ManageEngine ServiceDesk Plus < 11.3 Build 11306 / ManageEngine ServiceDesk Plus MSP < 10.5 Build 10530 RCE

critical Nessus Plugin ID 155864

Synopsis

The remote web server hosts an application that is affected by a remote code execution vulnerability.

Description

A remote code execution vulnerability exists in ManageEngine ServiceDesk Plus prior to 11.3 Build 11306 and ManageEngine ServiceDesk Plus MSP prior to 10.5 Build 10530 due to a flaw in the /RestAPI URLs in a servlet and ImportTechnicians in the Struts configuration.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to ManageEngine ServiceDesk Plus version 11.3 build 11306 or ManageEngine ServiceDesk Plus MSP version 10.5 Build 10530, or later.

See Also

http://www.nessus.org/u?088fc18e

http://www.nessus.org/u?a2d78a24

http://www.nessus.org/u?33ec753b

Plugin Details

Severity: Critical

ID: 155864

File Name: manageengine_servicedesk_11_3_build11306.nasl

Version: 1.5

Type: remote

Family: CGI abuses

Published: 12/6/2021

Updated: 1/20/2022

Risk Information

CVSS Score Source: CVE-2021-44077

VPR

Risk Factor: Critical

Score: 9.2

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:H/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:zohocorp:manageengine_servicedesk_plus, cpe:/a:zohocorp:manageengine_servicedesk_plus_msp

Required KB Items: installed_sw/manageengine_servicedesk

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/11/2021

Vulnerability Publication Date: 9/11/2021

CISA Known Exploited Dates: 12/15/2021

Exploitable With

Metasploit (ManageEngine ServiceDesk Plus CVE-2021-44077)

Reference Information

CVE: CVE-2021-44077