CVE-2020-10189: Zoho ManageEngine Vulnerability Still Dangerous Nearly a Year Later - The Monitor, Issue 15

Zoho ManageEngine Desktop Central is an endpoint management solution offered by Zoho. A server running this software can push updates to managed systems, remotely control and lock them, apply access controls and more. In March 2020, a remote code execution (RCE) vulnerability was identified (tracked as CVE-2020-10189) in the ManageEngine software due to the deserialization of untrusted, user-controlled input in the getChartImage function of the FileStorage class within the application. An unauthenticated user can exploit this vulnerability to gain code execution with the same permissions as the ManageEngine software.

One of the reasons for the ongoing importance of this vulnerability is the fact that it is commonly used by managed service providers (MSPs) as part of their offerings to clients. If an MSP is running a vulnerable version of ManageEngine (earlier than 10.0.474), exploitation of the vulnerability potentially provides access to all of their customers’ networks and devices.

Why This Vulnerability is so Critical

CVE-2020-10189 receives a common vulnerability scoring system (CVSS) 3.x score of 9.8. This means that the vulnerability is labeled as “critical” based upon potential exploitability and impact, for several reasons:

Unauthenticated RCE
The vulnerability exists in publicly-exposed functionality. This means that any unauthenticated user can access a vulnerable server exposed to the internet and achieve remote code execution.

Elevated Permissions
Exploitation of this vulnerability enables an attacker to run commands on the vulnerable server with SYSTEM permissions. This is the highest level of permissions on Windows systems and enables the attacker to perform nearly any action on the system.

Device Management
The ManageEngine software is designed to enable centralized management of a number of devices on the network. Exploitation of a single server provides the ability to push updates, remotely control and control access of all managed devices.

When the vulnerability was published in March 2020, approximately 2,300 instances of ManageEngine were publicly exposed on the internet. This is likely an underestimate of the number of potentially vulnerable machines as some will have been deployed to be only accessible internally. However, for these internal devices, compromise of a single device on the network could enable exploitation of the vulnerability to gain control of all managed devices.

CVE-2020-10189 Remains Relevant

CVE-2020-10189 received a patch the day after its publication, but nearly a year later this vulnerability remains relevant, thanks to its flexibility and recent involvement in a data breach in which a red team toolkit was exposed. This vulnerability is one of several used by this toolkit, meaning CVE-2020-10189 has gained new visibility and less sophisticated cyber threat actors now have the ability to effectively exploit it. This exploitation has been demonstrated several times, through commercial, off-the-shelf applications where the domain controller of a system was manipulated. Threat actors have left system disks intact but encrypted other drives through a connected service account. To prevent an infiltration like this, it is important to ensure that if a service account is needed, it runs with minimal privileges.  

Examples of ManageEngine Exploits

In one of our recent ransomware engagements, Kroll investigators identified the exploitation of the ManageEngine remote code execution vulnerability on March 8, 2020, three days after the vulnerability was published. The threat actor utilized the Windows Background Intelligent Transfer Service (BITS) to download a malicious batch file from a virtual private server hosting provider. The threat actor utilized Cobalt Strike to facilitate lateral movement within the client's network and solidified their foothold by creating a scheduled task that would run daily to download and install the software. Soon after executing a network enumeration tool on two domain controllers to identify hosts on the client's network, the threat actor began encrypting endpoints.

Kroll Experts Corner: Protecting Against CVE-2020-10189

This vulnerability only exists in versions 10.0.474 and earlier. Updating affected software will close the vulnerability. Additionally, configuring firewall rules and access controls to minimize access to the affected server can help to limit the exploitability of this and other potential vulnerabilities in the software. 

Security professionals can find powerful resources to help their teams stay up to date with new vulnerabilities from MITRE and NIST.

It’s important to remember there are many legitimate reasons for a company to keep an unpatched vulnerability in place for business or operational reasons. Maintaining a program that can monitor and understand the impact of new vulnerabilities to determine how soon to patch requires considerable resources, beyond what many smaller teams can undertake. A mature cyber security program would balance vulnerability management investments with a stronger ability to detect and respond to incidents, which provides a more robust defensive posture.

The article above was extracted from The Monitor newsletter, a monthly digest of Kroll’s global cyber risk case intake. The Monitor also includes an analysis of the month’s most popular threat types investigated by our cyber experts. Subscription is available below.