Critical flaws found in ManageEngine apps; over half of Fortune 500 companies affected


Security firm Digital Defense announced on Tuesday that its Vulnerability Research Team (VRT) has discovered six security vulnerabilities in ManageEngine products. The affected products are Log360, EventLog Analyzer and Applications Manager.

The ManageEngine product line focuses on enterprise IT management. According to the company, more than 120,000 organizations in over 200 countries and regions, from Fortune 500 companies to SMEs, use ManageEngine tools to manage their network infrastructure, data centers, business systems, IT services and security. Notably, three out of every five Fortune 500 companies rely on ManageEngine.

Vulnerabilities in enterprise management software of this kind can have severe consequences, particularly when they are rated critical under the Common Vulnerability Scoring System (CVSS). Several of the flaws below are reachable by an unauthenticated attacker, and two of them end in full compromise of the host.

Let’s take a look at the specific details of these six vulnerabilities:

  1. DDI-VRT-2018-10
    Description: Allows an unauthenticated attacker to upload arbitrary files via /agentUpload, leading to remote code execution.
    Affected apps/versions:
    EventLog Analyzer 11.8 (Build 11080)
    Log360 5.3 (Build 5036)
  2. DDI-VRT-2018-11
    Description: Allows an authenticated attacker to perform a blind SQL injection via /servlet/aam_servercmd, ultimately leading to full compromise of the host.
    Affected apps/versions:
    Applications Manager 13 (Build 13420)
  3. DDI-VRT-2018-12
    Description: Allows an authenticated attacker to perform a blind SQL injection via /servlet/SyncEventServlet, ultimately leading to full compromise of the host.
    Affected apps/versions:
    Applications Manager 13 (Build 13420)
  4. DDI-VRT-2018-13
    Description: Allows an authenticated attacker to read arbitrary local files via /servlet/FailOverHelperServlet.
    Affected apps/versions:
    Applications Manager 13 (Build 13420)
  5. DDI-VRT-2018-14
    Description: Allows an unauthenticated attacker to perform a blind SQL injection via /servlet/MenuHandlerServlet, ultimately leading to full compromise of the host.
    Affected apps/versions:
    Applications Manager 13 (Build 13420)
  6. DDI-VRT-2018-15
    Description: Allows an unauthenticated attacker to steal the API key via /servlet/OPMRequestHandlerServlet.
    Affected apps/versions:
    Applications Manager 13 (Build 13420)
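Because three of the six endpoints listed above are reachable without a session, the first thing a defender running an affected build will want is a quick look at who has been hitting them. The following scanner is an added example written for this article, not code from Digital Defense or ManageEngine. It assumes the web front end writes Apache/NCSA combined-format access logs (adjust LOG_RE for your deployment) and runs over a handful of constructed sample lines; the endpoint table is taken directly from the advisories above. A match is evidence of exposure or probing, not proof of compromise.

```python
"""Flag access-log requests to the ManageEngine endpoints named in DDI-VRT-2018-10..15.

Added example for this article (not vendor or Digital Defense code).
Assumption: NCSA combined log format; SAMPLE_LOG below is constructed.
"""
import re
from collections import Counter

# Endpoint -> (advisory, privilege needed, impact), as listed in the advisories.
WATCHED_ENDPOINTS = {
    "/agentUpload": ("DDI-VRT-2018-10", "anonymous", "arbitrary file upload / RCE"),
    "/servlet/aam_servercmd": ("DDI-VRT-2018-11", "authenticated", "SQL injection"),
    "/servlet/SyncEventServlet": ("DDI-VRT-2018-12", "authenticated", "SQL injection"),
    "/servlet/FailOverHelperServlet": ("DDI-VRT-2018-13", "authenticated", "local file read"),
    "/servlet/MenuHandlerServlet": ("DDI-VRT-2018-14", "anonymous", "SQL injection"),
    "/servlet/OPMRequestHandlerServlet": ("DDI-VRT-2018-15", "anonymous", "API key disclosure"),
}

# Assumed log layout: ip ident user [timestamp] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample data: two anonymous probes from one host, one admin request
# to a servlet, one benign page view, one blocked anonymous probe.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2018:09:12:01 +0000] "POST /agentUpload HTTP/1.1" 200 512 "-" "python-requests/2.18"
203.0.113.7 - - [10/Jul/2018:09:12:05 +0000] "GET /servlet/OPMRequestHandlerServlet?a=1 HTTP/1.1" 200 88 "-" "python-requests/2.18"
198.51.100.4 - admin [10/Jul/2018:09:15:30 +0000] "POST /servlet/SyncEventServlet HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.4 - admin [10/Jul/2018:09:16:00 +0000] "GET /index.do HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2018:09:18:00 +0000] "GET /servlet/MenuHandlerServlet HTTP/1.1" 403 0 "-" "curl/7.58"
"""


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0].rstrip("/")  # match on path only, not query
    rec["status"] = int(rec["status"])
    return rec


def scan(lines):
    """Return one finding per request that touched a watched endpoint."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in WATCHED_ENDPOINTS:
            continue
        advisory, privilege, impact = WATCHED_ENDPOINTS[rec["path"]]
        # An unauthenticated endpoint that answered 2xx is the one to look at first;
        # everything else still gets reviewed, because a 4xx/5xx can be a failed probe.
        served = 200 <= rec["status"] < 300
        findings.append({
            "advisory": advisory, "impact": impact, "privilege": privilege,
            "ip": rec["ip"], "user": rec["user"], "method": rec["method"],
            "path": rec["path"], "status": rec["status"], "ts": rec["ts"],
            "priority": "high" if privilege == "anonymous" and served else "review",
        })
    return findings


def suspicious_sources(findings):
    """Sorted list of client IPs with at least one high-priority hit."""
    return sorted({f["ip"] for f in findings if f["priority"] == "high"})


def hits_per_advisory(findings):
    """Count of matching requests per advisory identifier."""
    return dict(Counter(f["advisory"] for f in findings))


if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f['priority']:6} {f['advisory']} {f['ip']:>14} {f['method']} {f['path']} -> {f['status']} ({f['impact']})")
    print("sources to investigate:", suspicious_sources(results))
    print("hits per advisory:", hits_per_advisory(results))
```

Feed it your real log with `scan(open(path).readlines())`; the query string is stripped before matching so parameterised probes of the same servlet are not missed, but path case and alternate context roots are not normalised and should be added if your instance is not served at the root.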

The VRT said it reported the vulnerabilities to ManageEngine, which has released a patch for each of the issues identified. The patched builds can already be downloaded from the ManageEngine website; administrators running the builds listed above should update and, since several of the flaws require no authentication, review access logs for requests to the affected endpoints.