In an age where organizations have established a direct dependence on software to run critical business operations, it’s fundamental that they are evaluating their software development lifecycles and that of their extended environment — third-party partners — against the same standards. Concerns around vulnerability management are gaining more government attention around the world in order to acknowledge and emphasize vulnerability detection capabilities across the supply chains. In fact, the National Institute of Standards and Technology (NIST) issued guidance concerning the minimum standards that vendors or developers should meet to verify enterprise software. The standards are meant to encourage a common framework across government and industry regarding how organizations manage critical software and protect data privacy, integrity and confidentiality.

As a hacker for X-Force Red, one of my main priorities is identifying software vulnerabilities that, if exploited, can lead to large-scale business compromise and data exposure. So, when I recently discovered a zero day vulnerability — a flaw that up until that moment no one knew existed ­— it was an exciting occasion, and enabled our team to help reduce the risk of exploitation. The feat occurred during a penetration testing engagement for an X-Force Red client that used the ManageEngine ServiceDesk.

The ManageEngine ServiceDesk is a help desk management platform that includes core help desk and IT management applications, in addition to project management, contract management and features for ITIL (information technology infrastructure library) compliance. The platform is widely deployed and, according to the ManageEngine website, is used by some of the largest companies in the world. The platform’s broad reach is a result of the increasing demand for IT service support management that can improve business process agility and outcomes. In the last two years alone, IT help desks have seen a significant spike in activity due to the expanding remote workforce and a hasty digital transformation that the COVID-19 pandemic forced upon businesses. In fact, a 2021 DeepCoding survey found that the number of monthly tickets submitted to IT service management teams increased 35% from pre-pandemic levels.

Services and applications of this nature sit at a critical point of hundreds of thousands of businesses’ supply chains — they hold sensitive personally identifiable information (PII) information, which makes them a top target for attackers. In the case of ManageEngine’s Service Desk, gaining access to information of this nature could provide attackers with significant ammo for future enterprise targets, providing insight into customers’ IT environments, network structures and security settings. Testing for and managing vulnerabilities within these platforms must be a top priority for businesses across sectors.

A Zero Day Vulnerability Exploitable Remotely Without Authentication

In May 2021, X-Force Red was hired to perform a penetration test against the ManageEngine ServiceDesk application for one of our customers. Our objective was to discover if the application had vulnerabilities that could be exploited by a remote attacker to affect either the confidentiality, integrity or availability of the data stored in the application. The ManageEngine ServiceDesk application was deployed in the client’s environment with its management interface accessible through the internet. The deployment required us to spend more time focusing on the parts of the application that are accessible without authentication and the authentication and authorization modules the application uses to protect the authenticated part of the application.

To gain in-depth visibility of the application, X-Force Red deployed a replica of the client’s application and environment in one of our global X-Force Red Labs, which provide our testing team a secure space to test applications, hardware and devices. We were able to inspect the authentication and authorization modules and discovered a logic vulnerability that could be exploited to give an unauthenticated attacker access to a subset of the application REST-APIs.

The REST APIs are responsible for retrieving detailed ticket information that exists on the application. The information includes the ticket description, the ticket creator’s user information and the ticket status history. By exploiting the logic vulnerability, an attacker could access sensitive data through the internet, including missing patches, information about an organization’s internal network structure and other security weaknesses.

Businesses Should Prioritize Patching and Assess for Compromise

With this type of data at hand, attackers would have insight into various potential attack vectors that they could use to execute attacks on ManageEngine’s customers. Mass exploitation of this vulnerability could lead to the type of widespread impact we’ve grown accustomed to seeing from supply chain attacks, due to the widespread use of this product and the nature of the vulnerability (it can be exploited remotely without authentication).

Establishing a common framework for software verification and vulnerability management will be critical to strengthening software supply chains and enhancing enterprises’ cybersecurity baseline. The government and industry together need to act together in encouraging this.

Some essential best practices organizations should apply include:

  • Patch Now — X-Force Red reported our finding to ManageEngine, which subsequently released a newly patched version 11302 in July 2021 and assigned the vulnerability the CVE-2021-37415. If you have ManageEngine ServiceDesk deployed in your environment with a version prior to 11302, you are at risk of an attacker accessing your service disk tickets’ details. We recommend updating your ManageEngine ServiceDesk application to at least 11302 to mitigate this vulnerability.
  • Put in Place a Patch Management Policy — To avoid these types of vulnerabilities from surfacing in your environment, we recommend organizations instate a patch management policy to ensure regular installation of the latest software patches.
  • Hire a Hacker — Businesses using ManageEngine’s HelpDesk application should assess their environment for potential suspicious activity and ensure they have not been compromised by CVE-2021-37415. By hiring a hacker or adopting a continuous penetration testing program, businesses can promptly discover and remediate vulnerabilities, reducing potential risks to their environments.

Learn more about X-Force Red’s penetration testing services here.

More from Offensive Security

X-Force identifies vulnerability in IoT platform

4 min read - The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force. While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with.…

When the absence of noise becomes signal: Defensive considerations for Lazarus FudModule

7 min read - In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Containers, Security, and Risks within Containerized Environments

4 min read - Applications have historically been deployed and created in a manner reminiscent of classic shopping malls. First, a developer builds the mall, then creates the various stores inside. The stores conform to the dimensions of the mall and operate within its floor plan. In older approaches to application development, a developer would have a targeted system or set of systems for which they intend to create an application. This targeted system would be the mall. Then, when building the application, they would…

How to Keep Your Secrets Safe: A Password Primer

5 min read - There are two kinds of companies in the world: those that have been breached by criminals, and those that have been breached and don't know it yet. Criminals are relentless. Today’s cyberattacks have evolved into high-level espionage perpetrated by robust criminal organizations or nation-states. In the era of software as a service (SaaS), enterprise data is more likely to be stored on the cloud rather than on prem. Using sophisticated cloud scanning software, criminals can breach an enterprise system within…