Recently, an issue was discovered in Zoho ManageEngine Network Configuration Manager (version 12.6.165) that allows Cross-site WebSocket hijacking. This vulnerability has been assigned the identifier CVE-2023-29505. In this post, we will dive into the exploit details, share code snippets, and provide you with links to original references, as well as steps to mitigate the vulnerability.

Vulnerability: Cross-site WebSocket Hijacking

Cross-site WebSocket hijacking, also known as Cross-Origin WebSocket Hijacking (COWH), occurs when a page served from an attacker-controlled origin, running in the victim's browser, opens a WebSocket connection to a target application that does not verify where the handshake came from. Because the browser attaches the victim's cookies to the handshake, the connection runs in the victim's authenticated session, which may let the attacker bypass security restrictions and read sensitive data or perform actions on behalf of the legitimate user.

CVE-2023-29505 in Zoho ManageEngine Network Configuration Manager 12.6.165

Zoho ManageEngine Network Configuration Manager (NCM) is a popular tool used by IT administrators to manage network devices efficiently. The software is especially useful in managing configurations of devices like switches, routers, and firewalls.

In version 12.6.165, a WebSocket endpoint vulnerability was discovered, which allows Cross-site WebSocket hijacking. An attacker can exploit this vulnerability to make WebSocket requests to an NCM instance on behalf of a targeted user.

Exploit Details

The vulnerability can be exploited using malicious code embedded in a website or reached through an email link, which executes in the victim's browser. When a user visits the website hosting the code or clicks the link, the page's script opens a WebSocket connection to the vulnerable NCM instance, and the browser completes the handshake carrying the victim's credentials.

Here's an example of a code snippet that demonstrates the exploitation of this vulnerability:

<!DOCTYPE html>
<html>
<head>
  <title>WebSocket Hijacking Demo</title>
</head>
<body>
  <script>
    // The victim's browser attaches their NCM session cookies to this handshake,
    // so the server sees a connection from an already authenticated user.
    var socket = new WebSocket("wss://vulnerable-domain.example.com/ws-endpoint");

    socket.onopen = function() {
      console.log("WebSocket connection established");
      socket.send("malicious_payload");
    };

    socket.onmessage = function(event) {
      console.log("Received data from the WebSocket connection:", event.data);
    };

    socket.onerror = function(error) {
      console.error("WebSocket error:", error);
    };
  </script>
</body>
</html>

This snippet first establishes a WebSocket connection with the vulnerable NCM instance and then sends a crafted payload to the server. The victim's browser has no reason to treat the connection as suspicious: the same-origin policy is not applied to WebSocket handshakes, so the browser sends the victim's session cookies along with it, and an NCM endpoint that does not validate the handshake's origin treats the connection as the legitimate user's, granting the attacker access to sensitive information or control over actions taken in that user's session.

Original References

For more information on this vulnerability and its exploitation, refer to the following original sources:

- CVE-2023-29505 - Official CVE entry
- Zoho ManageEngine Network Configuration Manager - Official Website

Mitigation

To mitigate the impact of this vulnerability, you should:

1. Update to the latest version of Zoho ManageEngine Network Configuration Manager. The vulnerability has been patched in version 12.6.166 and later. Download the latest version here: Zoho ManageEngine NCM Download page
2. Implement proper Content Security Policy (CSP) headers that restrict the domains from which WebSocket connections can be established, thus blocking requests from the attacker's domain.
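The server-side check that closes this class of issue, as an added example that is not code from ManageEngine or from the original post: validate the Origin header of every WebSocket handshake against an allow-list of the application's own origins before completing the upgrade. The allow-listed hostname, the header layout and the sample handshakes are assumptions constructed for the example.

```javascript
// Added example (not ManageEngine's code nor the original post's): reject
// cross-site WebSocket handshakes on the server by checking the Origin header
// against an allow-list of the application's own origins. The hostname, the
// header shapes and the sample requests below are constructed assumptions.

// Assumed: the only origin whose pages may open WebSockets to this server.
const ALLOWED_ORIGINS = new Set(["https://ncm.internal.example.com"]);

// `headers` maps lower-cased header names to values, as Node's http server
// hands them to an 'upgrade' listener. Returns { ok, reason }.
function checkWebSocketHandshake(headers, allowedOrigins = ALLOWED_ORIGINS) {
  if ((headers["upgrade"] || "").toLowerCase() !== "websocket") {
    return { ok: false, reason: "not a WebSocket upgrade request" };
  }
  const origin = headers["origin"];
  // Browsers always send Origin on a WebSocket handshake. A request without
  // one did not come from a browser page and so cannot ride on a victim's
  // ambient session cookies, but refusing is still the safe default.
  if (!origin) {
    return { ok: false, reason: "missing Origin header" };
  }
  // Exact match on scheme://host[:port]. No prefix, suffix or substring
  // comparison: those are defeated by look-alike hostnames, and the literal
  // value "null" (sandboxed or file:// contexts) never matches either.
  if (!allowedOrigins.has(origin)) {
    return { ok: false, reason: `origin not allowed: ${origin}` };
  }
  return { ok: true, reason: "origin allowed" };
}

// Constructed sample handshakes. Both carry the victim's session cookie,
// because the browser attaches it regardless of which page opened the socket;
// only the Origin header tells the two apart.
const SAME_SITE_HANDSHAKE = {
  upgrade: "websocket",
  origin: "https://ncm.internal.example.com",
  cookie: "JSESSIONID=<victim-session>",
};
const CROSS_SITE_HANDSHAKE = {
  upgrade: "websocket",
  origin: "https://third-party.example",
  cookie: "JSESSIONID=<victim-session>",
};

// Run stand-alone: prints the decision for each sample handshake.
for (const [name, h] of Object.entries({ SAME_SITE_HANDSHAKE, CROSS_SITE_HANDSHAKE })) {
  const verdict = checkWebSocketHandshake(h);
  console.log(`${name}: ${verdict.ok ? "accept" : "reject (" + verdict.reason + ")"}`);
}
```

A rejected handshake is also worth logging with its Origin value, since a burst of refused cross-site upgrades against the NCM endpoint is a direct indicator that someone is attempting this attack against your users.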

Timeline

Published on: 08/04/2023 15:15:00 UTC
Last modified on: 08/10/2023 21:15:00 UTC