Zoho ManageEngine flaw is actively exploited, CISA warns

A remote code execution vulnerability in Zoho’s ManageEngine, a popular IT management solution for enterprises, is being exploited in the wild. The US Cybersecurity & Infrastructure Security Agency (CISA) added the flaw to its catalog of known exploited vulnerabilities last week, highlighting an immediate threat for organizations that haven’t yet patched their vulnerable deployments.

The vulnerability, tracked as CVE-2022-3540, was privately reported to Zoho in June by a security researcher identified as Vinicius and was fixed later that same month. The researcher posted a more detailed writeup at the beginning of this month and, according to him, it’s a Java deserialization flaw inherited from an outdated version of Apache OFBiz, an open-source enterprise resource planning system, where it was patched in 2020 (CVE-2020-9496). This means that the Zoho ManageEngine products were vulnerable for two years due a failure to update a third-party component.

Normally, Apache OFBiz exposes an XML-RPC endpoint at /webtools/control/xmlrpc, which can receive unauthenticated requests. Those requests can contain serialized arguments that are then deserialized and if the classpath contains any dangerous classes, remote code execution can be achieved. In the context of the OFBiz server, the attacker can run arbitrary system commands with the privileges of the servlet container running the server.

Several Zoho ManageEngine products contain this component and expose the XML-RPC endpoint at /xmlrpc. One of the affected products is Zoho Password Manager Pro (PMP), which runs with NT Authority/system permissions, so successful exploitation can give an attacker full control over the server and access to the internal network.

In addition to Zoho Password Manager Pro, the vulnerability was also found in ManageEngine Access Manager Plus, a web-based privileged session management solution for tracking remote connections, and ManageEngine PAM360, a privileged access management solution. All the impacted products are used for authentication and access management, so compromising any of them can have serious implications for an organization.

Zoho advises users to upgrade to Access Manager Plus version 4303 or later, Password Manager Pro version 12101 or later and PAM360 5510 or later. The company says it has fixed the flaw by completely removing the vulnerable component from PAM360 and Access Manager Plus and removing the vulnerable XML-RPC parser from Password Manager Pro.

How to check for the ManageEngine vulnerability

Its security advisory includes steps for determining if a deployment has been targeted and potentially compromised:

1. Navigate to /logs.
2. Open the access_log_.txt file.
3. Search for the keyword /xmlrpc POST in the text file. If this keyword is not found, your environment is not affected. If it is present, then proceed to the next step.
4. Search for the following line in the logs files. If it is present, then your installation is compromised:

[/xmlrpc-_###_https-jsse-nio2--exec-] ERROR org.apache.xmlrpc.server.XmlRpcErrorLogger - InvocationTargetException: java.lang.reflect.InvocationTargetException

If an installation has been compromised, isolate the affected machine immediately and initiate an incident response investigation. Zoho asks users to send them a copy of all the application logs if a compromise has been detected.