SB2017111616 - Multiple vulnerabilities in Zoho ManageEngine Applications Manager
Published: November 16, 2017 Updated: January 1, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 8 secuirty vulnerabilities.
1) Credentials management (CVE-ID: CVE-2016-9489)
The vulnerability allows a remote authenticated user to execute arbitrary code.
In ManageEngine Applications Manager 12 and 13 before build 13200, an authenticated user is able to alter all of their own properties, including own group, i.e. changing their group to one with higher privileges like "ADMIN". A user is also able to change properties of another user, e.g. change another user's password.
2) Information disclosure (CVE-ID: CVE-2016-9491)
The vulnerability allows a remote privileged user to gain access to sensitive information.
ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user, who is able to access /register.do page (most likely limited to administrator), to browse the filesystem and read the system files, including Applications Manager configuration, stored private keys, etc. By default Application Manager is running with administrative privileges, therefore it is possible to access every directory on the underlying operating system.
3) Deserialization of Untrusted Data (CVE-ID: CVE-2016-9498)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
ManageEngine Applications Manager 12 and 13 before build 13200, allows unserialization of unsafe Java objects. The vulnerability can be exploited by remote user without authentication and it allows to execute remote code compromising the application as well as the operating system. As Application Manager's RMI registry is running with privileges of system administrator, by exploiting this vulnerability an attacker gains highest privileges on the underlying operating system.
4) SQL injection (CVE-ID: CVE-2018-13050)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the j_username parameter in a /j_security_check POST request. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
5) SQL injection (CVE-ID: CVE-2017-16847)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the /showresource.do resourceid parameter in a showPlasmaView action. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
6) SQL injection (CVE-ID: CVE-2017-16848)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the /manageConfMons.do groupname parameter. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
7) SQL injection (CVE-ID: CVE-2017-16849)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the /MyPage.do?method=viewDashBoard forpage parameter. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
8) SQL injection (CVE-ID: CVE-2017-16851)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the /MyPage.do widgetid parameter. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
Remediation
Install update from vendor's website.
References
- http://seclists.org/fulldisclosure/2017/Apr/9
- https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9489.html
- https://www.securityfocus.com/bid/97394/
- https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9491.html
- https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9498.html
- https://github.com/x-f1v3/ForCve/issues/1
- https://www.manageengine.com/products/applications_manager/issues.html
- https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2018-13050.html
- http://code610.blogspot.com/2017/11/more-sql-injections-in-manageengine.html
- https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2017-16847.html
- https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2017-16849.html
- https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2017-16851.html