Path traversal and bundled PostgreSQL vulnerabilities in Zoho ManageEngine OpManager



Risk: Medium
Patch available: YES
Number of vulnerabilities: 4
CVE-ID: CVE-2020-1720, CVE-2019-3466, CVE-2020-10733
CWE-ID: CWE-22, CWE-285, CWE-264, CWE-426
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Zoho ManageEngine OpManager (Client/Desktop applications / Other client software)
Vendor: Zoho Corporation

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Path traversal

EUVDB-ID: #VU29287

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: N/A

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences using <cachestart>. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Zoho ManageEngine OpManager: 12.5 125000 - 12.5 125161

External links

https://www.manageengine.com/network-monitoring/help/read-me-complete.html?125127


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Authorization

EUVDB-ID: #VU25333

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-1720

CWE-ID: CWE-285 - Improper Authorization

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform unauthorized modification of data in the database.

The vulnerability exists because the ALTER ... DEPENDS ON EXTENSION sub-commands do not perform authorization checks, which can allow an unprivileged user to drop any function, procedure, materialized view, index, or trigger under certain conditions. This attack is possible if an administrator has installed an extension and an unprivileged user can CREATE, or an extension owner either executes DROP EXTENSION predictably or can be convinced to execute DROP EXTENSION.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Zoho ManageEngine OpManager: 12.5 125000 - 12.5 125161

External links

https://www.manageengine.com/network-monitoring/help/read-me-complete.html?125127


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU22785

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-3466

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because pg_ctlcluster does not drop privileges before creating sockets and temporary directories outside "/var/run/postgresql". A local user can create arbitrary directories on the system during application startup or reload and elevate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Zoho ManageEngine OpManager: 12.5 125000 - 12.5 125161

External links

https://www.manageengine.com/network-monitoring/help/read-me-complete.html?125127


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Untrusted search path

EUVDB-ID: #VU27923

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-10733

CWE-ID: CWE-426 - Untrusted Search Path

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the Windows installer runs executables from uncontrolled directories. A local user can trick the victim into installing PostgreSQL from a directory that contains malicious files and execute arbitrary code on the system with elevated privileges.

Note: this vulnerability affects the Windows installer only.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Zoho ManageEngine OpManager: 12.5 125000 - 12.5 125161

External links

https://www.manageengine.com/network-monitoring/help/read-me-complete.html?125127


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


