In an age where organizations depend directly on software to run critical business operations, it is essential that they evaluate their own software development lifecycles, and those of their extended environment — third-party partners — against the same standards. Vulnerability management is drawing growing government attention around the world, with the aim of recognizing and strengthening vulnerability detection capabilities across supply chains. In fact, the National Institute of Standards and Technology (NIST) issued guidance concerning the minimum standards that vendors or developers should meet to verify enterprise software. The standards are meant to encourage a common framework across government and industry for how organizations manage critical software and protect data privacy, integrity and confidentiality.

As a hacker for X-Force Red, one of my main priorities is identifying software vulnerabilities that, if exploited, can lead to large-scale business compromise and data exposure. So, when I recently discovered a zero-day vulnerability — a flaw that up until that moment no one knew existed — it was an exciting occasion, and enabled our team to help reduce the risk of exploitation. The feat occurred during a penetration testing engagement for an X-Force Red client that used the ManageEngine ServiceDesk.

The ManageEngine ServiceDesk is a help desk management platform that includes core help desk and IT management applications, in addition to project management, contract management and features for ITIL (information technology infrastructure library) compliance. The platform is widely deployed and, according to the ManageEngine website, is used by some of the largest companies in the world. The platform’s broad reach is a result of the increasing demand for IT service support management that can improve business process agility and outcomes. In the last two years alone, IT help desks have seen a significant spike in activity due to the expanding remote workforce and a hasty digital transformation that the COVID-19 pandemic forced upon businesses. In fact, a 2021 DeepCoding survey found that the number of monthly tickets submitted to IT service management teams increased 35% from pre-pandemic levels.

Services and applications of this nature sit at a critical point in hundreds of thousands of businesses’ supply chains — they hold sensitive personally identifiable information (PII), which makes them a top target for attackers. In the case of ManageEngine’s ServiceDesk, gaining access to information of this nature could provide attackers with significant ammunition for future enterprise targets, giving insight into customers’ IT environments, network structures and security settings. Testing for and managing vulnerabilities within these platforms must be a top priority for businesses across sectors.

A Zero Day Vulnerability Exploitable Remotely Without Authentication

In May 2021, X-Force Red was hired to perform a penetration test against the ManageEngine ServiceDesk application for one of our customers. Our objective was to discover if the application had vulnerabilities that could be exploited by a remote attacker to affect either the confidentiality, integrity or availability of the data stored in the application. The ManageEngine ServiceDesk application was deployed in the client’s environment with its management interface accessible through the internet. The deployment required us to spend more time focusing on the parts of the application that are accessible without authentication and the authentication and authorization modules the application uses to protect the authenticated part of the application.

To gain in-depth visibility of the application, X-Force Red deployed a replica of the client’s application and environment in one of our global X-Force Red Labs, which provide our testing team a secure space to test applications, hardware and devices. We were able to inspect the authentication and authorization modules and discovered a logic vulnerability that could be exploited to give an unauthenticated attacker access to a subset of the application’s REST APIs.

The REST APIs are responsible for retrieving detailed ticket information that exists on the application. The information includes the ticket description, the ticket creator’s user information and the ticket status history. By exploiting the logic vulnerability, an attacker could access sensitive data through the internet, including missing patches, information about an organization’s internal network structure and other security weaknesses.

Businesses Should Prioritize Patching and Assess for Compromise

With this type of data at hand, attackers would have insight into various potential attack vectors that they could use to execute attacks on ManageEngine’s customers. Mass exploitation of this vulnerability could lead to the type of widespread impact we’ve grown accustomed to seeing from supply chain attacks, due to the widespread use of this product and the nature of the vulnerability (it can be exploited remotely without authentication).

Establishing a common framework for software verification and vulnerability management will be critical to strengthening software supply chains and enhancing enterprises’ cybersecurity baseline. Government and industry need to act together in encouraging this.

Some essential best practices organizations should apply include: 

  • Patch Now — X-Force Red reported our finding to ManageEngine, which subsequently released a patched version, 11302, in July 2021 and assigned the vulnerability CVE-2021-37415. If you have ManageEngine ServiceDesk deployed in your environment with a version prior to 11302, you are at risk of an attacker accessing your service desk tickets’ details. We recommend updating your ManageEngine ServiceDesk application to at least 11302 to mitigate this vulnerability.
  • Put in Place a Patch Management Policy — To avoid these types of vulnerabilities from surfacing in your environment, we recommend organizations instate a patch management policy to ensure regular installation of the latest software patches.
  • Hire a Hacker — Businesses using ManageEngine’s HelpDesk application should assess their environment for potential suspicious activity and ensure they have not been compromised by CVE-2021-37415. By hiring a hacker or adopting a continuous penetration testing program, businesses can promptly discover and remediate vulnerabilities, reducing potential risks to their environments.
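The first and third recommendations above, as a small added example (not code from the post, from X-Force Red or from ManageEngine): a build-number gate against the fixed version 11302 named in the post, and a triage pass over web server access logs that surfaces successful REST API requests with no authenticated user, which is what the vulnerability described above would look like in such logs. The log format (Apache combined, with the third field carrying the authenticated username or "-"), the `/api/` path prefix and the sample lines are all assumptions constructed for the example; the post does not name the affected endpoints, and a real deployment's logging may differ.

```python
import re
from dataclasses import dataclass, field

# Build that ships the fix for CVE-2021-37415, as stated in the post.
PATCHED_BUILD = 11302


def is_vulnerable_build(build: int) -> bool:
    """True when a ServiceDesk build number predates the fixed build."""
    return build < PATCHED_BUILD


# Assumed Apache "combined" access-log layout; the third field is the
# authenticated remote user ("-" when the request carried no session).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (IPs from RFC 5737 ranges, paths invented).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2021:10:01:02 +0000] "GET /api/v3/requests/1001 HTTP/1.1" 200 5120 "-" "curl/7.68.0"
198.51.100.7 - jdoe [12/Jul/2021:10:02:15 +0000] "GET /api/v3/requests/1002 HTTP/1.1" 200 4811 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jul/2021:10:02:40 +0000] "GET /api/v3/requests/1003 HTTP/1.1" 401 0 "-" "curl/7.68.0"
203.0.113.10 - - [12/Jul/2021:10:03:01 +0000] "GET /api/v3/requests HTTP/1.1" 200 90211 "-" "curl/7.68.0"
198.51.100.7 - - [12/Jul/2021:10:04:00 +0000] "GET /home.do HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""


@dataclass
class ApiHit:
    ip: str
    ts: str
    path: str
    size: int


@dataclass
class SourceSummary:
    requests: int = 0
    bytes: int = 0
    paths: set = field(default_factory=set)


def find_unauthenticated_api_hits(log_text: str, api_prefix: str = "/api/") -> list:
    """Return successful (200) API requests that carried no authenticated user."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        if not m["path"].startswith(api_prefix):
            continue  # not an API call
        if m["user"] != "-":
            continue  # an authenticated session made this request
        if int(m["status"]) != 200:
            continue  # rejected requests are expected; only successes matter
        size = 0 if m["size"] == "-" else int(m["size"])
        hits.append(ApiHit(m["ip"], m["ts"], m["path"], size))
    return hits


def summarize_by_source(hits: list) -> dict:
    """Group hits per client IP so bulk ticket pulls stand out by volume."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h.ip, SourceSummary())
        s.requests += 1
        s.bytes += h.size
        s.paths.add(h.path)
    return summary


if __name__ == "__main__":
    for build in (11301, 11302):
        print(build, "vulnerable" if is_vulnerable_build(build) else "patched")
    for ip, s in summarize_by_source(find_unauthenticated_api_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {s.requests} unauthenticated API responses, {s.bytes} bytes, {len(s.paths)} paths")
```

Response volume per source is the useful signal here: a single unauthenticated hit may be noise, while one address receiving large successful responses from ticket-listing paths is worth correlating with the ticket data those responses would have carried.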

Learn more about X-Force Red’s penetration testing services here.
