This report is about a vulnerability dubbed CVE-2020-10189 in the ManageEngine Desktop Central software. This software is used to control remote systems with use cases such as IT support. CVE-2020-10189 has been addressed by the vendor with a patch.
Tactics, Techniques, and Procedures
The CVE-2020-10189 vulnerability is caused by the de-serialization of data through untrusted sources attacking the getChartImage in the FileStorage class. This affects two different servlets in the Desktop Central software: CewolfServlet and MDMLogUploaderServlet.
The vulnerability affects ManageEngine Desktop Central versions 10.0.473 and below.
The vulnerability can be exploited remotely allowing bad actors to run packaged code on the server running under SYSTEM/root. Malware can be introduced using this vulnerability with the opportunity to spread malicious artifacts to devices with the agent installed. The getChartImage class does not have built-in validation giving bad actors the ability to execute packaged code.
A successful attack could result in the execution of arbitrary code on the affected system and it may be a vector for malware to spread with the vulnerability being the entry point.
We strongly encourage implementing the patch linked below.
Consider limiting access to ports 8383 and 8443 on your ManageEngine server to only approved hosts.
For securing your ManageEngine Desktop Central instance:
- Utilize HTTPS
- Use a complex password that follows information security best practices
- Enable two-factor authentication
- Disable the default admin account
- Use a forwarding server in a reverse proxy configuration to avoid exposing the Desktop Central instance to the public
IBM X-Force Exchange:
- Mitre CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189
- Bleeping Computer Article: https://www.bleepingcomputer.com/news/security/zoho-fixes-no-auth-rce-zero-day-in-manageengine-desktop-central/
- ManageEngine Patch:
- ManageEngine Security Guidance: https://www.manageengine.com/products/desktop-central/security-recommendations.html
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Contact us for more information about Avertium’s managed detection and response service capabilities.