
[R2] ManageEngine OpManager / Service Desk Multiple Vulnerabilities

High

Synopsis

#1: CVE-2016-82014: Operations Manager - An SQL injection flaw was reported to ManageEngine on 2014/08/19 by Andrea Micalizzi (rgod), affecting versions 11.3 and 11.4 of ManageEngine OpManager, and said to be patched in version 11.5 on 2014/11/10. This issue was assigned CVE-2014-7867 / VulnDB 114479, summarized as "ManageEngine OpManager /servlet/APMBVHandler OPM_BVNAME Parameter SQL Injection". While working on detection plugins for the Nessus vulnerability scanner, one of our research engineers discovered that the patch for this issue does not fully mitigate the problem. The other two SQL injection issues reported at the same time appear to be fully patched in version 11.5.

The issue is due to the patch being a direct response to the original exploit string:

POST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+

The patch to the getDevicesInBusinessView() function in DeviceDetailsUtil.class of OpManagerServerClasses.jar was modified as follows:

        System.out.println("update view:" + bool);
        // Patched check: the request is rejected only when the lowercased
        // view name contains the literal phrase "create table"; any other
        // content of the parameter is passed through unchanged.
        if (str1.toLowerCase().indexOf("create table") != -1) {
          try
          {
            paramHttpServletResponse.sendError(403, "Probe name to be added/updated is not a valid one");
            return;
          }
          catch (Exception localException2) {}

Thus, an exploit that uses SQL syntax other than 'create table' still works: the patch blocks one phrase from the original proof of concept rather than validating the parameter or parameterizing the query.
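To illustrate the point in working code, the following is an added example (not ManageEngine's code): a Python model of the quoted substring blocklist beside a hardened alternative that validates the view name against an allowlist and binds it as a query parameter. The table name, the allowlist pattern and the sqlite3 schema are assumptions for the demonstration.

```python
import re
import sqlite3

# Flawed check modelled on the decompiled patch quoted above: a single
# substring blocklist applied to the user-supplied view name.
def blocklist_check(view_name: str) -> bool:
    """Return True if the name would be accepted by the 'create table' check."""
    return "create table" not in view_name.lower()

# Hardened alternative (assumption, not vendor code): an allowlist admitting
# only the characters a business-view name legitimately needs.
VIEW_NAME_RE = re.compile(r"^[A-Za-z0-9 _.-]{1,64}$")

def allowlist_check(view_name: str) -> bool:
    return VIEW_NAME_RE.fullmatch(view_name) is not None

def delete_view(conn: sqlite3.Connection, view_name: str) -> int:
    """Delete a view row by name using a bound parameter, so the name is never
    interpreted as SQL whatever it contains. Returns the number of rows deleted."""
    if not allowlist_check(view_name):
        raise ValueError("Probe name to be added/updated is not a valid one")
    cur = conn.execute("DELETE FROM business_views WHERE name = ?", (view_name,))
    conn.commit()
    return cur.rowcount

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory sample data for the demonstration (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE business_views (name TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO business_views VALUES (?)",
                     [("Core Routers",), ("Branch-WAN",)])
    conn.commit()
    return conn
```

The blocklist rejects only the one phrase and lets quote and statement-separator characters through; the allowlist rejects them, and the bound parameter removes the need to reason about SQL syntax at all.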

#2: CVE-2016-82015: Operations Manager - During internal testing of our detection plugin, the same engineer noticed a reflected cross-site scripting (XSS) vulnerability in the OPM_BVNAME parameter of the APMBVHandler servlet, which reflects the injected content unfiltered in the ViewName property. This affects versions 11.3, 11.4, and 11.5 of ManageEngine OpManager, but the patch provided for the SQL injection issues also fixes this, and version 11.5 is not affected when the patch is applied.

#3: Service Desk - On January 23, 2015, two enumeration issues were reported to be fixed in ManageEngine Service Desk covered by VulnDB 117583 and 117584:

117583 2015-01-23 ManageEngine Service Desk /servlet/AJaxServlet Multiple Action Remote Username Enumeration
117584 2015-01-23 ManageEngine Service Desk /domainServlet/AJaxDomainServlet searchLocalAuthDomain Action Remote User / Domain Enumeration

These were reported to be fixed in version 9.0 Build 9031. However, internal testing by one of our engineers indicates that in versions 9.0 Build 9031 and 9.0 Build 9045, the AJaxDomainServlet issue is not patched. It appears that the fix removes the JavaScript that auto-fills the domain on the login form, but the public-facing servlet is left in place. This allows a remote attacker to invoke the servlet directly to enumerate a user and their domain.
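Because the fix only removed the front-end caller, direct requests to the servlet are the signal a defender can watch for. The following is an added example (not part of the advisory or the vendor's product): a Python check over constructed combined-format access-log lines that flags clients issuing repeated distinct searchLocalAuthDomain lookups against /domainServlet/AJaxDomainServlet. The log format, client addresses and query-parameter names are assumptions; only the servlet path and the action name come from the advisory.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample access-log lines (combined log format); not real data.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2016:10:01:01 +0000] "GET /domainServlet/AJaxDomainServlet?action=searchLocalAuthDomain&search=alice HTTP/1.1" 200 123 "-" "curl/7.47"
10.0.0.5 - - [12/Mar/2016:10:01:02 +0000] "GET /domainServlet/AJaxDomainServlet?action=searchLocalAuthDomain&search=bob HTTP/1.1" 200 123 "-" "curl/7.47"
10.0.0.5 - - [12/Mar/2016:10:01:03 +0000] "GET /domainServlet/AJaxDomainServlet?action=searchLocalAuthDomain&search=carol HTTP/1.1" 200 123 "-" "curl/7.47"
10.0.0.9 - - [12/Mar/2016:10:05:00 +0000] "GET /domainServlet/AJaxDomainServlet?action=searchLocalAuthDomain&search=dave HTTP/1.1" 200 123 "https://sd.example/" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2016:10:05:01 +0000] "GET /index.html HTTP/1.1" 200 4567 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client address, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SERVLET_PATH = "/domainServlet/AJaxDomainServlet"   # from the advisory
ACTION = "searchLocalAuthDomain"                     # from the advisory

def enumeration_suspects(log_text: str, threshold: int = 3) -> dict:
    """Return {client_ip: distinct_lookups} for clients that called the
    domain-lookup servlet with at least `threshold` distinct query strings.
    Matching on the action name anywhere in the query avoids depending on
    the (assumed) parameter name."""
    lookups = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != SERVLET_PATH or ACTION not in parts.query:
            continue
        lookups[m.group("ip")].add(parts.query)
    return {ip: len(q) for ip, q in lookups.items() if len(q) >= threshold}
```

Until the vendor's web.xml is applied, the same path match can also drive a blocking rule at the reverse proxy, since the login form no longer needs the servlet.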

Solution

Service Desk: The user enumeration is fixed with a new web.xml made available by the vendor for any version.

Operations Manager: The XSS in OPM_BVNAME has been fixed in version 11.6 or later. Optionally, the SQLi patch (link above) can be applied to version 11.3, 11.4, or 11.5 to mitigate the issue. The SQLi in OPM_BVNAME appears to be fully fixed in version 11.6 or later, including 12 Build 12000.

Disclosure Timeline

2014-11-10 - SQLi patch released (unknowingly fixing issue #2)
2015-02-10 - SQLi issue discovered
2015-06-22 - OpManager 11.6 released (fixing issue #1)
2015-06-23 - Vendor Informed via Web Form https://www.manageengine.com/manageengine-security-response-center.html 'Data added succesfully' but 'View Log Details' errored out.
2015-06-29 - Follow-up sent asking if different comms available, since no reply to last web form report.
2015-06-29 - Automated reply from [email protected] assigning request ID ##2255088
2015-06-29 - Vendor human reply saying details did not come through originally, please re-send
2015-06-29 - Vuln details shared via email
2015-07-06 - Pinged vendor asking if details received, issues confirmed
2015-07-07 - Vendor confirmed receiving mail, asks for config information
2015-07-13 - Vendor sends new web.xml to resolve SQLi, asks us to confirm
2015-07-13 - Let vendor know the new web.xml appears to solve the issue fully
2015-08-20 - Ping vendor about final resolution status
2015-08-20 - Request CVE
2015-09-08 - Ping CVE about assignments
2015-09-24 - Request ID ##7283732 somehow injected into process
2015-09-24 - Vendor mail saying 3 of 4 issues fixed in 9.0 Build 9030
2015-09-24 - Tenable asks for clarification, as 9.0 Build 9031 was tested and found vuln. Asks for clarification on OpManager solution.
2015-09-24 - Vendor provides solution for enumeration issue to test
2015-10-06 - Tenable tests solution, does not resolve issue. Communicated details.
2015-10-06 - ManageEngine sends spam offering ServiceDesk Training
2015-10-07 - Vendor provides second solution for enumeration issue to test
2015-10-12 - Tenable verifies the solution works on the latest minor build, asks what version will fix
2015-11-24 - Tenable asks again for fix version information
2015-11-24 - Vendor replies "latest version", Tenable asks which version first fixed
2015-11-29 - Vendor says read changelog, which doesn't clearly show fixes.
2015-11-30 - Tenable asks for SPF tracking numbers to compare to changelog.
2015-12-09 - MITRE denies request for CVE due to "unusually high probability of being a duplicate or having abstraction issues"
2015-12-21 - Tenable asks for SPF information again
2015-12-22 - Vendor asks for Support # (the ones carried in the email subject, but we reply anyway)
2016-01-11 - Tenable asks for SPF information again
2016-03-15 - Tenable asks for SPF information again
2016-03-15 - Auto reply assigning ##2453700
2016-03-18 - Tenable emails a new security contact asking for help resolving this
2016-03-19 - Zoho security team will follow-up, gives us better reporting address
2016-03-21 - Vendor replies they are looking into it, and XSS issue was assigned SD-62587
2016-03-21 - Vendor provides workaround for XSS issue for us to test
2016-03-30 - Tenable tests several revisions, verifies all issues are fixed or a workaround is available. Tells vendor to close the three tickets.
2016-03-31 - ##2255088 closed
2016-04-18 - ##7283732 closed

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]