Severe zero-day vulnerabilities have been discovered in ManageEngine products used by a substantial number of Fortune 500 companies.
On Wednesday, researchers from Digital Defense disclosed the bugs, discovered by the firm's Vulnerability Research Team (VRT).
In a security advisory, the team said that six previously unknown vulnerabilities impact three ManageEngine products: Log360, EventLog Analyzer and Applications Manager.
The ManageEngine product range is focused on IT management within the enterprise. ManageEngine has over 40,000 customers worldwide, and supports three out of every five Fortune 500 companies, according to the firm.
As such, zero-day vulnerabilities in the company's software could prove disastrous, especially when they are deemed critical.
"These flaws allow unauthenticated file upload remote code execution, unauthenticated blind SQL injection, unauthenticated local file inclusion and unauthenticated API key disclosure potentially allowing remote code execution with escalated privileges, and sensitive data disclosure resulting in full host compromise," the researchers say.
The first critical vulnerability, DDI-VRT-2018-10, is described as an "Unauthenticated File Upload Remote Code Execution via /agentUpload." Impacting EventLog Analyzer 11.8 and Log360 5.3, the issue lets an unauthenticated attacker reach the com.adventnet.sa.agent.UploadHandlerServlet class with a POST request carrying a crafted .zip file; because the upload is accepted without any authentication, the attacker can land a file of their choosing on the server.
If exploited, attackers can perform remote execution attacks "with the same privileges as the user that started the Eventlog."
The second bug, DDI-VRT-2018-11, is an "Unauthenticated Blind SQL Injection via /servlet/aam_servercmd," an input-validation flaw in Applications Manager version 13.
According to the team, the com.adventnet.appmanager.servlets.comm.AAMRequestProcessor servlet can be accessed via a GET or POST request to /servlet/aam_servercmd without authentication. If exploited, the Applications Manager application can be fully compromised, leading to the execution of arbitrary code as SYSTEM when running on Windows.
The third vulnerability, DDI-VRT-2018-12, is described as "Multiple Unauthenticated Blind SQL Injections via /servlet/SyncEventServlet."
Another flaw in Applications Manager 13: the SyncEventServlet class can be reached by either a GET or POST request to /servlet/SyncEventServlet, and if the product is running as an admin server and the "operation" request parameter is set to "checkEventSynch," request input is passed into SQL queries without any sanitization.
If exploited, the bug also results in the execution of arbitrary code as SYSTEM when running on Windows.
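The three blind SQL injection bugs above (DDI-VRT-2018-11, -12 and -14) all come down to the same mechanism: a request parameter spliced into SQL text, and a yes/no difference in the response that lets an attacker ask the database questions one bit at a time. The following is an added illustration, not ManageEngine's code or Digital Defense's proof of concept; it uses an in-memory sqlite3 table with an invented name and columns (sync_events, operation, pending) as a stand-in for whatever SyncEventServlet actually queries, and shows the vulnerable string-built query beside the parameterised fix.

```python
"""Blind SQL injection through an unsanitised request parameter, in miniature.

Added example, not ManageEngine or Digital Defense code. The table
sync_events(operation, pending) is invented for the demonstration.
"""
import sqlite3


def setup_db():
    """Constructed sample data standing in for the product's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sync_events (operation TEXT, pending INTEGER)")
    conn.executemany("INSERT INTO sync_events VALUES (?, ?)",
                     [("checkEventSynch", 3), ("other", 0)])
    return conn


def pending_vulnerable(conn, operation):
    """The request parameter is spliced straight into the SQL text, which is
    the pattern the advisory describes for the 'operation' parameter."""
    sql = "SELECT pending FROM sync_events WHERE operation = '%s'" % operation
    return [row[0] for row in conn.execute(sql)]


def pending_safe(conn, operation):
    """Bound parameter: the value travels separately from the SQL text, so a
    quote inside it is data, never syntax."""
    sql = "SELECT pending FROM sync_events WHERE operation = ?"
    return [row[0] for row in conn.execute(sql, (operation,))]


def oracle(query_fn, conn, condition):
    """Boolean blind probe: append an SQL condition to the expected value and
    report whether the response still contains rows. Against the safe query
    the whole payload is one literal that matches nothing, so it is always
    False regardless of the condition."""
    payload = "checkEventSynch' AND (%s) AND 'a'='a" % condition
    return bool(query_fn(conn, payload))


def extract_blind(query_fn, conn, expr, max_len=16):
    """Recover the string value of an SQL expression one character at a time
    using only the true/false oracle, which is what 'blind' injection means
    in practice. Linear search over printable ASCII keeps the demo simple."""
    out = ""
    for pos in range(1, max_len + 1):
        found = None
        for code in range(32, 127):
            cond = "unicode(substr((%s), %d, 1)) = %d" % (expr, pos, code)
            if oracle(query_fn, conn, cond):
                found = chr(code)
                break
        if found is None:  # substr past the end yields '' -> no match
            break
        out += found
    return out


if __name__ == "__main__":
    db = setup_db()
    secret = "(SELECT operation FROM sync_events WHERE pending = 0)"
    print("vulnerable:", extract_blind(pending_vulnerable, db, secret))
    print("parameterised:", repr(extract_blind(pending_safe, db, secret)))
```

The point of the extraction loop is that nothing in the response ever shows the stolen value; the attacker only ever sees "rows" or "no rows", which is exactly why these bugs are rated by what the database user can do (SYSTEM on Windows, per the advisory) rather than by what the page returns.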
The fourth security flaw, DDI-VRT-2018-13, which allows for "Unauthenticated Local File Inclusion via /servlet/FailOverHelperServlet," is another bug in Applications Manager 13. No authentication is required to access the FailOverHelperServlet class via POST request, leading to information disclosure.
The fifth bug, DDI-VRT-2018-14, is described by Digital Defense as an "Unauthenticated Blind SQL Injection via /servlet/MenuHandlerServlet."
The flaw, present in Applications Manager 13, allows access to the MenuHandlerServlet servlet via a GET or POST request without authentication. If exploited, this can result in the execution of arbitrary code as SYSTEM when running on Windows.
The final vulnerability, DDI-VRT-2018-15, is an "Unauthenticated API Key Disclosure via /servlet/OPMRequestHandlerServlet."
"A GET request to /servlet/OPMRequestHandlerServlet where the "OPERATION_TYPE" request parameter is set to "APM_API_KEY_REQUEST" and the "USERNAME" request parameter is set to any valid user will return that user's API key," the researchers say. "Depending on the privilege level of the compromised user, this could result in full compromise of both the Applications Manager web application and the host running it."
As with the SQL injection bugs, the end result on Windows is arbitrary code execution as SYSTEM.
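Each of the six advisories above names a concrete request shape (path, HTTP method and, for DDI-VRT-2018-12 and -15, a gating parameter), which is enough to sweep existing web-server access logs for exploitation attempts while patches are rolled out. The script below is an added example, not a Digital Defense or ManageEngine tool. It assumes Apache/Tomcat-style combined access-log lines and that the servlet paths sit at the root of the web application; the log lines embedded in it are constructed for the demonstration, not captured from a real system.

```python
"""Sweep an access log for requests matching the DDI-VRT-2018-10..15 endpoints.

Added example, not Digital Defense or ManageEngine code. Assumes combined
access-log format and servlet paths at the application root.
"""
import re
from urllib.parse import urlsplit, parse_qs

# (advisory id, path, methods named in the advisory, gating query parameters)
# Paths, methods and parameter values are those quoted in the advisories.
RULES = [
    ("DDI-VRT-2018-10", "/agentUpload", {"POST"}, None),
    ("DDI-VRT-2018-11", "/servlet/aam_servercmd", {"GET", "POST"}, None),
    ("DDI-VRT-2018-12", "/servlet/SyncEventServlet", {"GET", "POST"},
     {"operation": "checkEventSynch"}),
    ("DDI-VRT-2018-13", "/servlet/FailOverHelperServlet", {"POST"}, None),
    ("DDI-VRT-2018-14", "/servlet/MenuHandlerServlet", {"GET", "POST"}, None),
    ("DDI-VRT-2018-15", "/servlet/OPMRequestHandlerServlet", {"GET"},
     {"OPERATION_TYPE": "APM_API_KEY_REQUEST"}),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic). Lines 2-4 should fire.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Mar/2018:10:01:12 +0000] "GET /index.do HTTP/1.1" 200 5123',
    '10.0.0.9 - - [28/Mar/2018:10:02:40 +0000] "GET /servlet/OPMRequestHandlerServlet'
    '?OPERATION_TYPE=APM_API_KEY_REQUEST&USERNAME=admin HTTP/1.1" 200 312',
    '10.0.0.9 - - [28/Mar/2018:10:03:01 +0000] "GET /servlet/SyncEventServlet'
    '?operation=checkEventSynch HTTP/1.1" 200 44',
    '10.0.0.9 - - [28/Mar/2018:10:03:30 +0000] "POST /agentUpload HTTP/1.1" 200 0',
    '10.0.0.7 - - [28/Mar/2018:10:04:00 +0000] "GET /servlet/SyncEventServlet'
    '?operation=other HTTP/1.1" 200 98',
]


def parse_line(line):
    """Split one combined-format line into the fields the rules need."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "path": parts.path, "query": query, "status": int(m["status"])}


def match_rules(req):
    """Return the advisory ids whose request shape this request matches."""
    hits = []
    for ddi, path, methods, gate in RULES:
        if req["path"] != path or req["method"] not in methods:
            continue
        # POST parameters travel in the body, which an access log never
        # records, so a POST to a parameter-gated path is flagged on path alone.
        if gate and req["method"] == "GET":
            if any(req["query"].get(k) != v for k, v in gate.items()):
                continue
        hits.append(ddi)
    return hits


def scan(lines):
    """Yield (advisory, client ip, method, path, status, query) per hit."""
    findings = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        for ddi in match_rules(req):
            findings.append((ddi, req["ip"], req["method"], req["path"],
                             req["status"], req["query"]))
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 200 response to the OPMRequestHandlerServlet request with a USERNAME parameter is the one to escalate first: per the advisory that single unauthenticated GET hands back the named user's API key, so the account should be treated as compromised and the key rotated, not just the patch applied.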
Digital Defense commended ManageEngine for its "prompt response to the identified flaws and their engineering team's work with VRT to provide fixes for these security issues."
Patches have been released to resolve the vulnerabilities and can be downloaded from the vendor's website; administrators running the affected builds (EventLog Analyzer 11.8, Log360 5.3 and Applications Manager 13) should apply them.