Serious two-year old bug bites ManageEngine

By

Unauthenticated attackers can run arbitrary code remotely.

A security researcher has discovered serious vulnerabilities in ManageEngine's Password Manager Pro, PAM360 and Access Manager Plus, which could be exploited to run malicious code remotely without authentication.

Serious two-year old bug bites ManageEngine

Alvaro Muñoz, who works as a security researcher at open source code repository Github, found that the ManageEngine components were vulnerable to a 2020 bug, which allows for unsafe deserialisation of XMLRPC arguments in the Apache OfBiz enterprise resource planning system.

The Open Web Application Security Project (OWASP) explains deserialisation as "taking data structured from some format, and rebuilding it into an object". 

Deserialisation has been the cause of several serious vulnerabilities recently, such as the Log4J logging bug.

Muñoz has published proof-of-concept code for the vulnerability, using the ysoserial tool to generate payloads that exploit unsafe Java object deseralisation.

ManageEngine is enterprise management software that's widely used in almost 200 countries, with nearly 280,000 installations.

The bug does not appear to have been exploited in the wild, and ManageEngine patched the vulnerability in June this year.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Eagers Automotive finds unauthorised access to parts of IT systems

Eagers Automotive finds unauthorised access to parts of IT systems

Hackers hit Victoria's court recording database

Hackers hit Victoria's court recording database

St Vincent's Health Australia warns cyber attack forensics could "take some time"

St Vincent's Health Australia warns cyber attack forensics could "take some time"

Yakult Australia confirms cyber incident

Yakult Australia confirms cyber incident

Log In

  |  Forgot your password?