Zoho ManageEngine Desktop Central 10 Deserialization Vulnerability Could Lead to Remote Code Execution

• Zoho releases a patch for a critical remote code execution flaw in ManageEngine one day after the vulnerability was publicly disclosed

The Tenable Security Response Team (SRT) has published a security advisory for a recently disclosed and patched flaw in Zoho ManageEngine Desktop Central 10. The flaw was discovered by Steven Seeley of Source Incite, who tweeted an advisory for it on March 5, including a proof-of-concept (PoC). At the time, no CVE identifier had been assigned to the flaw and no patch was available. Since the disclosure on Twitter, the flaw has been assigned CVE-2020-10189, and Zoho released a patch for it in build 10.0.479 on March 6.

According to Seeley, the flaw “exists within the FileStorage class” which does not properly validate user-supplied data, resulting in the deserialization of untrusted data. An unauthenticated, remote attacker could use this vulnerability to “execute code under the context of SYSTEM.”

CVE-2020-10189 is an untrusted deserialization vulnerability in Zoho ManageEngine Desktop Central. The vulnerability stems from improper input validation in the FileStorage class. According to Seeley, an unauthenticated, remote attacker can abuse the lack of validation in the FileStorage class to upload a malicious file containing a serialized payload onto the vulnerable Desktop Central host.

To trigger the untrusted deserialization, the attacker then makes a subsequent request for the file uploaded onto the vulnerable host. This grants the attacker arbitrary code execution with SYSTEM/root privileges. For more detail, please refer to the proof-of-concept section, which contains Seeley’s detailed breakdown of the vulnerability.
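As an added example (not code from Tenable, Zoho or Seeley's PoC), the following Python parser shows the kind of check an upload handler can apply before stored data ever reaches a deserializer: it recognises the Java serialization stream header, walks the first object's class descriptor chain, and rejects the upload unless every class is on an allowlist. The class name com.example.StorageRecord and the sample bytes are constructed for illustration.

```python
MAGIC = b"\xac\xed\x00\x05"  # every Java serialized stream starts with these four bytes
TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT, TC_STRING, TC_ENDBLOCKDATA = 0x70, 0x71, 0x72, 0x73, 0x74, 0x78

def _take(data, cur, n):  # bounds-checked read; cur is a one-element list holding the offset
    chunk = data[cur[0]:cur[0] + n]
    if len(chunk) < n: raise ValueError("truncated stream")
    cur[0] += n
    return chunk

def _utf(data, cur):  # 2-byte big-endian length, then (modified) UTF-8 bytes
    return _take(data, cur, int.from_bytes(_take(data, cur, 2), "big")).decode("utf-8")

def _class_desc(data, cur, names):  # walk one classDesc plus its superclass chain
    tc = _take(data, cur, 1)[0]
    if tc == TC_NULL:  # end of the superclass chain
        return
    if tc != TC_CLASSDESC:  # proxy descriptors, back-references, junk: fail closed
        raise ValueError(f"unsupported descriptor 0x{tc:02x}")
    names.append(_utf(data, cur))
    _take(data, cur, 9)  # serialVersionUID (8 bytes) + classDescFlags (1 byte)
    for _ in range(int.from_bytes(_take(data, cur, 2), "big")):  # field descriptors
        code, _name = _take(data, cur, 1)[0], _utf(data, cur)
        if code in b"L[":  # object/array fields carry their type name as a String object
            t = _take(data, cur, 1)[0]
            if t not in (TC_STRING, TC_REFERENCE):
                raise ValueError("malformed field type")
            _utf(data, cur) if t == TC_STRING else _take(data, cur, 4)  # name, or handle to an earlier one
    if _take(data, cur, 1)[0] != TC_ENDBLOCKDATA:  # non-empty class annotations: not handled
        raise ValueError("unsupported class annotation")
    _class_desc(data, cur, names)  # superclass descriptor (or TC_NULL)

def top_level_classes(data):  # classes the first object would instantiate, most-derived first
    if not data.startswith(MAGIC):
        raise ValueError("not a Java serialized stream")
    cur, names = [len(MAGIC)], []
    if _take(data, cur, 1)[0] != TC_OBJECT:
        raise ValueError("only a TC_OBJECT at the top level is handled")
    _class_desc(data, cur, names)
    return names

def check_upload(data, allowlist):  # 'plain' | 'allowed' | 'rejected'
    if not data.startswith(MAGIC):
        return "plain"  # not serialized Java; leave it to the normal file-type checks
    try:
        classes = top_level_classes(data)
    except ValueError:
        return "rejected"  # fail closed on anything the parser does not understand
    return "allowed" if classes and all(c in allowlist for c in classes) else "rejected"

SAMPLE = (MAGIC + b"\x73\x72\x00\x19com.example.StorageRecord"  # constructed: TC_OBJECT, TC_CLASSDESC, name
          + b"\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x01L\x00\x05owner"  # SUID=1, SERIALIZABLE, 1 field: L owner
          + b"\x74\x00\x12Ljava/lang/String;\x78\x70\x74\x00\x03bob")  # type name, end, no super, value "bob"
```

Gateway-side inspection like this complements, and does not replace, an allowlisting ObjectInputFilter inside the JVM (JEP 290), which is enforced at the point of deserialization itself.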

Here’s Tenable’s blog for this advisory.