In an age where organizations have established a direct dependence on software to run critical business operations, it’s fundamental that they are evaluating their software development lifecycles and that of their extended environment — third-party partners — against the same standards. Concerns around vulnerability management are gaining more government attention around the world in order to acknowledge and emphasize vulnerability detection capabilities across the supply chains. In fact, the National Institute of Standards and Technology (NIST) issued guidance concerning the minimum standards that vendors or developers should meet to verify enterprise software. The standards are meant to encourage a common framework across government and industry regarding how organizations manage critical software and protect data privacy, integrity and confidentiality.
As a hacker for X-Force Red, one of my main priorities is identifying software vulnerabilities that, if exploited, can lead to large-scale business compromise and data exposure. So, when I recently discovered a zero day vulnerability — a flaw that up until that moment no one knew existed — it was an exciting occasion, and enabled our team to help reduce the risk of exploitation. The feat occurred during a penetration testing engagement for an X-Force Red client that used the ManageEngine ServiceDesk.
The ManageEngine ServiceDesk is a help desk management platform that includes core help desk and IT management applications, in addition to project management, contract management and features for ITIL (information technology infrastructure library) compliance. The platform is widely deployed and, according to the ManageEngine website, is used by some of the largest companies in the world. The platform’s broad reach is a result of the increasing demand for IT service support management that can improve business process agility and outcomes. In the last two years alone, IT help desks have seen a significant spike in activity due to the expanding remote workforce and a hasty digital transformation that the COVID-19 pandemic forced upon businesses. In fact, a 2021 DeepCoding survey found that the number of monthly tickets submitted to IT service management teams increased 35% from pre-pandemic levels.
Services and applications of this nature sit at a critical point of hundreds of thousands of businesses’ supply chains — they hold sensitive personally identifiable information (PII) information, which makes them a top target for attackers. In the case of ManageEngine’s Service Desk, gaining access to information of this nature could provide attackers with significant ammo for future enterprise targets, providing insight into customers’ IT environments, network structures and security settings. Testing for and managing vulnerabilities within these platforms must be a top priority for businesses across sectors.
A Zero Day Vulnerability Exploitable Remotely Without Authentication
In May 2021, X-Force Red was hired to perform a penetration test against the ManageEngine ServiceDesk application for one of our customers. Our objective was to discover if the application had vulnerabilities that could be exploited by a remote attacker to affect either the confidentiality, integrity or availability of the data stored in the application. The ManageEngine ServiceDesk application was deployed in the client’s environment with its management interface accessible through the internet. The deployment required us to spend more time focusing on the parts of the application that are accessible without authentication and the authentication and authorization modules the application uses to protect the authenticated part of the application.
To gain in-depth visibility of the application, X-Force Red deployed a replica of the client’s application and environment in one of our global X-Force Red Labs, which provide our testing team a secure space to test applications, hardware and devices. We were able to inspect the authentication and authorization modules and discovered a logic vulnerability that could be exploited to give an unauthenticated attacker access to a subset of the application REST-APIs.
The REST APIs are responsible for retrieving detailed ticket information that exists on the application. The information includes the ticket description, the ticket creator’s user information and the ticket status history. By exploiting the logic vulnerability, an attacker could access sensitive data through the internet, including missing patches, information about an organization’s internal network structure and other security weaknesses.
Businesses Should Prioritize Patching and Assess for Compromise
With this type of data at hand, attackers would have insight into various potential attack vectors that they could use to execute attacks on ManageEngine’s customers. Mass exploitation of this vulnerability could lead to the type of widespread impact we’ve grown accustomed to seeing from supply chain attacks, due to the widespread use of this product and the nature of the vulnerability (it can be exploited remotely without authentication).
Establishing a common framework for software verification and vulnerability management will be critical to strengthening software supply chains and enhancing enterprises’ cybersecurity baseline. The government and industry together need to act together in encouraging this.
Some essential best practices organizations should apply include:
- Patch Now — X-Force Red reported our finding to ManageEngine, which subsequently released a newly patched version 11302 in July 2021 and assigned the vulnerability the CVE-2021-37415. If you have ManageEngine ServiceDesk deployed in your environment with a version prior to 11302, you are at risk of an attacker accessing your service disk tickets’ details. We recommend updating your ManageEngine ServiceDesk application to at least 11302 to mitigate this vulnerability.
- Put in Place a Patch Management Policy — To avoid these types of vulnerabilities from surfacing in your environment, we recommend organizations instate a patch management policy to ensure regular installation of the latest software patches.
- Hire a Hacker — Businesses using ManageEngine’s HelpDesk application should assess their environment for potential suspicious activity and ensure they have not been compromised by CVE-2021-37415. By hiring a hacker or adopting a continuous penetration testing program, businesses can promptly discover and remediate vulnerabilities, reducing potential risks to their environments.
Learn more about X-Force Red’s penetration testing services here.
Penetration Testing Consultant, X-Force Red, IBM