Critical vulnerability in Zoho ManageEngine OpManager
Zoho has released updates that close one critical vulnerability and several further vulnerabilities in ManageEngine OpManager. Attackers could gain unauthorized access.
The Zoho ManageEngine OpManager network monitoring software has vulnerabilities that attackers could use to gain unauthorized access or inject code. The manufacturer's developers have provided fixed software that closes the holes.
Access for everyone
In the monitoring software, an inadequate mechanism for handling requests allows unauthenticated users to gain access to a user API key. Attackers could thereby obtain valid user API keys without authentication and use them to access the external APIs (CVE-2022-36923, CVSS pending, risk "critical").
According to Zoho's security advisory, ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer and OpUtils are affected. The updated versions are listed in the advisory.
Another vulnerability allowed any logged-in user to make changes to the database and thereby inject and execute arbitrary code (CVE-2022-37024, CVSS pending, risk "high"). In the security notification, Zoho explains which version for which software branch closes the gap. Affected are Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer and OpUtils.
Administrators should apply the available updates promptly to avoid falling victim to attacks. Vulnerabilities in Zoho software are very popular with cybercriminals and are often attacked soon after they become known.