A critical Zoho ManageEngine remote code execution (RCE) flaw is being actively exploited, according to the US Cybersecurity and Infrastructure Security Agency (CISA). This vulnerability allows remote attackers to execute arbitrary code on affected installations of Password Manager Pro, PAM360 and Access Manager Plus without authentication. Barracuda MSP recommends updating Password Manager Pro, PAM360 and Access Manager Plus immediately to patch this vulnerability.
What is the threat?
Remote code execution is a class of attack in which an attacker injects and executes code on a targeted machine or system over a local or wide area network. A successful code execution allows the attacker to gain access to web applications/servers and to compromise and destroy data, install ransomware, or completely take over an entire enterprise network. Multiple Zoho ManageEngine products are impacted, including Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus.
Why is it noteworthy?
A proof-of-concept exploit exists for this vulnerability, and customers are strongly advised to upgrade their instances of the affected Zoho ManageEngine products. The vulnerability allows attackers to easily take over a network to which they have initial access, exfiltrate sensitive business data, and disrupt business operations. “We’ve seen real-world environments where just exploiting this vulnerability alone is enough to take over the enterprise. This vulnerability is not one to hold off patching” (Sunkavally).
What is the exposure or risk?
Any customers using Zoho ManageEngine products including Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus are at risk from this RCE vulnerability. An attacker with initial access to a compromised network can easily extract high-privileged credentials, move laterally, and take over the entire network. Zoho has fixed the RCE vulnerability, and customers must upgrade these products to apply the patch.
What are the recommendations?
Barracuda MSP recommends the following actions to address this vulnerability:
- Use ADAudit Plus to upgrade to build 7060 or later and ensure ADAudit Plus is configured with a dedicated service account with restricted privileges.
- Download the latest upgrade pack from the following links for the respective product:
  - PAM360 – https://www.manageengine.com/privileged-access-management/upgradepack.html
  - Password Manager Pro – https://www.manageengine.com/products/passwordmanagerpro/upgradepack.html
  - Access Manager Plus – https://www.manageengine.com/privileged-session-management/upgradepack.html
- Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.darkreading.com/attacks-breaches/cisa-zoho-manageengine-rce-bug-under-active-exploit
- https://www.cisa.gov/uscert/ncas/current-activity/2022/09/23/cisa-has-added-one-known-exploited-vulnerability-catalog
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.darkreading.com/vulnerabilities-threats/manageengine-adaudit-plus-vulnerability-network-takeover-data-exfiltration
- https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html
If you have any questions, please contact our Security Operations Center.