Improper access control in Zoho ManageEngine Desktop Central - CVE-2018-13412,CVE-2018-13411
Published: October 3, 2018
Vulnerability identifier: #VU15152
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear
CVE-ID: CVE-2018-13412,CVE-2018-13411
CWE-ID: CWE-284
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Zoho Corporation
Affected software:
Zoho ManageEngine Desktop Central
Zoho ManageEngine Desktop Central
Detailed vulnerability description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insecure implementation of the administrative functionality within the Self Service Portal on systems installed with Desktop Central Agent. A local unprivileged user can run the "dcagenttrayicon.exe" application with "-ssp" parameter and gain access to Windows command prompt with SYSTEM privileges.
How to mitigate CVE-2018-13412,CVE-2018-13411
Install updates from vendor's website.