Overview
Zoho ManageEngine Desktop Central contains an authentication bypass vulnerability caused by improper access control that allows unauthenticated attackers to execute arbitrary code on the Desktop Central MSP (Managed Service Provider) server. This critical vulnerability requires no authentication and can be exploited remotely. The vulnerability was disclosed on December 12, 2021. CISA has identified CVE-2021-44515 as exploited in the wild, but it is not currently known to be used in ransomware campaigns.
Technical details
Zoho ManageEngine Desktop Central contains multiple authentication bypass vulnerabilities that allow unauthenticated remote attackers to execute arbitrary code on the server. The vulnerability stems from improper access control mechanisms that fail to properly validate user authentication before allowing access to sensitive endpoints. Attackers can exploit these bypass mechanisms to gain unauthorized access to administrative functions and execute arbitrary commands with system privileges.
The vulnerability is classified as CWE-287 (Improper Authentication), CWE-284 (Improper Access Control) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')).
The vulnerability has a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting its critical severity.
Impact
An unauthenticated attacker can exploit this vulnerability to execute arbitrary code on the Desktop Central MSP server with system privileges. This allows complete compromise of the affected system, including: unauthorized access to sensitive management data, installation of malware or backdoors, lateral movement to managed endpoints through the Desktop Central console, exfiltration of credentials and sensitive information, and disruption of service availability. In an MSP environment, this could affect multiple customer organizations.
Mitigation and workarounds
Zoho recommends an immediate upgrade to the latest patched versions. Download and install security updates from Zoho's support portal at https://www.manageengine.com/products/desktop-central/. For MSP instances, priority should be given to applying patches. Customers should verify their current version via Administration > General Settings > About. The following versions include the necessary fixes: Desktop Central 10.0.2181 and later, Desktop Central 10.1.2164.21 and later, Desktop Central 10.2.2156.10 and later, Desktop Central MSP 10.0.2181 and later, Desktop Central MSP 10.1.2164.21 and later, Desktop Central MSP 10.2.2156.10 and later.
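The version check above is easy to get wrong by hand because each release branch (10.0, 10.1, 10.2) has its own fixed build, and the 10.1 and 10.2 fixes carry a fourth hotfix component (10.1.2164.21 is fixed, 10.1.2164 is not). The following script is an added example, not Zoho's tooling: it parses version strings from an inventory and reports, per server, whether the build is at or above the fixed build for its branch. The fixed builds are taken from the advisory text; the hostnames and version strings in the inventory are constructed for illustration, and builds on a branch the advisory does not list are flagged for manual verification rather than assumed safe.

```python
"""Triage Desktop Central / Desktop Central MSP builds against the fixed
builds listed for CVE-2021-44515.

Added example for this advisory; not Zoho's tooling. Fixed build numbers come
from the advisory text; the sample inventory is constructed.
"""
from typing import Dict, Optional, Tuple

# Minimum patched build per release branch, as stated in the advisory.
# The same thresholds apply to Desktop Central and Desktop Central MSP.
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (10, 0): (10, 0, 2181),
    (10, 1): (10, 1, 2164, 21),
    (10, 2): (10, 2, 2156, 10),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.1.2164.21' into (10, 1, 2164, 21); raise on malformed input."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> Optional[bool]:
    """True if the build is at/above the fixed build for its branch, False if
    below it, None if the branch is not one the advisory lists (treat None as
    "verify manually", never as safe)."""
    parsed = parse_version(version)
    if len(parsed) < 3:
        raise ValueError(f"version needs at least major.minor.build: {version!r}")
    branch = parsed[:2]
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    # Tuple comparison is lexicographic and handles a missing trailing
    # component: (10, 1, 2164) < (10, 1, 2164, 21), so 10.1.2164 without the
    # .21 hotfix correctly reads as unpatched.
    return parsed >= fixed


def triage(versions: Dict[str, str]) -> Dict[str, str]:
    """Map host -> status string for an inventory of server versions."""
    report: Dict[str, str] = {}
    for host, version in versions.items():
        try:
            state = is_patched(version)
        except ValueError as exc:
            report[host] = f"error: {exc}"
            continue
        if state is None:
            report[host] = "unknown branch: verify against vendor guidance"
        elif state:
            report[host] = "patched"
        else:
            report[host] = "VULNERABLE: upgrade per advisory"
    return report


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative only.
    inventory = {
        "dc-msp-01.example": "10.1.2164.21",
        "dc-msp-02.example": "10.1.2164",
        "dc-prod-01.example": "10.2.2156.10",
        "dc-lab-01.example": "10.0.2180",
        "dc-old-01.example": "9.9.1234",
        "dc-bad-01.example": "10.x",
    }
    for host, status in triage(inventory).items():
        print(f"{host:22} {status}")
```

Feed it the version strings read from Administration > General Settings > About on each server; anything reported as VULNERABLE or unknown should be treated as unpatched until the upgrade is confirmed.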
As temporary workarounds: restrict network access to the Desktop Central server (default ports 8020 and 8383) using firewall rules, limiting access to trusted administrator IP addresses and networks only; implement network segmentation to isolate the Desktop Central server from untrusted networks and the internet; use a reverse proxy or WAF (web application firewall) to add additional authentication layers and monitor suspicious access patterns; and disable internet-facing Desktop Central instances if they are not required for MSP operations.
CISA recommendation: Apply updates per vendor instructions.
Additional resources
Source: This report was generated by AI.

