#VU15152 Improper access control in Zoho ManageEngine Desktop Central
Vulnerability identifier: #VU15152
Vulnerability risk: Low
CVSSv3.1: 8.2 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-284
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Zoho ManageEngine Desktop Central
Universal components / Libraries /
Software for developers
Vendor: Zoho Corporation
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insecure implementation of the administrative functionality within the Self Service Portal on systems installed with Desktop Central Agent. A local unprivileged user can run the "dcagenttrayicon.exe" application with "-ssp" parameter and gain access to Windows command prompt with SYSTEM privileges.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Zoho ManageEngine Desktop Central: 10.0.200 - 10.0.276
External links
http://github.com/AJ-SA/Zoho-ManageEngine/blob/master/README.md
http://www.manageengine.com/products/desktop-central/elevation-of-system-privilege.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
