CVE-2017-16924
-- Description --
Remote Information Disclosure and Escalation of Privileges in
ManageEngine Desktop Central MSP 10.0.137 allows attackers to download
unencrypted XML files containing all data for configuration policies via
a predictable /client-data/<client_id>/collections/##/usermgmt.xml
URL, as demonstrated by passwords and Wi-Fi keys.
-- Additional Information --
Remote Information Disclosure and Escalation of Privileges in
ManageEngine Desktop Central MSP 10.0.137 allows an attacker to download
unencrypted XML files containing all data for configuration policies for
any client company managed by a Desktop Central MSP (Managed Service
Provider) server installation. Diverse config policy types may be
accessed, including ones containing sensitive information, keys and
passwords such as Wi-Fi keys, server firewall policies, custom scripts,
Outlook passwords, and user and administrator usernames/passwords, all
stored and transmitted unencrypted as plain text or base64-encoded
clear text.
Given that this is a server product for IT service providers which in
turn have many companies under management, there is a large potential
impact to client companies and their end users.
The vulnerable version was obtained in Sept 2017 at
https://www.manageengine.com/desktop-management-msp/download.html.
The vulnerability was discovered and submitted to the vendor on Oct 8-9th,
2017 and confirmed by their security team as a vulnerability on Oct 10th,
2017. At that time, the vendor offered a timeframe of delivering a patch
within 60 days.
ManageEngine security team's internal tracking: #270269
CERT assigned VU#493595
Vendor issued public disclosure and patch on 29 Dec 2017. See vendor posting:
https://www.manageengine.com/desktop-management-msp/password-encryption-policy-violation.html
-- Vulnerability Type --
Incorrect Access Control
-- Vendor of Product --
ManageEngine
-- Affected Product Code Base --
Desktop Central MSP - 10.0.137
-- Affected Component --
Client configuration (distributed policy object files)
-- Attack Type --
Remote
-- Impact Escalation of Privileges --
true
-- Impact Information Disclosure --
true
-- Attack Vectors --
Performing an unauthenticated HTTP GET on any subdirectory under the
/client-data path. For example,
http(s)://my-medc-server.my-msp.com:8041/client-data/<client_id>/collections/<collection-id>/usermgmt.xml
where <client_id> and <collection-id> are predictable, low-value integers
corresponding to the guessable database ids of those objects.
-- Has vendor confirmed or acknowledged the vulnerability? --
true
-- Discoverer --
Shaun Noonan
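
For defenders reviewing a server that ran the affected version, the following added example (not part of the original advisory or of any ManageEngine tooling) scans access-log lines for sources whose GET requests under the /client-data path span more than one client id or many collection ids. The Common Log Format, the thresholds, and the premise that a managed endpoint only fetches its own client's policy files are assumptions; the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Assumption: Common Log Format. Adjust LINE_RE to the server's real access log layout.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Path shape from the advisory: /client-data/<client_id>/collections/<collection-id>/<file>.xml
POLICY_RE = re.compile(r'^/client-data/(\d+)/collections/(\d+)/[^/?]+\.xml(?:\?.*)?$')

def find_policy_enumeration(lines, max_clients=1, max_collections=5):
    """Return {source: summary} for sources whose policy-file fetches look like id walking."""
    seen = defaultdict(lambda: {"clients": set(), "collections": set(), "served": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        p = POLICY_RE.match(m["path"])
        if not p:
            continue  # not a policy XML request
        rec = seen[m["src"]]
        rec["clients"].add(int(p[1]))
        rec["collections"].add((int(p[1]), int(p[2])))
        if m["status"] == "200":
            rec["served"] += 1  # the policy XML was actually returned
    findings = {}
    for src, rec in seen.items():
        if len(rec["clients"]) > max_clients or len(rec["collections"]) > max_collections:
            findings[src] = {
                "client_ids": sorted(rec["clients"]),
                "distinct_collections": len(rec["collections"]),
                "files_served": rec["served"],
            }
    return findings

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '10.0.5.21 - - [02/Jan/2018:09:00:01 +0000] "GET /client-data/3/collections/12/usermgmt.xml HTTP/1.1" 200 2114',
    '10.0.5.21 - - [02/Jan/2018:09:00:02 +0000] "GET /client-data/3/collections/14/usermgmt.xml HTTP/1.1" 200 1870',
    '10.0.5.21 - - [02/Jan/2018:09:00:03 +0000] "GET /images/logo.png HTTP/1.1" 200 5120',
    '203.0.113.50 - - [02/Jan/2018:09:10:11 +0000] "GET /client-data/1/collections/1/usermgmt.xml HTTP/1.1" 200 1990',
    '203.0.113.50 - - [02/Jan/2018:09:10:12 +0000] "GET /client-data/1/collections/2/usermgmt.xml HTTP/1.1" 404 310',
    '203.0.113.50 - - [02/Jan/2018:09:10:13 +0000] "GET /client-data/2/collections/1/usermgmt.xml HTTP/1.1" 200 2051',
    '203.0.113.50 - - [02/Jan/2018:09:10:14 +0000] "GET /client-data/3/collections/12/usermgmt.xml HTTP/1.1" 200 2114',
]

if __name__ == "__main__":
    for src, info in find_policy_enumeration(SAMPLE_LOG).items():
        print(src, info)
```

A non-zero `files_served` count for a flagged source means policy files were returned to it, so any credentials and keys in those policies should be treated as exposed and rotated.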