In an age where organizations have established a direct dependence on software to run critical business operations, it’s fundamental that they are evaluating their software development lifecycles and that of their extended environment — third-party partners — against the same standards. Concerns around vulnerability management are gaining more government attention around the world in order to acknowledge and emphasize vulnerability detection capabilities across the supply chains. In fact, the National Institute of Standards and Technology (NIST) issued guidance concerning the minimum standards that vendors or developers should meet to verify enterprise software. The standards are meant to encourage a common framework across government and industry regarding how organizations manage critical software and protect data privacy, integrity and confidentiality.

As a hacker for X-Force Red, one of my main priorities is identifying software vulnerabilities that, if exploited, can lead to large-scale business compromise and data exposure. So, when I recently discovered a zero day vulnerability — a flaw that up until that moment no one knew existed ­— it was an exciting occasion, and enabled our team to help reduce the risk of exploitation. The feat occurred during a penetration testing engagement for an X-Force Red client that used the ManageEngine ServiceDesk.

The ManageEngine ServiceDesk is a help desk management platform that includes core help desk and IT management applications, in addition to project management, contract management and features for ITIL (information technology infrastructure library) compliance. The platform is widely deployed and, according to the ManageEngine website, is used by some of the largest companies in the world. The platform’s broad reach is a result of the increasing demand for IT service support management that can improve business process agility and outcomes. In the last two years alone, IT help desks have seen a significant spike in activity due to the expanding remote workforce and a hasty digital transformation that the COVID-19 pandemic forced upon businesses. In fact, a 2021 DeepCoding survey found that the number of monthly tickets submitted to IT service management teams increased 35% from pre-pandemic levels.

Services and applications of this nature sit at a critical point of hundreds of thousands of businesses’ supply chains — they hold sensitive personally identifiable information (PII) information, which makes them a top target for attackers. In the case of ManageEngine’s Service Desk, gaining access to information of this nature could provide attackers with significant ammo for future enterprise targets, providing insight into customers’ IT environments, network structures and security settings. Testing for and managing vulnerabilities within these platforms must be a top priority for businesses across sectors.

A Zero Day Vulnerability Exploitable Remotely Without Authentication

In May 2021, X-Force Red was hired to perform a penetration test against the ManageEngine ServiceDesk application for one of our customers. Our objective was to discover if the application had vulnerabilities that could be exploited by a remote attacker to affect either the confidentiality, integrity or availability of the data stored in the application. The ManageEngine ServiceDesk application was deployed in the client’s environment with its management interface accessible through the internet. The deployment required us to spend more time focusing on the parts of the application that are accessible without authentication and the authentication and authorization modules the application uses to protect the authenticated part of the application.

To gain in-depth visibility of the application, X-Force Red deployed a replica of the client’s application and environment in one of our global X-Force Red Labs, which provide our testing team a secure space to test applications, hardware and devices. We were able to inspect the authentication and authorization modules and discovered a logic vulnerability that could be exploited to give an unauthenticated attacker access to a subset of the application REST-APIs.

The REST APIs are responsible for retrieving detailed ticket information that exists on the application. The information includes the ticket description, the ticket creator’s user information and the ticket status history. By exploiting the logic vulnerability, an attacker could access sensitive data through the internet, including missing patches, information about an organization’s internal network structure and other security weaknesses.

Businesses Should Prioritize Patching and Assess for Compromise

With this type of data at hand, attackers would have insight into various potential attack vectors that they could use to execute attacks on ManageEngine’s customers. Mass exploitation of this vulnerability could lead to the type of widespread impact we’ve grown accustomed to seeing from supply chain attacks, due to the widespread use of this product and the nature of the vulnerability (it can be exploited remotely without authentication).

Establishing a common framework for software verification and vulnerability management will be critical to strengthening software supply chains and enhancing enterprises’ cybersecurity baseline. The government and industry together need to act together in encouraging this.

Some essential best practices organizations should apply include:

  • Patch Now — X-Force Red reported our finding to ManageEngine, which subsequently released a newly patched version 11302 in July 2021 and assigned the vulnerability the CVE-2021-37415. If you have ManageEngine ServiceDesk deployed in your environment with a version prior to 11302, you are at risk of an attacker accessing your service disk tickets’ details. We recommend updating your ManageEngine ServiceDesk application to at least 11302 to mitigate this vulnerability.
  • Put in Place a Patch Management Policy — To avoid these types of vulnerabilities from surfacing in your environment, we recommend organizations instate a patch management policy to ensure regular installation of the latest software patches.
  • Hire a Hacker — Businesses using ManageEngine’s HelpDesk application should assess their environment for potential suspicious activity and ensure they have not been compromised by CVE-2021-37415. By hiring a hacker or adopting a continuous penetration testing program, businesses can promptly discover and remediate vulnerabilities, reducing potential risks to their environments.

Learn more about X-Force Red’s penetration testing services here.

More from Offensive Security

X-Force discovers new vulnerabilities in smart treadmill

7 min read - This research was made possible thanks to contributions from Joshua Merrill. Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users. One of the most…

Evolving red teaming for AI environments

2 min read - As AI becomes more ingrained in businesses and daily life, the importance of security grows more paramount. In fact, according to the IBM Institute for Business Value, 96% of executives say adopting generative AI (GenAI) makes a security breach likely in their organization in the next three years. Whether it’s a model performing unintended actions, generating misleading or harmful responses or revealing sensitive information, in the AI era security can no longer be an afterthought to innovation.AI red teaming is emerging…

AI vs. human deceit: Unravelling the new age of phishing tactics

7 min read - Attackers seem to innovate nearly as fast as technology develops. Day by day, both technology and threats surge forward. Now, as we enter the AI era, machines not only mimic human behavior but also permeate nearly every facet of our lives. Yet, despite the mounting anxiety about AI’s implications, the full extent of its potential misuse by attackers is largely unknown. To better understand how attackers can capitalize on generative AI, we conducted a research project that sheds light on…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today