High-impact bug could allow unauthenticated attacker to execute arbitrary code

Laptop in an office

Zoho Corporation has issued a security update for ManageEngine Desktop Central following the disclosure of a critical remote code execution (RCE) vulnerability in the endpoint management solution.

In a post addressing the flaw, the company has urged system administrators to update to the latest build – 10.0.479 – which it released over the weekend (March 7).

The RCE bug (CVE-2020-10189), which has a ‘critical’ CVSS score of 9.8, could give remote, unauthenticated attackers the ability to execute arbitrary code on affected ManageEngine installations.

“The specific flaw exists within the FileStorage class,” according to an advisory on Source Incite, whose owner, security researcher Steven Seeley, discovered the bug.

“The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code under the context of SYSTEM.”

ManageEngine has emphasized that the flaw will not impact Secure Gateway Server.

What is ManageEngine Desktop Central?

ManageEngine Desktop Central helps organizations – including managed service providers (MSPs) ¬– to centrally manage and implement software updates on servers, laptops, smartphones, and tablets.

ManageEngine, a brand owned by Indian software giant Zoho Corporation, has claimed that Desktop Central is used by more than 12,000 organizations.

Steven Seeley publicly disclosed the security bug, along with a proof of concept, on March 5. The vulnerability was apparently discovered on December 12.

Sharing his discovery on Twitter, Seeley said: “Since [Zoho] typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone.”

Zoho CEO Sridhar Vembu tweeted back: “I assure you we take every security report seriously. Our security team reports to me directly and has a top priority.”

Several infosec professionals weighed in to defend Seeley's comments, although CERT/CC vulnerability analyst Will Dormann said CERT/CC had found Zoho to be “quite responsive” and would have willingly overseen a “coordinated disclosure”.

ManageEngine has also provided steps for manually fixing the flaw for anyone who encounters problems when applying the latest update.

It also said it previously issued a short-term fix in build 10.0.474 on January 20.

"Security advisories were sent by email to all users and sysadmins,” Mathivanan Venkatachalam, vice president of ManageEngine, told The Daily Swig.

“We also posted information about the bug on our various technical forums and educated customers on upgrading to the latest version. This apart, we ensured there were in-product notifications alerting users if they are due to upgrade to the latest version."

RELATED Cisco fixes Webex video conferencing RCE vulnerability