Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

[R1] ManageEngine ServiceDesk Multiple Vulnerabilties

High

Synopsis

Tenable uncovered a handful of new vulnerabilities in ManageEngine ServiceDesk. This is not Tenable's first go around with ManageEngine ServiceDesk. If you look at our previous advisory you'll see that it took nearly two years to resolve a reflected XSS vulnerability.

A number of months ago, Tenable decided to switch to a 90-day disclosure policy. That seems reasonable to us. It has now been 383 days since ManageEngine acknowledged the vulnerabilities in this advisory. The most egregious of which remain unfixed.

CVE-2017-11511: Arbitrary File Download - No Fix as of 9.3.9328

ServiceDesk provides an endpoint for unauthenticated remote users to download files at /fos-agent/repl/download-file. This endpoint requires a couple of parameters: basedir and filepath. The basedir parameter is a number 1-4. The values correspond to the following directories (on Windows):
  1. C:\ManageEngine\ServiceDesk\bin\..\fileAttachments
  2. C:\ManageEngine\ServiceDesk\bin\..\inlineimages
  3. C:\ManageEngine\ServiceDesk\bin\..\archive
  4. C:\ManageEngine\ServiceDesk\bin\..\..\ServiceDesk
Option 4, C:\ManageEngine\ServiceDesk, is a bit bizarre because it exposes all of the files in the ServiceDesk install. That includes log files and database files.
http://192.168.1.200:8080/fosagent/repl/download-file?basedir=4&filepath=pgsql\data\pg_log\pgsql_Wed.log
However, that appears to be working as intended. I have to assume that path traversal is not intended behavior though.
http://192.168.1.200:8080/fosagent/repl/download-file?basedir=4&filepath=..\..\Windows\win.ini

We have assigned this CVE-2017-11511. This was assigned SD-64424 by ManageEngine back in October of 2016 yet remains unfixed.

CVE-2017-11512: Arbitrary File Download - No Fix as of 9.3.9328

ServiceDesk provides an interface for unauthenticated remote users to download snapshots at /fosagent/repl/download-snapshot. This endpoint takes one parameter, name, which is supposed to correspond to the snapshot that you'd like to download. Due to the lack of validation an attacker can use name to traverse directories and download arbitrary files.

http://192.168.1.200:8080/fosagent/repl/download-snapshot?name=..\..\..\..\..\..\..\Windows\win.ini

We have assigned this CVE-2017-11512. This was assigned SD-64424 by ManageEngine back in October of 2016 yet remains unfixed.

Various Fixed Authenticated Stored XSS

Fixed in 9.3.9139, an authenticated user could store arbitrary HTML/Javascript in the Job Title field for a Technician via SetupWizard.do.

Fixed in 9.2.9241, an authenticated user could store arbitrary HTML/Javascript in the Name of an Asset Group via GroupResourcesDef.do.

Fixed in 9.2.9241, an authenticated user could store arbitrary HTML/Javascript in the Name of an Asset Group via ContractDef.do.

Fixed in 9.2.9237, an authenticated user could store arbitrary HTML/Javascript in the Contract ID of a Contract via TaskDetails.cc.

Solution

As of 9.3.9328, no patch exists for the arbitrary file download vulnerabilities. All of the XSS vulnerabilities have been patched as of 9.3.9139.

Disclosure Timeline

2016-10-11 - Issues discovered
2016-10-19 - Advisory drafted
2016-10-19 - Issue reported to vendor via [email protected]
2016-10-20 - Vendor acks email
2016-10-24 - Vendor replies with tracking IDs for each issue, injects ticket ##7497167## in subject
2016-11-24 - Ping vendor for update
2016-11-25 - Vendor says "already started working on the reported issues"
2016-12-20 - Ping vendor for update
2016-12-22 - Vendor provides update on each issue
2017-02-27 - Ping vendor for update
2017-02-27 - Vendor auto-creates ticket ##8027287##
2017-03-01 - Vendor says SD-64421, SD-64422, SD-64423 fixes already. Others fixed in upcoming HotFix.
2017-03-10 - Ask vendor which version fixed the first three.
2017-03-13 - Vendor provides succinct list of three IDs vs fixing versions, yay!
2017-03-25 - Ping vendor about the other two IDs
2017-04-13 - Vendor says Dev is still working on SD-64424 & SD-64425
2017-11-08 - Tenable confirms that the arbitrary download vulnerabilities have not been fixed.
2017-11-08 - Tenable publishes advisory

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Try for Free Buy Now

Try Tenable.io Vulnerability Management

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.