability, too; Group-IB [recently found](<https://threatpost.com/double-extortion-ransomware-data-leaks/176723/>) that 21 new RaaS affiliate programs sprang up over the past year, and the number of new double-extortion leak sites more than doubled to 28, the report said.\n\nIn other words, this action may be simply a tiny win in the much larger battle against ransomware. But REvil has become an important symbolic target in the fight \u2013 not least for its potential ties to Colonial Pipeline \u2013 and has been increasingly in government crosshairs worldwide.\n\nIn October, a [multi-country undercover effort](<https://threatpost.com/revil-servers-offline-governments/175675/>) led to REvil\u2019s servers being temporarily taken offline. In November, Europol [announced the arrest](<https://threatpost.com/revil-affiliates-arrested-doj-europol/176087/>) of a total of seven suspected REvil/GandCrab ransomware affiliates \u2013 including a Ukrainian national charged by the United States with ransomware assaults that include the Kaseya attacks. 
Other countries have also snagged affiliates (random cyberattackers who rent REvil\u2019s infrastructure), which doesn\u2019t affect the main gang; but in October, Germany identified an alleged core REvil operator, hiding in Russia and far from the reach of extradition.\n\nRussia, for its part, may gain some kudos for this week\u2019s action, though researchers have long noted that the country has become a safe haven for ransomware masterminds, who avoid attacking Russian targets in exchange.\n\n\u201cIn Russia, they literally have no fear of being arrested,\u201d Jon DiMaggio, threat group researcher and chief security strategist at Analyst1, recently said, discussing the cyber-underground\u2019s collective shrug at the November news that REvil affiliates were being busted. \u201cThey make comments like, \u2018protect the motherland, the motherland protects you\u2019\u2026They put Russian flag icons on their messages.\u201d\n\nCould that be changing? Only time will tell, researchers said.\n\n\u201cRussia acting on any cybercrime report, especially ransomware, is especially rare,\u201d John Bambenek, principal threat hunter at Netenrich, told Threatpost. \u201cUnless it involves child exploitation or Chechens, cooperation with the FSB just doesn\u2019t happen. 
It is doubtful that this represents a major change in Russia\u2019s stance to criminal activity within their borders (unless they target Russian citizens) and more that their diplomatic position is untenable and they needed to sacrifice a few expendables to stall more serious geopolitical pressure.\u201d\n\nHe added, \u201cIf this time in three months there isn\u2019t another major arrest, it\u2019s safe to assume no real change has happened with Russia\u2019s approach.\u201d\n\n\u201cIt\u2019s possible that the FSB raided REvil knowing that the group were high on the priority list for the U.S., while considering that their removal would have a small impact on the current ransomware landscape,\u201d Digital Shadows\u2019 Morgan added.\n", "cvss3": {}, "published": "2022-01-14T14:45:35", "type": "threatpost", "title": "Russian Security Takes Down REvil Ransomware Gang", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-44757"], "modified": "2022-01-14T14:45:35", "id": "THREATPOST:0461DD3D883C3FB99943B312BF96E57D", "href": "https://threatpost.com/russian-security-revil-ransomware/177660/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-01-18T16:16:07", "description": "A critical security vulnerability in the Zoho ManageEngine Desktop Central and Desktop Central MSP platforms could allow authentication bypass, the company has warned.\n\nThe bug (CVE-2021-44757) could allow a remote user to \u201cperform unauthorized actions in the server,\u201d according to the company\u2019s Monday [security advisory](<https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022>). \u201cIf exploited, this vulnerability may allow an attacker to read unauthorized data or write an arbitrary .ZIP file on the server.\u201d\n\nZoho\u2019s ManageEngine Desktop Central is a unified endpoint management (UEM) solution that lets IT admins manage servers, laptops, desktops, smartphones and tablets from a central location. 
