Hard News Hard Hitting News Source Global Political News

Researchers to release PoC exploit for critical Zoho RCE bug, patch now

Proof-of-concept exploit code will be released later this week for a critical vulnerability allowing remote code execution (RCE) without authentication in several VMware products.

Tracked as CVE-2022-47966, this pre-auth RCE security flaw is due to using an outdated and vulnerable third-party dependency, Apache Santuario.

Successful exploitation enables unauthenticated threat actors to execute arbitrary code on ManageEngine servers if SAML-based single sign-on (SSO) is enabled, or was enabled at least once before the attack.

The list of vulnerable software includes almost all ManageEngine products. Fortunately, Zoho has already patched them in waves starting on October 27, 2022, by updating the third-party module to a more recent version.

Incoming “spray and pray” attacks

On Friday, security researchers with Horizon3’s Attack Team warned admins that they created a proof-of-concept (PoC) exploit for CVE-2022-47966.

“The vulnerability is easy to exploit and a good candidate for attackers to ‘spray and pray’ across the Internet. This vulnerability allows for remote code execution as NT AUTHORITY\SYSTEM, essentially giving an attacker complete control over the system,” Horizon3 vulnerability researcher James Horseman said.

“If a user determines they have been compromised, additional investigation is required to determine any damage an attacker has done. Once an attacker has SYSTEM level access to the endpoint, attackers are likely to begin dumping credentials via LSASS or leverage existing public tooling to access stored application credentials to conduct lateral movement.”
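The post-exploitation step Horseman describes, credential dumping via LSASS, leaves a well-known footprint on Windows hosts: another process opens a handle to lsass.exe with memory-read rights. The following is an added example written for this page, not code from the article or from Horizon3, showing how a defender could triage Sysmon Event ID 10 (ProcessAccess) records for that pattern. The access-right bit values are the documented Win32 process access mask constants; the event records are constructed for the example, and the source-image allowlist is a hypothetical stand-in for an environment-specific list of EDR, AV and backup agents that legitimately touch LSASS.

```python
import re
from typing import Dict, List

# Win32 process access-mask bits (documented constants). A handle to lsass.exe
# carrying any of these rights is what credential-dumping tooling needs; a plain
# PROCESS_QUERY_LIMITED_INFORMATION (0x1000) handle is routine and not flagged.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_CREATE_PROCESS = 0x0080
SUSPICIOUS_MASK = (PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE
                   | PROCESS_DUP_HANDLE | PROCESS_CREATE_PROCESS)

# Hypothetical allowlist (assumption): system processes that legitimately open
# LSASS. A real deployment would add its EDR/AV/backup agent binaries here.
SOURCE_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed Sysmon Event ID 10 records flattened to key=value lines
# (sample data for this example; paths contain no spaces by construction).
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Users\\Public\\tool.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Windows\\Temp\\x.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
    "EventID=10 SourceImage=C:\\Windows\\Temp\\y.exe TargetImage=C:\\Windows\\System32\\svchost.exe GrantedAccess=0x1FFFFF",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value event line into a dict of fields."""
    return dict(FIELD_RE.findall(line))


def is_lsass_access(ev: Dict[str, str]) -> bool:
    """True for ProcessAccess events whose target process is lsass.exe."""
    return ev.get("EventID") == "10" and ev.get("TargetImage", "").lower().endswith("\\lsass.exe")


def suspicious_access(ev: Dict[str, str]) -> bool:
    """True if the granted access mask includes any memory/handle rights a dumper needs."""
    try:
        granted = int(ev.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False
    return bool(granted & SUSPICIOUS_MASK)


def detect_lsass_access(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per non-allowlisted process that opened LSASS with suspicious rights."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not is_lsass_access(ev):
            continue
        if ev.get("SourceImage", "").lower() in SOURCE_ALLOWLIST:
            continue
        if not suspicious_access(ev):
            continue
        findings.append({"source": ev["SourceImage"], "granted": ev["GrantedAccess"]})
    return findings


if __name__ == "__main__":
    for hit in detect_lsass_access(SAMPLE_EVENTS):
        print(f"LSASS access from {hit['source']} with GrantedAccess={hit['granted']}")
```

On the constructed sample, the routine svchost.exe handle (0x1000) and the allowlisted csrss.exe are ignored, while the two unknown binaries opening LSASS with 0x1FFFFF and 0x1010 are reported. In a real environment the allowlist, not the mask, is where most tuning happens: security agents legitimately open LSASS with full rights, so the list should be built from observed baseline data rather than guessed.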

Although they’re yet to release technical details and only shared indicators of compromise (IOCs) that defenders can use to determine if their systems have been compromised, Horizon3 plans to release their PoC exploit later this week.

The Horizon3 researchers have also shared the following screenshot showing their exploit in action against a vulnerable ManageEngine ServiceDesk Plus instance.

[Screenshot: CVE-2022-47966 PoC exploit (Horizon3)]

10% of all exposed instances vulnerable to attacks

While looking into just two of the vulnerable ManageEngine products, ServiceDesk Plus and Endpoint Central, Horseman found thousands of unpatched servers exposed online via Shodan.

Out of them, hundreds also had SAML enabled, with an estimated 10% of all exposed ManageEngine products vulnerable to CVE-2022-47966 attacks.

Even though there are no public reports of attacks leveraging this vulnerability, and cybersecurity firm GreyNoise has observed no attempts to exploit it in the wild, motivated attackers will likely move quickly to create their own RCE exploits once Horizon3 publishes its PoC code, even if the released version is minimal.

Horizon3 previously released exploit code for:

  • CVE-2022-28219, a critical vulnerability in Zoho ManageEngine ADAudit Plus that can let attackers compromise Active Directory accounts,
  • CVE-2022-1388, a critical bug that enables remote code execution in F5 BIG-IP networking devices,
  • and CVE-2022-22972, a critical authentication bypass vulnerability in multiple VMware products that lets threat actors gain admin privileges.

Zoho ManageEngine servers have been under constant attack in recent years, with nation-state hackers using tactics and tooling similar to those of the Chinese-linked APT27 hacking group targeting them between August and October 2021.

Desktop Central instances were also hacked in July 2020, with the threat actors selling access to breached organizations’ networks on hacking forums.

After this and other extensive attack campaigns, the FBI and CISA issued joint advisories warning of state-sponsored attackers exploiting ManageEngine bugs to backdoor critical infrastructure organizations.


Source: https://www.bleepingcomputer.com/news/security/researchers-to-release-poc-exploit-for-critical-zoho-rce-bug-patch-now/
