Flaws in ManageEngine apps opens enterprise systems to compromise

Researchers have discovered multiple severe vulnerabilities in ManageEngine’s line of tools for internal IT support teams, which are used by over half of Fortune 500 companies.

About the vulnerabilities

The first flaw affects EventLog Analyzer 11.8 and Log360 5.3, and could be exploited to achieve remote code execution with the same privileges as the user that started the application, by uploading a web shell to be written to the web root.

The rest of the vulnerabilities are found in Applications Manager 13:

• Several unauthenticated blind SQL injections. The flaws can lead to full compromise of the Applications Manager application, which can be leveraged to execute arbitrary code as SYSTEM when running on Windows, resulting in full host compromise.
• An unauthenticated local file inclusion vulnerability that can be misused for unearthing sensitive information.
• An unauthenticated API key disclosure vulnerability that could be leveraged to compromise the application and the host.

More specific details can be found in this advisory.

Patches area available

The good news is that ManageEngine has been informed of the vulnerabilities and has already moved to solve the problem.

“ManageEngine has addressed the vulnerabilities and is making patches available for each of the affected applications. Patches can be downloaded from the ManageEngine site,” the researchers noted.