Users can automate routines like installing patches, deploying software, imaging and deploying OS, according to the company\u2019s [documentation.](<https://www.manageengine.com/products/desktop-central/software-installation-supported-executables-how-to.html>) It can also be used to manage assets and software licenses, monitor software-usage statistics, manage USB device usage, take control of remote desktops, and more.\n\nOn the mobile side, users can deploy profiles and policies; configure devices for Wi-Fi, VPNs, email accounts and so on; apply restrictions on application installs, camera usage and the browser; and manage security with passcodes and remote lock/wipe functionality.\n\nAs such, the platform offers far-reaching access into the guts of an organization\u2019s IT footprint, making for an information-disclosure nightmare in the case of an exploit, potentially. As well, the [ability to install a .ZIP file](<https://www.manageengine.com/products/desktop-central/software-installation-supported-executables-how-to.html>) paves the way for the installation of malware on all of the endpoints managed by the Desktop Central instance.\n\nIn the case of the MSP version \u2013 which, as its name suggests, allows managed service providers (MSPs) to offer endpoint management to their own customers \u2013 the bug could be used in a [supply-chain attack](<https://threatpost.com/kaseya-attack-fallout/167541/>). Cybercriminals can simply compromise one MSP\u2019s Desktop Central MSP edition and potentially gain access to the customers whose footprints are being managed using it, depending on security measures the provider has put in place.\n\nZoho ManageEngine [released a Knowledge Base entry detailing patches](<https://www.manageengine.com/products/desktop-central/cve-2021-44757.html>) on Monday, and users are encouraged to update to the latest build in order to protect themselves. 
The firm also offered tips for general hardening of Desktop Central environments in the KB article.\n\n## **Zoho ManageEngine: Popular for Zero-Day Attacks**\n\nThe company didn\u2019t say whether the bug has been under attack as a zero-day vulnerability, but it\u2019s a good bet that cyberattackers will start targeting it for exploit if they haven\u2019t already. The ManageEngine platform is a popular one for attackers, given its all-seeing nature.\n\nThis played out in September, for instance, when a critical security vulnerability (CVE-2021-40539) in the Zoho ManageEngine ADSelfService Plus platform was patched; it could allow remote attackers to bypass authentication and have free rein across users\u2019 Active Directory (AD) and cloud accounts. But it was [under active attack](<https://threatpost.com/zoho-password-manager-zero-day-attack/169303/>) even before it was fixed, according to the Cybersecurity and Infrastructure Security Agency (CISA).\n\nIn December, the FBI even went so far as to issue [an official alert](<https://threatpost.com/zoho-zero-day-manageengine-active-attack/177178/>) after a Zoho ManageEngine zero-day vulnerability was found to be under active attack from an advanced persistent threat (APT) group. That bug (CVE-2021-44515) could allow remote attackers to override legitimate functions of servers running ManageEngine Desktop Central and to elevate privileges \u2013 with an ultimate goal of dropping malware onto organizations\u2019 networks.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-01-18T15:44:21", "type": "threatpost", "title": "Critical ManageEngine Desktop Server Bug Opens Orgs to Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44515", "CVE-2021-44757"], "modified": "2022-01-18T15:44:21", "id": "THREATPOST:98AF08B524D08ABCEB115FECEE99B70F", "href": "https://threatpost.com/critical-manageengine-desktop-server-bug-malware/177705/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], 
"cisa": [{"lastseen": "2022-01-25T11:31:01", "description": "Zoho has released a security advisory to address an authentication bypass vulnerability (CVE-2021-44757) in ManageEngine Desktop Central and Desktop Central MSP. An attacker could exploit this vulnerability to take control of an affected system.\n\nCISA encourages users and administrators to review the [Zoho Vulnerability Notification](<https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022>) and the Zoho [ManageEngine Desktop Central](<https://www.manageengine.com/products/desktop-central/cve-2021-44757.html>) and [ManageEngine Desktop Central MSP](<https://www.manageengine.com/desktop-management-msp/cve-2021-44757.html>) security advisories and apply the recommended mitigations immediately.