CVE CyberSecurity Database News

CVE-2023-29505 - WebSocket Hijacking in Zoho ManageEngine Network Configuration Manager 12.6.165

Poster -

In April 2023, a serious security vulnerability—CVE-2023-29505—was discovered in Zoho ManageEngine Network Configuration Manager (NCM) version 12.6.165. This flaw allows cross-site WebSocket hijacking, making it possible for attackers to exploit WebSockets to steal sensitive data or impersonate users remotely. This post will break down the vulnerability, demo how it works, and provide mitigation steps, all in simple American language.

The Problem

Modern web apps use WebSockets for real-time communication between browsers and servers. However, if WebSocket endpoints are not properly protected, attackers can "hijack" an active session. That’s exactly what happened with Zoho ManageEngine NCM.

What is Cross-site WebSocket Hijacking?

WebSocket hijacking is like stealing someone’s open phone line. If an app doesn’t verify where a WebSocket connection is coming from, any website that your browser visits (while you're logged in) can sneak messages to the server "as you".

This happens when a server trusts ANY incoming WebSocket connections, regardless of the web page initiating it.

Exploit Details

The Zoho NCM 12.6.165 WebSocket server does not properly check the Origin or Sec-WebSocket-Origin headers. So, an attacker can craft a malicious web page that a logged-in user visits, and that page opens a WebSocket connection to NCM. The attacker can then send commands, read responses, or escalate their access.

Victim logs in to Zoho NCM at their workplace.

2. Victim visits an attacker’s site (can be a phishing email, a malicious ad, or a cleverly disguised link).
3. The attacker’s site opens a WebSocket to victim’s NCM server, using the browser’s cookies/session.
4. The attacker can read/write data over this hijacked session.

Coding the Exploit

Below is a basic proof-of-concept (PoC) exploit that shows how a malicious site could do it.

// Malicious site's JavaScript
// Replace "ncmsrv.example.com:808" with the real NCM server address.
let ws = new WebSocket('ws://ncmsrv.example.com:808/ws');

ws.onopen = function() {
  // Example: Send a command to fetch sensitive info
  ws.send(JSON.stringify({
    type: "getConfig",
    id: "1",
    data: {}
  }));
};

ws.onmessage = function(evt) {
  // The attacker can now read private responses
  console.log("Sensitive data received:", evt.data);
};

ws.onerror = function(e) {
  console.log("WebSocket error:", e);
};

What’s Missing in Zoho NCM?

In secure setups, the WebSocket server should check the incoming Origin header and make sure it's coming from a trusted site (like the app’s real URL), refusing connections from others.

Zoho NCM 12.6.165 did NOT do this check—so it let anyone with network access make WebSocket connections.

Update your Zoho NCM! Zoho has patched this in newer versions—find details here

- Original Zoho Advisory
- NVD CVE Entry

2. WebSocket Origin Check: Ensure your WebSocket server code ALWAYS checks the Origin header. For example, in Python:

`

3. Browser Settings: As a user, don’t open suspicious links or ads—especially from email—or while logged into critical apps.

References

- National Vulnerability Database Entry (CVE-2023-29505)
- Zoho Advisory for WebSocket Hijacking
- WebSockets Security Best Practices (Mozilla)

Conclusion

CVE-2023-29505 was a significant security risk for any organization running Zoho ManageEngine Network Configuration Manager 12.6.165. The weak WebSocket validation enabled full session hijacking from any malicious web page, putting confidential configuration data at risk.

The fix is simple: always verify the origin of incoming WebSocket connections. If you run Zoho NCM, make sure you are using a patched version. Stay alert, and keep your software up to date!

Timeline

Published on: 08/04/2023 15:15:00 UTC
Last modified on: 08/10/2023 21:15:00 UTC