Attention Constituent:
#########################################
##  S E C U R I T Y   A D V I S O R Y  ##
#########################################
Title : Multiple Nation-State Threat Actors Exploit Multiple Zoho ManageEngine products
Advisory ID : CIRT-BS-2023-0004
Version : 1.00
Probability : high
CVE ID : CVE-2022-47966
(http://cve.mitre.org/cve/)
Damage : high
Remote Code Execution
Publication date : 20231016
Product(s) : ManageEngine ServiceDesk
             Zoho ManageEngine Remote Access Plus Server
             Zohocorp ManageEngine Key Manager Plus 6.4 6450
             Zohocorp ManageEngine ServiceDesk Plus
             Zohocorp Zoho Corp ManageEngine ADManager Plus
             Zohocorp Zoho Corp ManageEngine ADSelfService Plus 6.2 6217
             Zohocorp Zoho Corp ManageEngine Applications 16.4 Build16440
             Zohocorp Zoho Corp ManageEngine Browser Security Plus
             Zohocorp Zoho Corp ManageEngine Vulnerability Manager Plus
             Zohocorp Zoho Corporation ManageEngine Access Manager Plus 4.3 Build4309
             Zohocorp Zoho Corporation ManageEngine Analytics Plus 5.2 5210
             Zohocorp Zoho Corporation ManageEngine AssetExplorer 6.9 6988
             Zohocorp Zoho Corporation ManageEngine Device Control Plus
             Zohocorp Zoho Corporation ManageEngine Endpoint DLP Plus
             Zohocorp Zoho Corporation ManageEngine Remote Access Plus
             Zohocorp Zoho Corporation ManageEngine ServiceDesk Plus
             Zohocorp Zoho Corporation ManageEngine ADAudit Plus 7.0.0 7055
Version(s) : - 14003 and below
             - 10.1.2228.10 and below
             - 6400 and below
             - 14003 and below
             - 7161 and below
             - 6210 and below
             - 10.1.2220.17 and below
             - 11.1.2238.5 and below
             - 10.1.2220.17 and below
             - 4307 and below
             - 5140 and below
             - 6982 and below
             - 10.1.2220.17 and below
             - 10.1.2228.10 and below
             - 10.1.2228.10 and below
             - 14003 and below
             - 7080 and below
Platform(s) :
Summary
This advisory addresses an unauthenticated remote code execution
vulnerability, reported and patched in some ManageEngine OnPremise
products, that is caused by the use of an outdated third-party
dependency, Apache Santuario.
Consequences
Exploitation of CVE-2022-47966 allowed the threat actors to gain
root-level access on the server, which was then leveraged to create a
local user account with administrator privileges. From there the APT
actors continued to explore and move laterally through the
organization’s network, including attempting to exfiltrate Local
Security Authority Subsystem Service (LSASS) hashes. The APT actors
also utilized legitimate applications and tools like Mimikatz, Nmap
and Metasploit.
Description
Security advisory for remote code execution vulnerability in
multiple ManageEngine products
Solution
ManageEngine released updates for all affected products to resolve
this issue. To remediate these vulnerabilities, download and install
the relevant “ManageEngine Upgrade Pack”. ManageEngine
On-Demand/cloud products are not affected by this vulnerability.
More information about the vulnerability can be found here:
https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
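To decide which servers need the Upgrade Pack first, the following added example (not part of the original advisory or of ManageEngine's tooling) triages an inventory against the "and below" ceilings listed above. It assumes each product pairs with the Version(s) entry in the same list position, covers only the unambiguously named products, and uses constructed host names and builds.

```python
import re

# Affected ceilings: product -> highest affected build. Pairing is by list
# position in the advisory's Product(s) and Version(s) fields (assumption).
AFFECTED_MAX = {
    "ServiceDesk Plus": "14003",
    "Remote Access Plus": "10.1.2228.10",
    "Key Manager Plus": "6400",
    "ADManager Plus": "7161",
    "ADSelfService Plus": "6210",
    "Browser Security Plus": "11.1.2238.5",
    "Vulnerability Manager Plus": "10.1.2220.17",
    "Access Manager Plus": "4307",
    "Analytics Plus": "5140",
    "AssetExplorer": "6982",
    "Device Control Plus": "10.1.2220.17",
    "Endpoint DLP Plus": "10.1.2228.10",
    "ADAudit Plus": "7080",
}

def classify(product, installed):
    """Return 'affected', 'above range' or 'unknown' for one installation."""
    ceiling = AFFECTED_MAX.get(product)
    installed = installed.strip()
    if ceiling is None or not re.fullmatch(r"\d+(\.\d+)*", installed):
        return "unknown"
    # Compare numerically, component by component: as strings,
    # "10.1.2228.9" would wrongly sort above "10.1.2228.10".
    have = tuple(int(p) for p in installed.split("."))
    limit = tuple(int(p) for p in ceiling.split("."))
    if len(have) != len(limit):  # e.g. release "6.2" given instead of a build
        return "unknown"
    return "affected" if have <= limit else "above range"

# Constructed sample inventory: (host, product, installed build).
INVENTORY = [
    ("sd01", "ServiceDesk Plus", "14003"),
    ("sd02", "ServiceDesk Plus", "14004"),
    ("dlp01", "Endpoint DLP Plus", "10.1.2228.9"),
    ("ad01", "ADSelfService Plus", "6.2"),
    ("bs01", "Browser Security Plus", "11.1.2238.6"),
]

def triage(inventory):
    return {host: classify(product, build) for host, product, build in inventory}

if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(f"{host}: {verdict}")
```

Rows reported as "unknown" need a manual check of the installed build number before they can be ruled out.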
Best,