Zoho’s comprehensive endpoint-management platform has an authentication-bypass bug (CVE-2021-44757) that could lead to remote code execution.
A critical security vulnerability in the Zoho ManageEngine Desktop Central & Desktop Central MSP platforms could allow authentication bypass, the company warned.
The bug (CVE-2021-44757) could allow a remote user to “perform unauthorised actions in the server,” according to the company’s Mon. security advisory. “If exploited, this vulnerability may allow an attacker to read unauthorised data or write an arbitrary .ZIP file on the server.”
UEM Solution
Zoho’s ManageEngine Desktop Central is a unified endpoint management (UEM) solution that lets IT admins manage servers, laptops, desktops, smartphones & tablets from a central location.
Users can automate routines like installing patches, deploying software, imaging & deploying OS, according to the company’s documentation.
It can also be used to manage assets & software licenses, monitor software-usage statistics, manage USB device usage, take control of remote desktops, etc.
Regarding mobile technology, users can deploy profiles & policies; configure devices for Wi-Fi, VPNs, email accounts & so on; apply restrictions on application installs, camera usage & the browser; & manage security with passcodes & remote lock/wipe functionality.
Nightmare
Thus, the platform offers far-reaching access into an organisation’s IT footprint, making for an information-disclosure nightmare in the case of an exploit, potentially. Also, the ability to install a .ZIP file allows for the installation of malware on all of the endpoints managed by the Desktop Central instance.
In the case of the MSP version – which, as its name suggests, allows managed service providers (MSPs) to offer endpoint management to their own customers – the bug could be used in a supply-chain attack.
Cyber-criminals can simply compromise 1 MSP’s Desktop Central MSP edition & potentially gain access to the customers whose footprints are being managed using it, depending on security measures the provider has put in place.
Zoho ManageEngine released a Knowledge Base entry detailing patches on Mon., and users are encouraged to update to the latest build in order to protect themselves. The firm also offered tips for general hardening of Desktop Central environments in the KB article.
Zoho ManageEngine: Popular for Zero-Day Attacks
The company did not say whether the bug has been under attack as a zero-day vulnerability, but it is likely that cyber-attackers will start targeting it for exploit if they have not already. The ManageEngine platform is a popular one for attackers, given its nature.
In Sept., for example, when a critical security vulnerability (CVE-2021-40539) in the Zoho ManageEngine AD SelfService Plus platform was patched; it could allow remote attackers to bypass authentication & have free rein across users’ Active Directory (AD) & cloud accounts. It was under active attack even before it was fixed, according to the Cybersecurity & Infrastructure Security Agency (CISA).
Active Attack
In Dec., the FBI went so far as to issue an official alert after a Zoho ManageEngine zero-day vulnerability was found to be under active attack from an advanced persistent threat (APT) group.
That bug (CVE-2021-44515) could allow remote attackers to override legitimate functions of servers running ManageEngine Desktop Central & to elevate privileges – with an ultimate goal of dropping malware onto organisations’ networks.
