In an age where organizations have established a direct dependence on software to run critical business operations, it’s fundamental that they evaluate their own software development lifecycles, and those of their extended environment (third-party partners), against the same standards. Vulnerability management is gaining more government attention around the world, with an emphasis on vulnerability detection capabilities across supply chains. In fact, the National Institute of Standards and Technology (NIST) issued guidance concerning the minimum standards that vendors or developers should meet to verify enterprise software. The standards are meant to encourage a common framework across government and industry for how organizations manage critical software and protect data privacy, integrity and confidentiality.

As a hacker for X-Force Red, one of my main priorities is identifying software vulnerabilities that, if exploited, can lead to large-scale business compromise and data exposure. So, when I recently discovered a zero-day vulnerability (a flaw that, up until that moment, no one knew existed) it was an exciting occasion, and enabled our team to help reduce the risk of exploitation. The feat occurred during a penetration testing engagement for an X-Force Red client that used the ManageEngine ServiceDesk.

The ManageEngine ServiceDesk is a help desk management platform that includes core help desk and IT management applications, in addition to project management, contract management and features for ITIL (information technology infrastructure library) compliance. The platform is widely deployed and, according to the ManageEngine website, is used by some of the largest companies in the world. The platform’s broad reach is a result of the increasing demand for IT service support management that can improve business process agility and outcomes. In the last two years alone, IT help desks have seen a significant spike in activity due to the expanding remote workforce and a hasty digital transformation that the COVID-19 pandemic forced upon businesses. In fact, a 2021 DeepCoding survey found that the number of monthly tickets submitted to IT service management teams increased 35% from pre-pandemic levels.

Services and applications of this nature sit at a critical point in hundreds of thousands of businesses’ supply chains: they hold sensitive personally identifiable information (PII), which makes them a top target for attackers. In the case of ManageEngine’s ServiceDesk, gaining access to information of this nature could provide attackers with significant ammo for future enterprise targets, providing insight into customers’ IT environments, network structures and security settings. Testing for and managing vulnerabilities within these platforms must be a top priority for businesses across sectors.

A Zero Day Vulnerability Exploitable Remotely Without Authentication

In May 2021, X-Force Red was hired to perform a penetration test against the ManageEngine ServiceDesk application for one of our customers. Our objective was to discover whether the application had vulnerabilities that a remote attacker could exploit to affect the confidentiality, integrity or availability of the data stored in the application. The ManageEngine ServiceDesk application was deployed in the client’s environment with its management interface accessible from the internet. That deployment led us to spend more time on the parts of the application that are accessible without authentication, and on the authentication and authorization modules the application uses to protect the authenticated part of the application.

To gain in-depth visibility into the application, X-Force Red deployed a replica of the client’s application and environment in one of our global X-Force Red Labs, which provide our testing team a secure space to test applications, hardware and devices. We were able to inspect the authentication and authorization modules and discovered a logic vulnerability that could be exploited to give an unauthenticated attacker access to a subset of the application’s REST APIs.

The REST APIs are responsible for retrieving detailed ticket information that exists on the application. The information includes the ticket description, the ticket creator’s user information and the ticket status history. By exploiting the logic vulnerability, an attacker could access sensitive data through the internet, including missing patches, information about an organization’s internal network structure and other security weaknesses.

Businesses Should Prioritize Patching and Assess for Compromise

With this type of data at hand, attackers would have insight into various potential attack vectors that they could use to execute attacks on ManageEngine’s customers. Mass exploitation of this vulnerability could lead to the type of widespread impact we’ve grown accustomed to seeing from supply chain attacks, due to the widespread use of this product and the nature of the vulnerability (it can be exploited remotely without authentication).

Establishing a common framework for software verification and vulnerability management will be critical to strengthening software supply chains and raising enterprises’ cybersecurity baseline. Government and industry need to act together to encourage this.

Some essential best practices organizations should apply include:

  • Patch Now — X-Force Red reported our finding to ManageEngine, which subsequently released a patched version, 11302, in July 2021, and the vulnerability was assigned CVE-2021-37415. If you have ManageEngine ServiceDesk deployed in your environment with a version prior to 11302, you are at risk of an attacker accessing your service desk tickets’ details. We recommend updating your ManageEngine ServiceDesk application to at least 11302 to mitigate this vulnerability.
  • Put in Place a Patch Management Policy — To prevent these types of vulnerabilities from surfacing in your environment, we recommend organizations instate a patch management policy to ensure regular installation of the latest software patches.
  • Hire a Hacker — Businesses using ManageEngine’s ServiceDesk application should assess their environment for potential suspicious activity and ensure they have not been compromised via CVE-2021-37415. By hiring a hacker or adopting a continuous penetration testing program, businesses can promptly discover and remediate vulnerabilities, reducing potential risks to their environments.
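The first and third recommendations above (confirm you are on build 11302 or later, and look for signs that ticket details were pulled without a login) can be turned into a small triage script. The following is an added example written for this page; it is not code from X-Force Red or ManageEngine. It assumes an inventory of ServiceDesk hosts with their build numbers, and access logs in combined log format extended with a trailing request-cookie field. The article does not name the affected REST endpoints, so the `TICKET_API_PREFIX` value is a placeholder that has to be replaced with the real ticket API path in your deployment; the inventory and log lines are constructed for the demonstration.

```python
"""
Defender-side triage helper for CVE-2021-37415 (ManageEngine ServiceDesk).

Added example, not code from IBM X-Force Red or ManageEngine. Assumptions:
  * inventory entries are (hostname, build number) pairs,
  * access logs are combined log format plus a trailing quoted Cookie field,
  * TICKET_API_PREFIX is a PLACEHOLDER; the article gives no endpoint names.
All sample data below is constructed.
"""
import re
from collections import Counter

FIXED_BUILD = 11302                              # first patched build (July 2021)
TICKET_API_PREFIX = "/PLACEHOLDER/ticket-api/"   # hypothetical path prefix, adapt it

# Constructed inventory: hostname and the build the instance reports.
INVENTORY = [
    ("sdp-prod.example.internal", 11205),
    ("sdp-dr.example.internal", 11302),
    ("sdp-lab.example.internal", 11310),
]

# Constructed log lines. External source 203.0.113.7 reads tickets with no
# session cookie; internal user 10.0.5.21 reads a ticket with a session.
ACCESS_LOG = """\
203.0.113.7 - - [12/Aug/2021:09:14:02 +0000] "GET /PLACEHOLDER/ticket-api/123 HTTP/1.1" 200 5120 "-" "curl/7.68.0" "-"
10.0.5.21 - - [12/Aug/2021:09:15:40 +0000] "GET /PLACEHOLDER/ticket-api/123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "SDPSESSIONID=abc123"
203.0.113.7 - - [12/Aug/2021:09:16:03 +0000] "GET /PLACEHOLDER/ticket-api/124 HTTP/1.1" 200 4872 "-" "curl/7.68.0" "-"
10.0.5.21 - - [12/Aug/2021:09:17:11 +0000] "GET /home.do HTTP/1.1" 200 800 "-" "Mozilla/5.0" "SDPSESSIONID=abc123"
203.0.113.7 - - [12/Aug/2021:09:18:25 +0000] "GET /PLACEHOLDER/ticket-api/125 HTTP/1.1" 401 0 "-" "curl/7.68.0" "-"
"""

# ip, ident, user, [timestamp], "METHOD path proto", status, size, "referer", "ua", "cookie"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def vulnerable_hosts(inventory, fixed_build=FIXED_BUILD):
    """Hostnames still running a build older than the first patched build."""
    return [host for host, build in inventory if build < fixed_build]


def suspicious_ticket_reads(log_text, api_prefix=TICKET_API_PREFIX):
    """Successful ticket-API reads that carried no session cookie at all.

    Denied requests (non-200) are left out: they show probing, not data loss.
    Returns a list of (source_ip, path) tuples in log order.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue                          # skip lines in another format
        if not m["path"].startswith(api_prefix):
            continue                          # not a ticket API call
        if m["cookie"] != "-":
            continue                          # a session was presented
        if m["status"] != "200":
            continue                          # nothing was returned
        hits.append((m["ip"], m["path"]))
    return hits


def enumeration_sources(hits, threshold=2):
    """Sources that read at least `threshold` distinct tickets anonymously.

    A single anonymous read may be a misconfigured integration; many distinct
    tickets from one source looks like bulk collection of ticket details.
    """
    distinct = Counter()
    for ip, path in set(hits):
        distinct[ip] += 1
    return {ip: n for ip, n in distinct.items() if n >= threshold}


def triage_report(inventory=INVENTORY, log_text=ACCESS_LOG):
    """Combine the patch-level check and the log review into one summary."""
    hits = suspicious_ticket_reads(log_text)
    return {
        "unpatched_hosts": vulnerable_hosts(inventory),
        "anonymous_ticket_reads": hits,
        "likely_enumeration": enumeration_sources(hits),
    }


if __name__ == "__main__":
    for key, value in triage_report().items():
        print(f"{key}: {value}")
```

Run against real data, the inventory would come from your CMDB or the build number shown in each ServiceDesk instance, and the log text from the web server in front of the application; hosts listed under `unpatched_hosts` should be updated to 11302 or later, and any source listed under `likely_enumeration` deserves an incident review of which tickets it retrieved.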

Learn more about X-Force Red’s penetration testing services here.
