Zoho has asked customers to patch a critical security flaw affecting several ManageEngine products. “This security advisory is to let you know that a critical security vulnerability was detected,” according to Zoho.
Zoho ManageEngine servers have often been targeted. Desktop Central instances, for instance, were being hacked and access to the breached organizations’ networks sold on hacking forums starting in July 2020.
Critical SQL Injection Vulnerability
The company’s Password Manager Pro secure vault, PAM360 privileged access management software, and Access Manager Plus privileged session management solution all contain the flaw, tracked as CVE-2022-47523, which is a SQL injection vulnerability.
If exploitation succeeds, attackers gain unrestricted access to the backend database and can run custom queries to retrieve database table entries.
“We identified a SQL injection vulnerability (CVE-2022-47523) in our internal framework that would grant all [..] users unauthenticated access to the backend database,” Zoho said.
“Given the severity of this vulnerability, customers are strongly advised to upgrade to the latest build of PAM360, Password Manager Pro and Access Manager Plus immediately.”
According to Zoho, the problem was resolved last month by properly validating and escaping special characters.
To upgrade your installation (PAM360, Password Manager Pro, or Access Manager Plus), first download the most recent upgrade pack for your product.
The most recent build should then be deployed in accordance with the upgrade guidelines listed on each product’s Upgrade Pack page:
Further, in September CISA detected a critical ManageEngine vulnerability (CVE-2022-35405) that was being exploited in attacks to achieve remote code execution on unpatched servers running PAM360, Access Manager Plus, and Password Manager Pro.
U.S. Federal Civilian Executive Branch (FCEB) agencies were given three weeks to patch vulnerable systems and ensure their networks were secured against exploitation attempts.
Notably, nation-state hackers also attacked ManageEngine servers between August and October 2021 using techniques and tools similar to those used by the APT27 hacking group, which has ties to China.
Recently, the FBI and CISA jointly released two advisories warning that state-sponsored attackers could backdoor critical infrastructure organizations’ networks using ManageEngine flaws.