
=====================================================================

                          CERT-Renater

              Information Note No. 2021/VULN640
_____________________________________________________________________

DATE                : 07/12/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Zoho Desktop Central,
                              Zoho Desktop Central MSP.

=====================================================================
https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp
https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html
https://www.manageengine.com/desktop-management-msp/cve-2021-44515-security-advisory.html
_____________________________________________________________________

An authentication bypass vulnerability identified and fixed in Desktop
Central and Desktop Central MSP

     Reeni B, Announcement, 3 days ago

Hello!

This notification is in regard to an authentication bypass vulnerability
that was recently identified in Desktop Central. This applies to Desktop
Central MSP as well. Registered as CVE-2021-44515, this vulnerability
has now been fixed and released in our latest build on 3rd December
2021.


What is the issue?
An authentication bypass vulnerability in ManageEngine Desktop Central
that could result in remote code execution.


What is the impact of the issue?
If exploited, the attackers can gain unauthorized access to the product
by sending a specially crafted request leading to remote code execution.


What is the severity of the issue?
We consider the severity of this vulnerability to be critical.


Is this issue applicable to you? How to identify and mitigate it?
We have talked about this in detail in the following documents: KB for
Desktop Central and KB for Desktop Central MSP. To verify if this
vulnerability applies to your set-up and to remediate it, please follow
the steps mentioned there.

Note: As we are noticing indications of exploitation of this
vulnerability, we strongly advise customers to update their
installations to the latest build as soon as possible.


Additional Recommendation:
Please follow the security hardening guidelines to ensure all the
security controls and protections are configured to keep your Desktop
Central environment secure.

Rest assured that we continuously strive to take appropriate security
measures and adapt to relevant security controls in our products. If you
need any further assistance, our support team is always ready to help.
Please reach out to us at desktopcentral-security@manageengine.com for
Desktop Central and msp-desktopcentral-support@manageengine.com for
Desktop Central MSP.


Cheers,
Team Desktop Central.

_____________________________________________________________________


CVE-2021-44515: Security Advisory

This document addresses an authentication bypass vulnerability
(CVE-2021-44515) in ManageEngine Desktop Central and provides an
incident response plan if your system is affected.

Vulnerability ID: CVE-2021-44515
Severity: Critical
Update Release Date: 3rd December 2021

Fix Build:
i) For Enterprise-
For builds 10.1.2127.17 and below, upgrade to 10.1.2127.18
For builds 10.1.2128.0 to 10.1.2137.2, upgrade to 10.1.2137.3

ii) For MSP-
For builds 10.1.2127.17 and below, upgrade to 10.1.2127.18
For builds 10.1.2128.0 to 10.1.2137.2, upgrade to 10.1.2137.3


What was the problem?

An authentication bypass vulnerability was identified in ManageEngine
Desktop Central. It can allow an adversary to bypass authentication and
execute arbitrary code on the Desktop Central server.


Note: As we are noticing indications of exploitation of this
vulnerability, we strongly advise customers to update their
installations to the latest build as soon as possible.


How do I check if my installation is affected?

We have developed an Exploit Detection Tool that will help you identify
whether your installation has been affected by this vulnerability. You
can download the tool here. Once you have downloaded the file, follow
these steps:

1. Extract the tool to the \ManageEngine\UEMS_CentralServer\bin folder or
the \ManageEngine\DesktopCentral_Server\bin folder, whichever is
applicable for you.

2. Open a command prompt with admin privileges and navigate to the
\ManageEngine\UEMS_CentralServer\bin folder or the
\ManageEngine\DesktopCentral_Server\bin folder.

3. Run the command RCEScan.bat

4. If your installation is affected, you will see the message "Exploit
Detected". If your installation is safe, you will see the message "No
Exploit Detected".


Here are some of the Indicators of Compromise (IOC) for this
vulnerability (CVE-2021-44515):

     Navigate to \lib and check if you can find the file aaa.zip
     (md5 - 9809bdf6e9981fbc3ad515b731124342).

     Navigate to \webapps\DesktopCentral\html and check if you can find
     the file help_me.jsp
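
The two file checks above can be scripted. The following PowerShell is an
added example, not part of the ManageEngine advisory or its RCEScan tool.
It assumes the \lib and \webapps\DesktopCentral\html paths are relative to
the server install folder, passed in as -ServerHome (a hypothetical
parameter name).

```powershell
# Added example (not ManageEngine's RCEScan tool). Assumption: the advisory's
# \lib and \webapps\DesktopCentral\html paths are relative to the server
# install folder passed in -ServerHome.
param(
    [Parameter(Mandatory = $true)]
    [string]$ServerHome
)

# MD5 of aaa.zip as published in the advisory.
$AdvisoryMd5 = '9809bdf6e9981fbc3ad515b731124342'

function Test-FileIoc {
    param([string]$Path, [string]$ExpectedMd5)

    $result = [pscustomobject]@{
        Path     = $Path
        Present  = Test-Path -LiteralPath $Path -PathType Leaf
        Md5      = $null
        Md5Match = $null
    }
    if ($result.Present) {
        # Hash every hit so the value can go into the incident record.
        $result.Md5 = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
        if ($ExpectedMd5) { $result.Md5Match = ($result.Md5 -eq $ExpectedMd5) }
    }
    return $result
}

$checks = @(
    Test-FileIoc -Path (Join-Path $ServerHome 'lib\aaa.zip') -ExpectedMd5 $AdvisoryMd5
    Test-FileIoc -Path (Join-Path $ServerHome 'webapps\DesktopCentral\html\help_me.jsp')
)
$checks | Format-Table -AutoSize

# Any file present is treated as a finding here, even when aaa.zip does not
# match the published hash, so that it gets reviewed rather than ignored.
if ($checks | Where-Object Present) {
    Write-Warning 'IOC file(s) found: follow the "If affected" incident response plan.'
    exit 1
}
Write-Output 'No listed IOC file found. This does not replace RCEScan.bat or the update.'
exit 0
```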


Incident Response Plan

If affected:

1. Disconnect the affected system from your network.

2. Back up the Desktop Central database using these steps.

3. Format the compromised machine. Note: Before formatting the machine,
ensure that you have backed up all critical business data.

4. Follow these steps to restore Desktop Central.

     The build version of the new installation should be the same as that
     of the database backup taken in step 2.

     It is highly recommended to utilize a different machine for the new
     installation.

5. Mandatory step: Once the server is up and running, update Desktop
Central to the latest build using the following steps:

i) Log in to your Desktop Central console, click on your current build
number on the top right corner.

ii) You can find the latest build. Download the PPM and update.

Recommendation: Initiate a password reset for all services, accounts,
Active Directory, etc. that have been accessed from the machine on which
the service is installed. It is better if AD administrator passwords are
also reset.


If not affected:

Mandatory step: Update Desktop Central to the latest build using the
following steps:

i) Log in to your Desktop Central console, click on your current build
number on the top right corner.

ii) You can find the latest build. Download the PPM and update.

Note: This vulnerability is not applicable to Desktop Central Cloud.

For further assistance, please contact
desktopcentral-security@manageengine.com

Keywords: Security Updates, Vulnerabilities and Fixes, CVE-2021-44515,
authentication bypass


_____________________________________________________________________

CVE-2021-44515: Security Advisory

This document addresses an authentication bypass vulnerability
(CVE-2021-44515) in ManageEngine Desktop Central MSP and elaborates an
incident response plan if your system is affected.

Vulnerability ID: CVE-2021-44515
Severity: Critical
Update Release Date: 3rd December 2021


What was the problem?

An authentication bypass vulnerability was identified in ManageEngine
Desktop Central MSP. It can allow an adversary to bypass authentication
and execute arbitrary code on the Desktop Central MSP server.

Note: As we are noticing indications of exploitation of this
vulnerability, we strongly advise customers to update their
installations to the latest build as soon as possible.


How do I check if my installation is affected?

We have developed an Exploit Detection Tool that will help you identify
whether your installation has been affected by this vulnerability. You
can download the tool here. Once you have downloaded the file, follow
these steps:

1. Extract the tool to the \ManageEngine\UEMS_CentralServer\bin folder or
the \ManageEngine\DesktopCentral_Server\bin folder, whichever is
applicable for you.

2. Open a command prompt with admin privileges and navigate to the
\ManageEngine\UEMS_CentralServer\bin folder or the
\ManageEngine\DesktopCentral_Server\bin folder.

3. Run the command RCEScan.bat

4. If your installation is affected, you will see the message
"Compromised". If your installation is unaffected, you will see the
message "Not Compromised".


Incident Response Plan

If affected:

1. Disconnect the affected system from your network.

2. Back up the Desktop Central MSP database using these steps.

3. Format the compromised machine. Note: Before formatting the machine,
ensure that you have backed up all critical business data.

4. Download and install Desktop Central MSP.

     The build version of the new installation should be the same as that
     of the database backup taken in step 2.

     It is highly recommended to utilize a different machine for the new
     installation.

5. Restore the backup and start the server.

6. Once the server is up and running, update Desktop Central MSP to the
latest build using the following steps:

     Log in to your Desktop Central MSP console, click on your current
     build number on the top right corner.

     You can find the latest build. Download the PPM and update.

Recommendation: Initiate a password reset for all services, accounts,
Active Directory, etc. that have been accessed from the machine on which
the service is installed. It is better if AD administrator passwords are
also reset.


If not affected:

Update Desktop Central MSP to the latest build using the following
steps:

     Log in to your Desktop Central MSP console, click on your current
     build number on the top right corner.

     You can find the latest build. Download the PPM and update.

Keywords: Security Updates, Vulnerabilities and Fixes, CVE-2021-44515,
authentication bypass


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================

