Researchers Warn Against Zoho ManageEngine Exploit Attacks

Horizon3.ai researchers have urged Zoho ManageEngine users to patch their software against a critical security vulnerability (tracked as CVE-2022-47966) after designing and releasing proof-of-concept (PoC) exploit code.
Writing in the company’s blog last Friday, Horizon3.ai researcher and exploit developer James Horseman said the team has successfully reproduced the exploit and is now providing additional insight into the vulnerability to help users determine if they have been compromised.
Patched by Zoho between the last week of October and the first of November 2022, the bug affects multiple Zoho ManageEngine products. It can be exploited over the internet to achieve remote code execution (RCE) if Security Assertion Markup Language (SAML) single sign-on (SSO) is enabled or has been enabled before.
“Once an attacker has SYSTEM-level access to the endpoint, attackers are likely to begin dumping credentials via LSASS or leverage existing public tooling to access stored application credentials to conduct lateral movement,” Horseman explained.
“Shodan data shows that there are likely more than a thousand instances of ManageEngine products exposed to the internet with SAML currently enabled.”
The company added that organizations that use SAML, generally speaking, tend to be larger and more mature and are likely to be higher-value targets for attackers.
“ManageEngine products have been highly targeted in the past several years by threat actors to gain initial access.”
Horizon3.ai has also released Indicators of Compromise (IOCs) associated with the flaw and is urging customers to update their instances before threat actors exploit it.
“We encourage all ManageEngine users to heed the ManageEngine advisory and patch immediately,” Horseman warned.
“We want to highlight that in some cases, the vulnerability is exploitable even if SAML is not currently enabled but was enabled sometime in the past. The safest course of action is to patch regardless of the SAML configuration of the product.”
More information about SAML and identity management is available in this analysis by JumpCloud CTO Greg Keller.