Zoho ManageEngine Desktop Central RCE 0-Day Vulnerability

Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.

This vulnerability is a zero-day vulnerability with a public proof of concept and is actively being exploited in the wild. This vulnerability allows attackers to remotely execute arbitrary code with SYSTEM privileges on compromised ManageEngine Desktop Central instances.

Affected Software / System

ManageEngine Desktop Central

CVE (if applicable)

CVE-2020-10189

Type

Remote Code Execution

Exploit Status: Exploited but not Public

The following table provides an exploitability assessment for this vulnerability at the time of original publication.

Rating

9.8 - Critical

Impact

An attacker could gain SYSTEM root level code execution on affected ManageEngine Desktop Central instances without authentication. If the vulnerable instance is exposed on the Internet (there are currently over 2300 exposed ManageEngine systems on the Internet) this could provide attackers with an entry point to the network. Even if the instance is not exposed on the Internet, a compromised device on the same network as a vulnerable Desktop Central instance could be used to exploit the vulnerable Desktop Central instance. At that point, the vulnerability could be used to deploy malware laterally to other computers on the network. Similar tactics have been seen with victim Managed Service Providers (MSP) remote monitoring and management (RMM) tools to deploy ransomware to all of the MSP’s clients.

Mitigation

• Zoho has released Desktop Central version 10.0.479 which patches this vulnerability.

Ingalls recommends the following actions:

• To determine if your Desktop Central instance has been compromised, Zoho provides the following guidance:
  • If there is any file with these names (txt, logger.zip, mdmlogs.zip, managedprofile_mdmlogs.zip) under the folder \ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\_chart, then your installation has been compromised.
  • If there is a presence of the file in this path “C:\Users\Public\install.bat”, then your system has been compromised. (Ingalls recommends checking under other users as well).
• If any of these files (logger.txt, logger.zip, mdmlogs.zip, managedprofile_mdmlogs.zip) is present under the folder \ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\_chart, follow the below-mentioned steps to apply the fix:
  • Disconnect the machine from your network.
  • Take a copy of the scheduled backup (dbbackup) taken on or before 5th March, 2020, and move this to another machine.
  • After taking a copy of the backup, format the compromised machine.
  • Install Desktop Central EXE. (Note: The build version of the new EXE should be the same as that of your backed up build version). Visit this link to procure the EXE for your build number: http://archives.manageengine.com/desktop-central/?utm_source=rce-document
  • Restore the backup, and start the server. It is highly recommended to utilize a different hardware setup for the new installation. Backup restoration instructions can be found at this link: https://www.manageengine.com/products/desktop-central/backup_restoration_desktop_central_server_incompatible.html?utm_source=rce-document
  • Once the server is up and running, upgrade to the latest build, 10.0.479. Upgrade instructions can be found at this link: https://www.manageengine.com/products/desktop-central/service-packs.html?utm_source=rce-document
• If you spot “C:\Users\Public\install.bat” (or other users), follow the below-mentioned steps for mitigation:
  • Disconnect the machine from your network.
  • Look for any service with the name “StorSyncSvc” that has the display name “Storage Sync Service”, and disable this service immediately.
  • Add a firewall rule to block both the inbound, and outbound connections to the IP addresses, 42.98.220 and 74.82.201.8. (Ingalls also recommends blocking 66.42.107.133 and 66.98.126.203)
  • Take a copy of the scheduled backup (dbbackup) taken on or before 5th March, 2020, and move this to another machine.
  • After taking a copy of the backup, format the compromised machine.
  • Install Desktop Central EXE. (Note: The build version of the new EXE should be the same as that of your backed up build version). Visit this link to procure the EXE for your build number: http://archives.manageengine.com/desktop-central/?utm_source=rce-document
  • Restore the backup, and start the server. It is highly recommended to utilize a different hardware setup for the new installation. Backup restoration instructions can be found at this link: https://www.manageengine.com/products/desktop-central/backup_restoration_desktop_central_server_incompatible.html?utm_source=rce-document
  • Once the server is up and running, upgrade to the latest build, 10.0.479. Upgrade instructions can be found at this link: https://www.manageengine.com/products/desktop-central/service-packs.html?utm_source=rce-document