====================================================================
CERT-Renater
Note d'Information No. 2020/VULN114
_____________________________________________________________________
DATE : 09/03/2020
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Zoho ManageEngine Desktop Central
versions prior to 10.0.479.
=====================================================================
https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html
_____________________________________________________________________
ManageEngine Desktop Central remote code execution vulnerability
(CVE-2020-10189)
This document explains the unauthenticated remote code execution
vulnerability in Desktop Central that was reported by Steven Seeley of
Source Incite. A short-term fix for the underlying arbitrary file upload
vulnerability was released in build 10.0.474 on January 20, 2020.
Following that, the complete fix for the remote code execution
vulnerability is now available in build 10.0.479.
Note: This vulnerability does not affect the Secure Gateway Server.
Customers running builds that include the short-term fix are not
vulnerable to this exploit.
What was the problem?
This vulnerability could allow remote attackers to execute arbitrary
code on affected installations of Desktop Central. Authentication is not
required to exploit this vulnerability.
How do I fix it?
Please update to the latest version, 10.0.479, released on March 7, 2020.
The patch and the steps to install it can be found on this page:
https://www.manageengine.com/products/desktop-central/service-packs.html.
How do I fix it manually?
If you have difficulty applying the patch, you can follow the manual
steps given below to fix the vulnerability.
Remove the content below from the file web.xml in the path
\ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\WEB-INF\web.xml.
    <servlet-mapping>
        <servlet-name>MDMLogUploaderServlet</servlet-name>
        <url-pattern>/mdm/mdmLogUploader</url-pattern>
        <url-pattern>/mdm/client/v1/mdmLogUploader</url-pattern>
    </servlet-mapping>
    <servlet>
        <servlet-name>MDMLogUploaderServlet</servlet-name>
        <servlet-class>com.me.mdm.onpremise.webclient.log.MDMLogUploaderServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>CewolfServlet</servlet-name>
        <url-pattern>/cewolf/*</url-pattern>
    </servlet-mapping>
    <servlet>
        <servlet-name>CewolfServlet</servlet-name>
        <servlet-class>de.laures.cewolf.CewolfRenderer</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>overliburl</param-name>
            <param-value>/js/overlib.js</param-value>
        </init-param>
        <init-param>
            <param-name>storage</param-name>
            <param-value>de.laures.cewolf.storage.FileStorage</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
Restart the desktopcentral service.
Disclaimer: After following the mitigation steps listed above, Desktop
Central users will not be able to upload logs from a mobile device.
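As an added example (not ManageEngine's or CERT-Renater's code), the following Python checks a web.xml for the two servlet declarations and mappings listed above and removes them, so an administrator can verify that the manual mitigation has actually been applied. It runs on a constructed sample document; the javaee namespace version and the unrelated ExampleKeepServlet entry are assumptions, not taken from the advisory.

```python
"""Check and apply the web.xml mitigation in the advisory (added example code)."""
import xml.etree.ElementTree as ET

# Servlet names the advisory says to remove from web.xml.
MITIGATED_SERVLETS = {"MDMLogUploaderServlet", "CewolfServlet"}

# Constructed sample web.xml: the advisory's entries plus one unrelated servlet.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet-mapping>
    <servlet-name>MDMLogUploaderServlet</servlet-name>
    <url-pattern>/mdm/mdmLogUploader</url-pattern>
    <url-pattern>/mdm/client/v1/mdmLogUploader</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>MDMLogUploaderServlet</servlet-name>
    <servlet-class>com.me.mdm.onpremise.webclient.log.MDMLogUploaderServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CewolfServlet</servlet-name>
    <url-pattern>/cewolf/*</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>CewolfServlet</servlet-name>
    <servlet-class>de.laures.cewolf.CewolfRenderer</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>ExampleKeepServlet</servlet-name>
    <servlet-class>example.KeepMe</servlet-class>
  </servlet>
</web-app>"""

def _local(tag):  # strip the '{uri}' namespace prefix ElementTree adds
    return tag.rsplit("}", 1)[-1]
def _names(block):  # servlet-name values inside a <servlet> or <servlet-mapping>
    return {(s.text or "").strip() for s in block if _local(s.tag) == "servlet-name"}
def _targets(root):
    """Top-level blocks that declare or map a servlet the advisory lists."""
    return [c for c in root if _local(c.tag) in ("servlet", "servlet-mapping")
            and _names(c) & MITIGATED_SERVLETS]
def find_exposed_servlets(web_xml_text):
    """Return the advisory-listed servlet names still declared or mapped."""
    root = ET.fromstring(web_xml_text)
    return set().union(*(_names(c) for c in _targets(root))) & MITIGATED_SERVLETS

def remove_servlets(web_xml_text):
    """Drop the listed servlets' blocks; return (new_xml, blocks_removed)."""
    root = ET.fromstring(web_xml_text)
    victims = _targets(root)
    for c in victims:
        root.remove(c)
    return ET.tostring(root, encoding="unicode"), len(victims)
```

To apply it to a real installation, read the web.xml at the path given above, pass its text to remove_servlets(), write the result back and restart the service as the advisory instructs. ElementTree rewrites namespace prefixes and drops comments and the XML declaration, so keep a backup and review the diff before replacing the file.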
Keywords: Security Updates, Vulnerabilities and Fixes, SRC-2020-0011.
=========================================================
+ CERT-RENATER | tel : 01-53-94-20-44 +
+ 23/25 Rue Daviel | fax : 01-53-94-20-41 +
+ 75013 Paris | email:cert@support.renater.fr +
=========================================================