Zoho ManageEngine Desktop Central 10 Deserialization Vulnerability May Lead to Remote Code Execution

9th March 2020 | By Mouseworld Now Correspondent

New Delhi, 9th March, 2020: The Tenable Security Response Team (SRT) has published a security advisory for a recently disclosed and patched flaw in Zoho ManageEngine Desktop Central 10. The flaw was discovered by Steven Seeley of Source Incite, who tweeted an advisory [advisory link] for the vulnerability on March 5, including a proof-of-concept (PoC).

At the time, there was no CVE identifier associated with the flaw, nor was a patch available. Since the disclosure on Twitter, the flaw has been assigned CVE-2020-10189, and Zoho released a patch for the vulnerability in build 10.0.479 on March 6.

According to Seeley, the flaw “exists within the FileStorage class” which does not properly validate user-supplied data, resulting in the deserialization of untrusted data. An unauthenticated, remote attacker could use this vulnerability to “execute code under the context of SYSTEM.”

CVE-2020-10189 is an untrusted deserialization vulnerability in Zoho ManageEngine Desktop Central. The vulnerability stems from improper input validation in the FileStorage class. According to Seeley, an unauthenticated, remote attacker can abuse the lack of validation in the FileStorage class to upload a malicious file containing a serialized payload onto the vulnerable Desktop Central host.

To trigger the untrusted deserialization, an attacker would then need to make a subsequent request for the file uploaded onto the vulnerable host. This would then grant the attacker arbitrary code execution with SYSTEM/root privileges. For more detail, please refer to the proof-of-concept section, which contains Seeley’s detailed breakdown of the vulnerability.
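The pattern described above, a stored upload that is later deserialized on a follow-up request, is illustrated here with an added example that is not Zoho's code and does not reflect the actual FileStorage implementation. It assumes a Java runtime (9 or later, for ObjectInputFilter); the class and method names are invented, and the serialized HashMap is a constructed stand-in for an unexpected upload.

```java
import java.io.*;
import java.nio.file.*;

// Hypothetical file-backed store: reads back a previously uploaded file,
// first in the unsafe form the article describes, then in a hardened form.
public class UploadedObjectStore {

    // Unsafe pattern: the bytes uploaded earlier are deserialized as-is on
    // the follow-up request, so the uploader decides which classes are built.
    static Object readUnsafe(Path uploaded) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(uploaded))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an explicit allowlist of classes plus depth and size
    // caps; any other class is rejected before its readObject() can run.
    static Object readFiltered(Path uploaded) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;maxbytes=65536;"
            + "java.lang.String;java.lang.Integer;!*");   // "!*" rejects everything not listed
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(uploaded))) {
            in.setObjectInputFilter(filter);
            return in.readObject();   // InvalidClassException on a rejected class
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a serialized HashMap standing in for an unexpected upload.
        Path tmp = Files.createTempFile("upload", ".ser");
        try (ObjectOutputStream out = new ObjectOutputStream(Files.newOutputStream(tmp))) {
            out.writeObject(new java.util.HashMap<String, String>());
        }
        System.out.println("unsafe read reconstructed: " + readUnsafe(tmp).getClass().getName());
        try {
            readFiltered(tmp);
            System.out.println("filtered read unexpectedly accepted the object");
        } catch (InvalidClassException e) {
            System.out.println("filtered read rejected the upload: " + e.getMessage());
        }
        Files.delete(tmp);
    }
}
```

The allowlist form is the check a defender would want in any code path that deserializes stored user input; a log line on each rejection also gives detection teams a signal that a crafted upload was attempted.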