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-01-19T00:00:00", "type": "cisa", "title": "Zoho Releases Security Advisory for ManageEngine Desktop Central and Desktop Central MSP", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44757"], "modified": "2022-01-19T00:00:00", "id": "CISA:5AF9A0A9C471BAA02A04E99AE31ED456", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/01/19/zoho-releases-security-advisory-manageengine-desktop-central-and", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "cve": [{"lastseen": "2023-05-23T15:50:15", "description": "Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-01-18T10:15:00", "type": "cve", "title": "CVE-2021-44757", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44757"], "modified": "2022-07-12T17:42:00", "cpe": [], "id": "CVE-2021-44757", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44757", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "cpe23": []}], "hivepro": [{"lastseen": "2022-01-24T21:31:26", "description": "THREAT LEVEL: Amber.\n\nZoho has patched a critical vulnerability (CVE-2021-44757) in Desktop Central and Desktop Central MSP, which are unified endpoint management (UEM) solutions. A security vulnerability exists in Desktop Central and Desktop Central MSP that allows a remote user to bypass the authentication mechanism. Successful exploitation of this issue may allow an attacker to read unauthorized data or write an arbitrary zip file on the server. Similar Zoho ManageEngine vulnerabilities were primarily targeted by many APT groups in 2021. Around 2,800 ManageEngine Desktop Central instances were found to be exposed in a Shodan search. Hive Pro researchers strongly recommend that affected customers upgrade to a fixed version before any exploitation occurs.\n\nVulnerability Details\n\nPatch Link\n\nhttps://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022\n\nReferences\n\nhttps://thehackernews.com/2022/01/high-severity-vulnerability-in-3.html\nhttps://securityaffairs.co/wordpress/126821/hacking/wordpress-plugins-flaws-2.html?utm_source=rss&utm_medium=rss&utm_campaign=wordpress-plugins-flaws-2\nhttps://www.bleepingcomputer.com/news/security/zoho-plugs-another-critical-security-hole-in-desktop-central/", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-01-19T13:49:50", "type": "hivepro", "title": "Zoho ManageEngine Desktop Central affected by critical vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44757"], "modified": "2022-01-19T13:49:50", "id": "HIVEPRO:EBE89D6C841CF2A41508860258C415CD", "href": "https://www.hivepro.com/zoho-manageengine-desktop-central-affected-by-critical-vulnerability/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "cnvd": [{"lastseen": "2022-11-04T14:31:36", "description": "ZOHO ManageEngine 
Desktop Central (DC) is a desktop management solution from ZOHO, Inc. The solution includes software distribution, patch management, system configuration, remote control and other functional modules to support the entire lifecycle of desktop and server management.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-01-18T00:00:00", "type": "cnvd", "title": "ZOHO ManageEngine Desktop Central Licensing Issue Vulnerability", "bulletinFamily": "cnvd", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44757"], "modified": "2022-01-26T00:00:00", "id": "CNVD-2022-06894", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-06894", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "nessus": [{"lastseen": "2023-05-18T14:39:58", "description": "The ManageEngine Desktop Central application running on the remote host is affected by an authentication bypass vulnerability which allows an adversary to bypass authentication and read unauthorized data or write an arbitrary zip file on the Desktop Central server.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's 
self-reported version number.", "cvss3": {}, "published": "2022-01-18T00:00:00", "type": "nessus", "title": "ManageEngine Desktop Central < 10.1.2137.9 Authentication Bypass (CVE-2021-44757)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44757"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_desktop_central"], "id": "MANAGEENGINE_DESKTOP_CENTRAL_10_1_2137_9.NASL", "href": "https://www.tenable.com/plugins/nessus/156790", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156790);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2021-44757\");\n script_xref(name:\"IAVA\", value:\"2022-A-0040\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0003\");\n\n script_name(english:\"ManageEngine Desktop Central < 10.1.2137.9 Authentication Bypass (CVE-2021-44757)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a Java-based web application that is affected by an authentication bypass vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The ManageEngine Desktop Central application running on the remote host is affected by an authentication bypass\nvulnerability which allows an adversary to bypass authentication and read unauthorized data or write an arbitrary zip\nfile on the Desktop Central server.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?851289b8\");\n # 
