External risk intelligence

Zoho ManageEngine ADSelfService Plus Command Execution Vulnerability.

CVE advisory | Known Exploit

CVE-2022-28810

A vulnerability exists in Zoho ManageEngine ADSelfService Plus that allows authenticated administrators to execute arbitrary operating system commands with SYSTEM privileges. This impacts organizations using affected versions of the software. Attackers can exploit this by leveraging default administrator passwords or b

Halo Surface Signal: 4

OS Command Injection

Zohocorp Manageengine Adselfservice Plus

before 6.16.1

External exposure likelihood

Halo Surface Signal score for CVE-2022-28810

Zoho ManageEngine ADSelfService Plus is a self-service identity and password management portal designed to be accessible to end-users across an organization. These portals are commonly deployed as web-based, internet-facing services to facilitate remote password resets and account management, placing the application surface within reach of external networks.

Horizon Alert

Summary of the vulnerability and why it matters

The Zoho ManageEngine ADSelfService Plus application has a vulnerability that allows for command execution. This flaw is related to how the application handles custom scripts within its policy settings. If exploited, an attacker could potentially execute operating system commands with elevated privileges.

  • Vulnerable component: Policy custom script feature
  • Core weakness: Unsanitized input allows command injection
  • Main business impact: Unauthorized command execution

Attack Path

How an attacker could exploit the issue

Zoho ManageEngine ADSelfService Plus can allow attackers to execute system commands. The flaw is reachable once an administrator has configured the custom script feature within the product's policy settings. Attackers can then exploit it by injecting commands into the password field, which the system passes to the script and executes.

  • Requires administrator access and network exposure.
  • Attacker inputs commands into the password field.
  • System executes commands, leading to unauthorized control.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Zoho ManageEngine ADSelfService Plus presents a significant risk to organizations. Exploitation could allow attackers to execute arbitrary operating system commands with the highest level of privileges. The ease of exploitation, particularly if default administrator passwords are in use, combined with the potential for complete system compromise, makes this a serious concern for affected organizations. Swift action to apply necessary updates is recommended.

  • Attackers with administrator credentials.
  • Exploitable through a web interface.
  • High business risk and urgency.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

To address this vulnerability, the organization should prioritize identifying all instances of the affected software. Following this, steps should be taken to reduce or isolate the potential exposure of these systems. Finally, the vendor-provided fix must be applied, its successful implementation verified, and ongoing monitoring established for any related security events.

  • Find affected ManageEngine ADSelfService Plus assets.
  • Reduce exposure or isolate risk.
  • Apply vendor fix, verify, and monitor.
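The three remediation steps above (find affected assets, reduce exposure, apply and verify the fix) can be driven from an inventory export. The following triage script is an added example, not code from the page or from Zoho; it assumes a constructed CSV layout (host, product, version string, internet-facing flag) and uses the page's fixed build number 6122 to rank hosts, putting internet-facing vulnerable instances first and flagging hosts whose build cannot be determined for manual verification.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# CVE-2022-28810: the page's FAQ states builds prior to 6122 are affected.
FIXED_BUILD = 6122

# Constructed sample inventory (hypothetical CSV layout: host,product,version,internet_facing).
SAMPLE_INVENTORY = """\
adss-prod-01,ManageEngine ADSelfService Plus,6.1 Build 6121,yes
adss-dr-02,ManageEngine ADSelfService Plus,6.1 Build 6122,yes
adss-lab-03,ManageEngine ADSelfService Plus,Build 6118,no
adss-old-04,ManageEngine ADSelfService Plus,unknown,yes
mail-01,Microsoft Exchange,15.2 Build 1118,yes
"""

_BUILD_RE = re.compile(r"build\s*(\d{4,5})", re.IGNORECASE)
_RANK = {"P1-isolate-and-patch": 0, "P2-patch": 1, "verify-build": 2, "patched": 3}


@dataclass
class Finding:
    host: str
    build: Optional[int]
    internet_facing: bool
    priority: str


def parse_build(version: str) -> Optional[int]:
    """Extract the numeric build from a version string such as '6.1 Build 6121'."""
    m = _BUILD_RE.search(version)
    return int(m.group(1)) if m else None


def classify(build: Optional[int], internet_facing: bool) -> str:
    """Map build and exposure to a remediation priority (the page's isolate/fix/verify steps)."""
    if build is None:
        return "verify-build"  # cannot prove it is patched: confirm the build on the host
    if build >= FIXED_BUILD:
        return "patched"
    return "P1-isolate-and-patch" if internet_facing else "P2-patch"


def triage(inventory_csv: str) -> List[Finding]:
    """Return ADSelfService Plus hosts from the inventory, ordered by remediation priority."""
    findings = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, product, version, exposed = (f.strip() for f in line.split(",", 3))
        if "adselfservice" not in product.lower().replace(" ", ""):
            continue  # only this product is in scope for CVE-2022-28810
        build = parse_build(version)
        facing = exposed.lower() == "yes"
        findings.append(Finding(host, build, facing, classify(build, facing)))
    return sorted(findings, key=lambda f: _RANK[f.priority])
```

Run it against a real export to get the ordered worklist; a "verify-build" entry means the inventory could not establish the build and the host must be checked directly before it is marked fixed.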

Frequently asked questions

What is the software context for CVE-2022-28810, impacting Zoho ManageEngine ADSelfService Plus?

CVE-2022-28810 affects Zoho ManageEngine ADSelfService Plus, specifically versions prior to build 6122. This application is designed for self-service identity and password management, often deployed as a web-based service for remote user access. Its function makes it a potential target for attackers seeking to gain unauthorized system control.

How does the policy custom script feature in Zoho ManageEngine ADSelfService Plus enable command execution?

The vulnerability stems from the policy custom script feature within Zoho ManageEngine ADSelfService Plus. It allows a remote authenticated administrator to execute arbitrary OS commands as the SYSTEM user. This is facilitated by the unsanitized password field, which can be manipulated to inject malicious commands. This weakness is classified as CWE-78 (OS Command Injection) and CWE-798 (Use of Hard-coded Credentials, implied by default passwords).

What is the trigger path for command injection in Zoho ManageEngine ADSelfService Plus, and does it involve scope negation?

The trigger path involves a remote and partially authenticated attacker exploiting the password field within the policy custom script feature. By injecting commands into this field, the attacker can cause the system to execute them. Scope negation is not explicitly mentioned in the provided context for this specific vulnerability.

What is the relevance of CVE-2022-28810 according to the Halo Surface Signal?

According to the Halo Surface Signal, CVE-2022-28810 has a score of 4 and is labeled 'Likely' relevant. This is because Zoho ManageEngine ADSelfService Plus is typically deployed as an internet-facing, web-based service accessible to end-users for remote password resets and account management, placing its surface within reach of external networks. This makes it a prime candidate for exploitation.

What practical steps should be taken to address the Zoho ManageEngine ADSelfService Plus vulnerability?

To address this vulnerability, organizations must first identify all instances of the affected Zoho ManageEngine ADSelfService Plus software. Next, steps should be taken to reduce or isolate the potential exposure of these systems. Finally, it is crucial to apply the vendor-provided fix, verify its successful implementation, and establish ongoing monitoring for any related security events.
