A critical vulnerability, identified as CVE-2022-47966, has been discovered in multiple on-premise Zoho ManageEngine products, including ServiceDesk Plus up to version 14003. This vulnerability, if exploited, can allow an attacker to execute arbitrary code remotely due to the deprecated Apache xmlsec (aka XML Security for Java) 1.4.1 being used in these applications. The xmlsec XSLT features make the application responsible for security protections that the affected ManageEngine applications did not provide, which makes this vulnerability particularly concerning. In this post, we will dive into the details of the vulnerability, provide code snippets, and share links to the original references for further reading.

Exploit Details

The CVE-2022-47966 vulnerability exists because the affected Zoho ManageEngine applications use Apache xmlsec 1.4.1, which by design requires the applications to provide specific security protections. These protections were not implemented by the affected ManageEngine applications. As a result, attackers could exploit this vulnerability to execute arbitrary code on the targeted system. One notable aspect of this vulnerability is that it affects the on-premise version of Zoho ManageEngine ServiceDesk Plus, which is widely used for IT service management and has a large installed base.

Code Snippet

The vulnerability is related to the use of the xmlsec XSLT features. Here's an illustrative example of vulnerable code using Apache xmlsec 1.4.1, in which a signed XML document is verified with the library's defaults and no application-side restrictions:

import java.security.PublicKey;
import org.apache.xml.security.Init;
import org.apache.xml.security.signature.XMLSignature;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class VulnerableXmlSec {
    // Verifies a signed document with xmlsec 1.4.1 defaults. The library leaves
    // restrictions on signature transforms (including XSLT) to the application,
    // and this code applies none before handing the signature to the library.
    public static boolean verify(Document doc, PublicKey key) throws Exception {
        Init.init();
        Element sigElement = (Element) doc.getElementsByTagNameNS(
                "http://www.w3.org/2000/09/xmldsig#", "Signature").item(0);
        XMLSignature signature = new XMLSignature(sigElement, "");
        return signature.checkSignatureValue(key);
    }
}

In the above code snippet, the signature from the deprecated Apache xmlsec 1.4.1 library is verified as-is: the library processes whatever transforms the signature declares, including XSLT, and the application adds no protection of its own, which is what contributes to the vulnerability.

Mitigation

The recommended mitigation for this vulnerability is to update Zoho ManageEngine on-premise products to the latest version, which includes necessary security protections. Additionally, it is advised to switch to updated versions of the Apache xmlsec library or to use alternative libraries that provide the same functionality but are more secure.
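The following is an added example, not code from this post or from Zoho or the Apache Santuario project, of how an application can supply the protections the advisory says the affected products lacked. It rejects any ds:Signature that declares an XSLT transform before the library ever sees it (this check depends only on the DOM, so it works with any xmlsec version), and it then verifies with the library's secure validation mode. The three-argument XMLSignature constructor with a secureValidation flag is assumed to be the xmlsec 2.x API; confirm it against the library version you upgrade to.

```java
import java.security.PublicKey;
import org.apache.xml.security.Init;
import org.apache.xml.security.signature.XMLSignature;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class HardenedXmlSec {
    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    // Algorithm URI of the XSLT transform defined by XML-DSig.
    private static final String XSLT_TRANSFORM =
            "http://www.w3.org/TR/1999/REC-xslt-19991116";

    // Application-level check: true if any ds:Transform in the signature asks the
    // verifier to run an XSLT stylesheet. Independent of the xmlsec version.
    public static boolean containsXsltTransform(Element signature) {
        NodeList transforms = signature.getElementsByTagNameNS(DSIG_NS, "Transform");
        for (int i = 0; i < transforms.getLength(); i++) {
            Element t = (Element) transforms.item(i);
            if (XSLT_TRANSFORM.equals(t.getAttribute("Algorithm"))) {
                return true;
            }
        }
        return false;
    }

    public static boolean verify(Document doc, PublicKey key) throws Exception {
        Init.init();
        NodeList sigs = doc.getElementsByTagNameNS(DSIG_NS, "Signature");
        // Refuse ambiguous documents rather than silently picking the first signature.
        if (sigs.getLength() != 1) {
            throw new SecurityException("expected exactly one ds:Signature element");
        }
        Element sigElement = (Element) sigs.item(0);
        if (containsXsltTransform(sigElement)) {
            throw new SecurityException("XSLT transforms are not accepted");
        }
        // Assumption: xmlsec 2.x constructor; secureValidation=true makes the library
        // itself reject XSLT transforms and other risky constructs as a second layer.
        XMLSignature signature = new XMLSignature(sigElement, "", true);
        return signature.checkSignatureValue(key);
    }
}
```

The explicit transform check is the part worth keeping even after the library upgrade: it makes the application's policy visible in its own code instead of relying on a library default that, as this CVE shows, may not be enforced by the version actually deployed.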

For further information on the CVE-2022-47966 vulnerability and additional details, consider reading the original references and advisories:

- Zoho ManageEngine ServiceDesk Plus Advisory: https://www.manageengine.com/products/service-desk/readme.html?build=14003
- Apache XML Security for Java (xmlsec): https://xml.apache.org/security/index.html
- CVE-2022-47966 Vulnerability Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47966

Conclusion

The CVE-2022-47966 remote code execution vulnerability in multiple Zoho ManageEngine on-premise products highlights the importance of keeping applications and libraries up-to-date with the latest security fixes. Organizations utilizing affected ManageEngine products should prioritize updating their software to mitigate the risks associated with this critical vulnerability.

Timeline

Published on: 01/18/2023 18:15:00 UTC
Last modified on: 02/09/2023 19:15:00 UTC