#VU15152 Improper access control in Zoho ManageEngine Desktop Central - CVE-2018-13412,CVE-2018-13411
Published: October 3, 2018
Vulnerability identifier: #VU15152
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear
CVE-ID: CVE-2018-13412,CVE-2018-13411
CWE-ID: CWE-284
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Zoho ManageEngine Desktop Central
Zoho ManageEngine Desktop Central
Software vendor:
Zoho Corporation
Zoho Corporation
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insecure implementation of the administrative functionality within the Self Service Portal on systems installed with Desktop Central Agent. A local unprivileged user can run the "dcagenttrayicon.exe" application with "-ssp" parameter and gain access to Windows command prompt with SYSTEM privileges.
Remediation
Install updates from vendor's website.