Researchers release PoC exploit for critical Zoho RCE bug, patch now

A proof-of-concept exploit will be released later this week for a critical vulnerability that allows remote code execution (RCE) without authentication in multiple Zoho ManageEngine products.

Tracked as CVE-2022-47966, this pre-authentication RCE flaw is due to the use of an outdated and vulnerable third-party dependency, Apache Santuario.

A successful exploit allows unauthenticated threat actors to execute arbitrary code on ManageEngine servers if SAML-based single sign-on (SSO) is currently enabled or was enabled at least once before the attack.

The list of vulnerable software includes almost all of ManageEngine’s products. Fortunately, Zoho has already patched them in waves starting on October 27, 2022, by updating the third-party module to a newer version.

Incoming “spray and pray” attacks

On Friday, security researchers with the Horizon3 attack team warned that they have created a proof-of-concept (PoC) exploit for CVE-2022-47966.

“The vulnerability is easy to exploit and a good candidate for attackers to ‘spray and pray’ across the Internet. This vulnerability allows remote code execution as NT AUTHORITY\SYSTEM, essentially giving the attacker full control of the system,” Horizon3 vulnerability researcher James Horsman said.

“If the user determines that they have been compromised, additional investigation is required to determine any damage caused by the attacker. Once the attacker has gained SYSTEM level access to the endpoint, the attackers are likely to begin scraping credentials via LSASS or leveraging existing public tools to access data stored by the application to perform lateral movement.”

Although they have not yet released technical details and indicators of compromise (IOCs) that defenders can use to determine if their systems have been compromised, Horizon3 plans to release the PoC exploit later this week.

Horizon3 researchers have also shared the following screenshot showing their exploit in action against a vulnerable instance of ManageEngine ServiceDesk Plus.

[Screenshot: CVE-2022-47966 PoC exploit (Horizon3)]

10% of all exposed instances are vulnerable to attacks

While digging through just two vulnerable ManageEngine products, ServiceDesk Plus and Endpoint Central, Horsman found thousands of unpatched servers exposed online via Shodan.

Hundreds of them also have SAML enabled, with an estimated 10% of all exposed ManageEngine products vulnerable to CVE-2022-47966 attacks.

While there have been no public reports of attacks taking advantage of this vulnerability and no attempts to exploit it in the wild according to cybersecurity firm GreyNoise, eager attackers will likely move quickly to create their own RCE exploits once Horizon3 publishes its PoC code, even if only a simplified version is released.

Horizon3 has previously released exploit code for:

  • CVE-2022-28219, a critical vulnerability in Zoho ManageEngine ADAudit Plus that could allow attackers to compromise Active Directory accounts,
  • CVE-2022-1388, a critical flaw enabling remote code execution on F5 BIG-IP networking devices,
  • and CVE-2022-22972, an important authentication bypass vulnerability in several VMware products that allows threat actors to gain administrator privileges.

Zoho ManageEngine servers have come under constant attack in recent years, with state-backed hackers using tactics and tools similar to those of the China-linked APT27 hacking group targeting them between August and October 2021.

Instances of Desktop Central were also compromised in July 2020, with threat actors selling access to the compromised organizations’ networks on hacking forums.

After this and other massive attack campaigns, the FBI and CISA issued joint advisories [1, 2] warning against state-backed attackers exploiting ManageEngine bugs to backdoor critical infrastructure organizations.
