Pierluigi Paganini January 24, 2023

US CISA added the Zoho ManageEngine RCE vulnerability CVE-2022-47966 to its Known Exploited Vulnerabilities Catalog.

The US CISA added the Zoho ManageEngine remote code execution flaw (CVE-2022-47966) to its Known Exploited Vulnerabilities Catalog.

The CVE-2022-47966 flaw is an unauthenticated remote code execution vulnerability that impacts multiple Zoho products with SAML SSO enabled in the ManageEngine setup. The issue also impacts products that had the feature enabled in the past. The vulnerability was addressed by the company on October 27th, 2022.

The root cause of the problem is that ManageEngine products use an outdated third-party dependency, Apache Santuario.

“This vulnerability allows an unauthenticated adversary to execute arbitrary code when the above SAML SSO criteria is met.” reads the advisory.

Horizon3 researchers released last week a proof-of-concept (PoC) exploit for the CVE-2022-47966 along with technical analysis. The experts developed the PoC exploit by examining the differences between ServiceDesk Plus version 14003 and version 14004. 

“The vulnerability allows an attacker to gain remote code execution by issuing a HTTP POST request containing a malicious SAML response. This vulnerability is a result of  using an outdated version of Apache Santuario for XML signature validation.” reads the analysis. “One of the critical pieces is understanding that the information flow uses the client’s browser to relay all information between the Service Provider (SP) and the Identity Provider (IDP). In this attack, we send a request containing malicious SAML XML directly to the service provider’s Assertion Consumer (ACS) URL.”

The researchers tested their PoC exploit against Endpoint Central, however, they believe it can work on many of the ManageEngine products that share some of their codebase with ServiceDesk Plus or EndpointCentral.

“In summary, when Apache Santuario is <= v1.4.1, the vulnerability is trivially exploitable and made possible via several conditions:

• Reference validation is performed before signature validation, allowing for the execution of malicious XSLT transforms.
• Execution of XSLT transforms allows an attacker to execute arbitrary Java code.” concludes the report.

The good news is that at the time of the report, researchers are not aware of attacks exploiting this vulnerability, however, researchers warn that threat actors can start attempting to exploit it soon.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by February 13, 2023.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

[adrotate banner=”5″]

[adrotate banner=”13″]