https://www.manageengine.com/products/desktop-central/cve-2021-44757.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0266c4d4\");\n script_set_attribute(attribute:\"solution\", value:\n\"See vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44757\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zohocorp:manageengine_desktop_central\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"manageengine_desktop_central_installed.nbin\");\n script_require_keys(\"installed_sw/ManageEngine Desktop Central\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app_info = vcf::get_app_info(app:'ManageEngine Desktop Central', win_local:TRUE);\n\nvar constraints = [\n {'fixed_version':'10.1.2137.9'},\n {'min_version':'10.1.2140', 'fixed_version':'10.1.2150', 'fixed_display':'See vendor advisory'}\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-18T15:56:17", "description": "The ManageEngine Desktop Central application running on the remote is affected by an authentication bypass vulnerability. An unauthenticated, remote attacker can exploit this to read sensitive information or upload an arbitrary ZIP archive to the server.", "cvss3": {}, "published": "2022-03-24T00:00:00", "type": "nessus", "title": "ManageEngine Desktop Central < 10.1.2137.9 Authentication Bypass (uncredentialed check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44757"], "modified": "2023-07-17T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_desktop_central"], "id": "MANAGEENGINE_DESKTOP_CENTRAL_CVE-2021-44757.NBIN", "href": "https://www.tenable.com/plugins/nessus/159203", "sourceData": "Binary data manageengine_desktop_central_cve-2021-44757.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}], "prion": [{"lastseen": "2023-08-16T08:12:12", "description": "Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-01-18T10:15:00", "type": "prion", "title": "CVE-2021-44757", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44757"], "modified": "2022-07-12T17:42:00", "id": "PRION:CVE-2021-44757", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-44757", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "thn": [{"lastseen": "2022-05-09T12:37:42", "description": "Enterprise software maker Zoho on Monday issued patches for a critical security vulnerability in Desktop Central and Desktop Central MSP that a remote adversary could exploit to perform unauthorized actions in affected servers.\n\nTracked as [CVE-2021-44757](<https://nvd.nist.gov/vuln/detail/CVE-2021-44757>), the shortcoming concerns an instance of authentication bypass that \"may allow an attacker to read unauthorized data or write an arbitrary zip file on the server,\" the company 
[noted](<https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022>) in an advisory.\n\nOsword from SGLAB of Legendsec at Qi'anxin Group has been credited with discovering and reporting the vulnerability. The Indian firm said it remediated the issue in build version 10.1.2137.9.\n\nWith the latest fix, Zoho has addressed a total of four vulnerabilities over the past five months \u2014\n\n * [CVE-2021-40539](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>) (CVSS score: 9.8) \u2013 Authentication bypass vulnerability affecting Zoho ManageEngine ADSelfService Plus\n * [CVE-2021-44077](<https://thehackernews.com/2021/12/cisa-warns-of-actively-exploited.html>) (CVSS score: 9.8) \u2013 Unauthenticated remote code execution vulnerability affecting Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus, and\n * [CVE-2021-44515](<https://thehackernews.com/2021/12/warning-yet-another-zoho-manageengine.html>) (CVSS score: 9.8) \u2013 Authentication bypass vulnerability affecting Zoho ManageEngine Desktop Central\n\nIn light of the fact that all three aforementioned flaws have been exploited by malicious actors, it's recommended that users apply the updates as soon as possible to mitigate any potential threats.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-18T05:13:00", "type": "thn", "title": "Zoho Releases Patch for Critical Flaw Affecting ManageEngine Desktop Central", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44077", "CVE-2021-44515", "CVE-2021-44757"], "modified": "2022-01-18T10:03:19", "id": "THN:A29E47C7A7467A109B420FF0819814EE", "href": "https://thehackernews.com/2022/01/zoho-releases-patch-for-critical-flaw.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}