CVE-2022-35405: Critical ManageEngine RCE

Published in InfoSec Write-ups (Secpy Community), Oct 1, 2022


Written by: anshul vyas


Introduction

Federal Civilian Executive Branch (FCEB) agencies have been instructed by the Cybersecurity and Infrastructure Security Agency (CISA) to fix a vulnerability affecting Zoho ManageEngine products by mid-October 2022. The issue is a critical Java deserialization flaw indexed as CVE-2022-35405, which CISA added to its catalog on September 22, 2022, citing evidence of exploitation in the wild. The flaw affects the Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus solutions and was disclosed in the summer of 2022.

According to GreyNoise, no exploitation attempts have been observed in the wild, and details of the in-the-wild exploitation cited by CISA are not publicly available.

Detection

By leveraging the newly released detection content, enriched with relevant contextual information and available through threat detection search engines, organizations can defend against attacks that exploit the critical ManageEngine RCE flaw.

Cyberattacks are expected to surpass previous records in 2022. Given the current avalanche of critical vulnerabilities affecting popular software products, an effective detection method is essential for catching the continuously emerging exploitation attempts. Enhanced cyber defense requires curated detection content and up-to-date detection capabilities to keep attackers at bay.

Description

Password Manager Pro, PAM360 and Access Manager Plus installations with prior authentication are vulnerable to CVE-2022-35405, which can lead to arbitrary code execution. Password Manager Pro versions 12100 and lower, PAM360 versions 5500 and lower, and Access Manager Plus versions 4302 and lower are affected. Under the CVSS rating system, CVE-2022-35405 has a severity score of 9.8 out of 10; Zoho patched it on June 24, 2022 as part of updated software. On that date, the India-based enterprise solutions company reported that it had addressed the issue by removing the vulnerable components that could be used for remote code execution.

In addition, Zoho has warned that a proof-of-concept (PoC) exploit is available for the vulnerability, so customers should install the upgrades for PAM360, Access Manager Plus and Password Manager Pro as soon as possible.
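The affected build numbers above are the practical input for a defender's triage. The following script is an added example (not part of the original write-up or of Zoho's own tooling): it classifies a constructed asset inventory against the thresholds stated in this section, flagging hosts still on an affected build, hosts whose recorded build is unusable, and products this advisory does not cover. Host names, product labels other than the three named above, and build values are hypothetical sample data.

```python
"""Triage a ManageEngine inventory against the CVE-2022-35405 affected builds.

Affected builds, as stated in the write-up above:
  Password Manager Pro <= 12100, PAM360 <= 5500, Access Manager Plus <= 4302.
All hosts and inventory values below are constructed sample data.
"""
from dataclasses import dataclass

# Highest affected build per product (from the advisory summary on this page).
LAST_AFFECTED_BUILD = {
    "Password Manager Pro": 12100,
    "PAM360": 5500,
    "Access Manager Plus": 4302,
}


@dataclass
class Asset:
    host: str
    product: str
    build: str  # build as recorded in the inventory; may be malformed


def parse_build(raw: str):
    """Return the integer build number, or None if the inventory value is unusable."""
    value = raw.strip()
    return int(value) if value.isdigit() else None


def triage(asset: Asset) -> str:
    """Classify one asset as vulnerable, patched, unknown-build or not-tracked."""
    threshold = LAST_AFFECTED_BUILD.get(asset.product)
    if threshold is None:
        return "not-tracked"          # product not covered by this advisory
    build = parse_build(asset.build)
    if build is None:
        return "unknown-build"        # cannot prove it is patched; follow up manually
    return "vulnerable" if build <= threshold else "patched"


def triage_inventory(assets):
    """Group host names by triage result; vulnerable and unknown hosts need follow-up."""
    report = {"vulnerable": [], "patched": [], "unknown-build": [], "not-tracked": []}
    for asset in assets:
        report[triage(asset)].append(asset.host)
    return report


# Constructed sample inventory (hypothetical hosts, builds and one untracked product).
SAMPLE_INVENTORY = [
    Asset("pmp-01.example.internal", "Password Manager Pro", "12100"),
    Asset("pmp-02.example.internal", "Password Manager Pro", "12101"),
    Asset("pam-01.example.internal", "PAM360", "5400"),
    Asset("amp-01.example.internal", "Access Manager Plus", "4303"),
    Asset("amp-02.example.internal", "Access Manager Plus", "n/a"),
    Asset("misc-01.example.internal", "Other ManageEngine product", "1000"),
]

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

A build exactly at the threshold (12100, 5500, 4302) is reported as vulnerable, matching the "and lower" wording of the advisory, and an unparseable build is deliberately not treated as patched, since the safe default when evidence is missing is to follow up rather than to assume the upgrade was applied.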

Prevention

Depending on the targeted application, exploiting this vulnerability requires neither authentication nor user interaction. Under Binding Operational Directive (BOD) 22-01, all US civilian executive branch agencies must remediate vulnerabilities in the KEV catalog within the specified timeframes.

To reduce the risk of compromise by known threat actors, CISA strongly recommends reviewing and monitoring the KEV catalog and prioritizing remediation of the vulnerabilities listed there. Vulnerabilities in ManageEngine applications are frequently exploited by attackers, so enterprise administrators should update their applications if they have not already done so.

Customers who suspect a compromise are advised to disconnect and isolate the affected machine as soon as possible and to send a zip file of the application logs to ManageEngine's support group.

Conclusion

CISA has added one more security vulnerability, CVE-2022-35405, to its Known Exploited Vulnerabilities (KEV) catalog because it is being actively exploited. A successful exploit can allow adversaries to execute arbitrary code on compromised devices. If your organization is affected, there is no time to delay fixing this flaw; it is better late than never. Patches for this flaw have been available since June.
