Proof-of-concept exploit code will be released later this week for a critical vulnerability that allows remote code execution (RCE) without authentication in several VMware products.
Tracked as CVE-2022-47966, this pre-approved RCE security flaw is due to the use of an outdated and vulnerable third-party dependency, Apache Santuario.
A successful exploit enables unauthenticated threat actors to execute arbitrary code on ManageEngine servers if SAML-based single sign-on (SSO) is enabled or has been enabled at least once prior to the attack.
The list of vulnerable software includes almost all ManageEngine products. Fortunately, though, Zoho has already waved them off, starting October 27, 2022, by updating the third-party module to a more recent version.
Inbound “spray and pray” attacks
Security researchers with Horizon3’s Attack Team on Friday warned administrators that they have created a proof-of-concept (PoC) exploit for CVE-2022-47966.
“The vulnerability is easy to exploit and is a good candidate for attackers to ‘spray and pray’ on the Internet. This vulnerability allows remote code execution as NT AUTHORITYSYSTEM, essentially giving an attacker complete control over the system,” said Horizon3 vulnerability researcher. James Horseman said:
“If a user finds that they have been compromised, further investigation is required to determine the damage done by the attacker. Once an attacker has SYSTEM-level access to an endpoint, attackers will likely begin leaking credentials via LSASS or use existing public tools to gain access. saved app credentials to perform side swipes.”
Although they have yet to release technical details and only common indicators of compromise (IOCs) that defenders can use to determine if their systems are compromised, Horizon3 plans to release their PoC exploit later this week.
Horizon3 researchers also shared the following screenshot showing their exploit against a vulnerable ManageEngine ServiceDesk Plus instance.
10% of all exposed cases are vulnerable to attack
In an investigation of just two of ManageEngine’s vulnerable products, ServiceDesk Plus and Endpoint Central, Horseman found thousands of unpatched servers brought online by Shodan.
Hundreds of them also had SAML enabled, with about 10% of all exposed ManageEngine products vulnerable to the CVE-2022-47966 attack.
Although there are no public reports of attacks exploiting this vulnerability by cybersecurity firm GreyNoise, and no attempts to exploit it in the wild, motivated attackers will likely move quickly to create their own RCE exploits once Horizon3 publishes their PoC code, even if they release a minimal version;
Horizon3 previously released exploit code:
- CVE-2022-28219, a critical vulnerability in Zoho ManageEngine ADAudit Plus that could allow attackers to compromise Active Directory accounts.
- CVE-2022-1388, a critical bug that allows remote code execution on F5 BIG-IP network devices,
- and CVE-2022-22972, a critical authentication bypass vulnerability in multiple VMware products that allows threat actors to gain administrator privileges.
Zoho ManageEngine servers have come under constant attack in recent years, with nation-state hackers using tactics and tools similar to those of the China-linked APT27 hacking group, which targeted them between August and October 2021.
Desktop Central instances were also hacked in July 2020, with threat actors selling access to compromised organizations’ networks via hacking forums.
Following this and other large-scale raids, the FBI and CISA issued a joint advisory [1, 2] warning about state-sponsored attackers exploiting ManageEngine bugs to backdoor critical infrastructure organizations.
