Heads up, Zoho customers! A zero-day vulnerability in Zoho's ManageEngine Desktop Central poses a serious security threat. The disgruntled researcher dropped the bug publicly on Twitter, and a patch isn't available yet.
Zoho Zero-Day Disclosed On Twitter
Security researcher Steven Seeley has reportedly dropped a Zoho zero-day vulnerability on Twitter. The bug exists in Zoho's ManageEngine Desktop Central, and exploiting it allows a remote attacker to execute arbitrary code.
The researcher disclosed the bug publicly because, in their account, Zoho did not heed their bug reports.
Since @zoho typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone. UnCVE'ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy!
Advisory: https://t.co/U9LZPp4l5o
Exploit: https://t.co/LtR75bhooy
— ϻг_ϻε (@steventseeley) March 5, 2020
In a separate advisory, the researcher elaborated that exploiting the flaw requires no authentication. On how the flaw affects the system, the advisory reads:
The specific flaw exists within the FileStorage class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code under the context of SYSTEM.
The advisory rates the vulnerability as critical, with a CVSS score of 9.8. The researcher also shared a PoC exploit for the flaw.
The vulnerability has since received a CVE ID, CVE-2020-10189.
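The root cause the advisory describes, deserializing caller-controlled bytes without validation, is illustrated below in Java, assuming the standard Java serialization model (ManageEngine Desktop Central is a Java application; the class names StoredFile, SomethingElse and DeserializationHardening are hypothetical). This is an added example, not Zoho's code: the unsafe read is shown beside a hardened form that applies an ObjectInputFilter allowlist, so only the expected type is reconstructed and any other class is rejected before it is instantiated.

```java
import java.io.*;
// Hypothetical stand-in for a stored-file record; not Zoho's FileStorage class.
final class StoredFile implements Serializable {
    private static final long serialVersionUID = 1L;
    final String name;
    StoredFile(String name) { this.name = name; }
}

// Stand-in for any other class a caller might choose to put in the stream.
final class SomethingElse implements Serializable {
    private static final long serialVersionUID = 1L;
}
public class DeserializationHardening {
    // UNSAFE PATTERN: reconstructs whatever object graph the caller sent; each
    // class in the stream runs its deserialization logic before we see the result.
    static Object readUntrusted(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }
    // HARDENED: an ObjectInputFilter allowlist (JEP 290, Java 9+) accepts only the
    // expected record type (plus String for its field), bounds depth and size, and
    // rejects every other class with InvalidClassException before instantiating it.
    static StoredFile readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "StoredFile;java.lang.String;maxdepth=3;maxbytes=4096;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(allowlist);
            return (StoredFile) in.readObject();
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("accepted: " + readFiltered(serialize(new StoredFile("report.pdf"))).name);
        try {
            readFiltered(serialize(new SomethingElse()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a real service the filter would also be set process-wide via the jdk.serialFilter property as a fallback, and the unfiltered readUntrusted path would be removed entirely.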
Patch Rolling Out Soon
Since the researcher disclosed the vulnerability publicly instead of following a responsible disclosure process, no patch is currently available, and the bug poses a threat to all users for the time being.
Nonetheless, Zoho's Twitter team has promised a patch shortly.
We have identified the issue and are working on a patch with top priority. We will update once it is done. ^BG
— Zoho (@zoho) March 6, 2020
The ManageEngine Desktop Central team has also officially acknowledged the bug in an advisory, confirming that the flaw affects Desktop Central build 10.0.473 and earlier. While they work on the patch, they have advised mitigation steps for users.
Until a fix arrives, users should apply the vendor's interim mitigations and stay vigilant, given the risk that the publicly disclosed exploit will be abused.
Let us know your thoughts in the comments.