
Digital Defense is disclosing multiple vulnerabilities in various ManageEngine applications, discovered by our Vulnerability Research Team (VRT). We commend ManageEngine for their prompt response to the identified flaws and their engineering team’s work with VRT to provide fixes for these security issues.

ManageEngine has provided patches for each of the vulnerabilities identified on the applications. The patched applications can be downloaded from ManageEngine’s website.

Clients who currently use Digital Defense’s Frontline Vulnerability Manager™ platform can sweep for the presence of these issues by performing a full vulnerability assessment scan or by selecting the CVCs ManageEngine OpManager Multiple Vulnerabilities (123568) and ManageEngine ServiceDesk Plus Remote Code Execution (123594).

Details of the vulnerabilities are as follows:

Summary:

DDI-VRT-2018-01 – Unauthenticated File Upload via /servlets/CmClientUtilServlet

DDI-VRT-2018-02 – Unauthenticated Blind SQL Injection via /servlets/RegisterAgent

DDI-VRT-2018-03 – Unauthenticated Blind SQL Injection via /servlets/StatusUpdateServlet and /servlets/AgentActionServlet

DDI-VRT-2018-04 – Multiple Unauthenticated Blind SQL Injections via /embedWidget

DDI-VRT-2018-05 – Unauthenticated XML External Entity Injection via /SNMPDiscoveryURL

DDI-VRT-2018-06 – Unauthenticated Blind SQL Injection via /unauthenticatedservlets/ELARequestHandler and /unauthenticatedservlets/NPMRequestHandler

DDI-VRT-2018-07 – User Enumeration via /servlets/ConfServlet

Details:

Vulnerability: Unauthenticated File Upload via /servlets/CmClientUtilServlet

Impact: Remote code execution as SYSTEM when running on Windows; full host compromise.

Application/Version Affected:

ServiceDesk Plus MSP 9.3 (Build 9302)

ServiceDesk Plus 9.3 (Build 9328)

Details: CmClientUtilServlet can be accessed without authentication. If the “command” request parameter is set to “addAttachmentInfo”, the “addAttachmentInfo” method is called. This method does not check whether the “TYPE” request parameter contains a directory traversal sequence before using it in the path of the newly created file. The value of this parameter is also passed to the “addAttachments” method of the com.adventnet.servicedesk.kbase.util.AttachmentUtil class, which in turn calls the “moveAttachments” method of the same class. “moveAttachments” uses the value of the “TYPE” request parameter in the destination path, which can be leveraged to write the uploaded file to a remotely accessible directory. Additionally, since none of these methods check the file extension, this can be leveraged to upload a JSP web shell that can be used to run commands as SYSTEM, fully compromising the host running the ServiceDesk Plus application.
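The two checks whose absence is described above, an allow-list on the “TYPE” category plus a containment check on the final path, and a block on server-executable extensions, as an added example written for this advisory (Java 9+, not ManageEngine's code; the class name, the attachment root and the category name “Request” are assumptions):

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical replacement for the unchecked "TYPE" handling described above (not ManageEngine's code).
public final class AttachmentPathCheck {
    // Allow-list for the "TYPE" category: traversal sequences and separators never reach the path.
    private static final Pattern SAFE_TYPE = Pattern.compile("[A-Za-z0-9_]{1,32}");
    // Server-executable extensions that must never be written under a web-served directory.
    private static final Set<String> EXECUTABLE_EXT = Set.of("jsp", "jspx", "jspf", "jsw", "jsv", "war");

    /** Returns the destination for an upload, or throws if TYPE or the file name is unsafe. */
    public static Path resolveDestination(Path attachmentRoot, String type, String clientFileName) {
        if (type == null || !SAFE_TYPE.matcher(type).matches()) {
            throw new IllegalArgumentException("rejected TYPE value");
        }
        // Keep only the last element of the client name; '\' counts as a separator too (Windows clients).
        String base = clientFileName == null ? "" : clientFileName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            throw new IllegalArgumentException("rejected file name");
        }
        int dot = base.lastIndexOf('.');
        String ext = dot < 0 ? "" : base.substring(dot + 1).toLowerCase(java.util.Locale.ROOT);
        if (EXECUTABLE_EXT.contains(ext)) {
            throw new IllegalArgumentException("executable content is not an allowed attachment type");
        }
        Path root = attachmentRoot.toAbsolutePath().normalize();
        Path dest = root.resolve(type).resolve(base).normalize();
        // Defence in depth: after the allow-list checks, confirm the final path is still inside the root.
        if (!dest.startsWith(root)) {
            throw new SecurityException("destination escapes attachment root");
        }
        return dest;
    }

    public static void main(String[] args) {
        Path root = Paths.get("attachments");  // constructed sample root under the working directory
        System.out.println(resolveDestination(root, "Request", "invoice.pdf"));
        String[][] rejected = {{"../../webapps/ROOT", "notes.txt"}, {"Request", "page.jsp"}};
        for (String[] r : rejected) {
            try {
                resolveDestination(root, r[0], r[1]);
            } catch (RuntimeException e) {
                System.out.println("rejected " + r[0] + "/" + r[1] + ": " + e.getMessage());
            }
        }
    }
}
```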

Vulnerability: Unauthenticated Blind SQL Injection via /servlets/RegisterAgent

Impact: Blind SQL injection can be leveraged to fully compromise the ManageEngine application and the host running the application.

Application/Version Affected:

OpManager 12.3 (Build 123002)

Firewall Analyzer 12.3 (Build 12.3.008)

Network Configuration Manager 12.3 (Build 12.3.008)

OpUtils 12.3 (Build 12.3.005)

NetFlow Analyzer 12.3 (Build 12.3.009)

Details: The com.manageengine.opmanager.agent.servlets.RegisterAgent class passes the GET request parameters to the doRegister method of the com.manageengine.opmanager.agent.RegisterAgentImpl class. The doRegister method passes the monagentID parameter to the getAgentKeyForHostName method of the com.manageengine.opmanager.agent.utils.AgentDetailsUtil class. The getAgentKeyForHostName method inserts the user-controlled value of monagentID directly into a SQL query without any sanitization.

Vulnerability: Unauthenticated Blind SQL Injection via /servlets/StatusUpdateServlet and /servlets/AgentActionServlet

Impact: Blind SQL injection can be leveraged to fully compromise the ManageEngine application and the host running the application.

Application/Version Affected:

OpManager 12.3 (Build 123002)

Firewall Analyzer 12.3 (Build 12.3.008)

Network Configuration Manager 12.3 (Build 12.3.008)

OpUtils 12.3 (Build 12.3.005)

NetFlow Analyzer 12.3 (Build 12.3.009)

Details: The com.manageengine.opmanager.agent.servlets.StatusUpdateServlet class passes the GET parameters to the updateAgentStatus method of the com.manageengine.opmanager.agent.AgentStatusHandler class. This method passes the agentKey GET parameter to the getDeviceNameForAgentKey method of the com.manageengine.opmanager.agent.utils.AgentDetailsUtil class which uses it directly in a SQL query without any sanitization. The getDeviceNameForAgentKey method can also be exploited via the com.manageengine.opmanager.agent.servlets.AgentActionServlet class if the “operation” request parameter is set to triggerFileMonitoringAlert.

Vulnerability: User Enumeration via /servlets/ConfServlet

Impact: Username and information disclosure.

Application/Version Affected:

OpManager 12.3 (Build 123002)

Firewall Analyzer 12.3 (Build 12.3.008)

Network Configuration Manager 12.3 (Build 12.3.008)

OpUtils 12.3 (Build 12.3.005)

NetFlow Analyzer 12.3 (Build 12.3.009)

Details: The ConfServlet class can be accessed via requests sent to /servlets/ConfServlet. If the DATA_REG query parameter is set to NOCUSER, the handleNocUserDetail method is called and will return a serialized Java HashMap containing local authentication user information, such as usernames, email addresses and phone numbers.

Vulnerability: Multiple Unauthenticated Blind SQL Injections via /embedWidget

Impact: Blind SQL injection can be leveraged to fully compromise the ManageEngine application and the host running the application.

Application/Version Affected:

OpManager 12.3 (Build 123002)

Firewall Analyzer 12.3 (Build 12.3.008)

Network Configuration Manager 12.3 (Build 12.3.008)

OpUtils 12.3 (Build 12.3.005)

NetFlow Analyzer 12.3 (Build 12.3.009)

Details: The com.manageengine.opmanager.servlet.EmbedAPIServlet class handles requests sent to /embedWidget and calls different classes and methods depending on the value of the methodCall HTTP request parameter. If the methodCall parameter is set to getBusinessViewDeviceList, EmbedAPIServlet will call the getBusinessViewDeviceList method of the com.adventnet.me.opmanager.server.api.handler.BusinessViewApiHandler class. This method then passes the value of the bvName request parameter to the getDeviceListByBV method of the APIDBUtil class where it’s used in a SQL query. If the methodCall parameter is set to getWidgetDeviceListForVendor, EmbedAPIServlet will call the getWidgetDeviceListForVendor method of the com.adventnet.me.opmanager.server.api.handler.DashboardApiHandler class. The getWidgetDeviceListForVendor method passes the value of the vendorid request parameter to the getWidgetDeviceListForVendor method of the APIDBUtil class where it’s used in a SQL query. If the methodCall parameter is set to GMapDetails, EmbedAPIServlet will call the GMapDetails method of the MapsApiHandler class. The GMapDetails method passes the value of the deviceType and deviceName request parameters to the getGMapObjects method of the APIDBUtil class where they’re used in a SQL query. No sanitization is performed on the vulnerable parameters before they’re used directly in a SQL query.

Vulnerability: Unauthenticated XML External Entity Injection via /SNMPDiscoveryURL

Impact: Information disclosure.

Application/Version Affected:

OpManager 12.3 (Build 123002)

Firewall Analyzer 12.3 (Build 12.3.008)

Network Configuration Manager 12.3 (Build 12.3.008)

OpUtils 12.3 (Build 12.3.005)

NetFlow Analyzer 12.3 (Build 12.3.009)

Details: The SNMPDiscoveryServlet accepts POST requests whose body is expected to be XML. The POST requests are handled by the doGet method, which reads the request body and attempts to parse it with the DocumentBuilderFactory class without first disallowing doctype declarations. Because doctypes are allowed, external entities declared in the request body are resolved, which can allow an attacker to retrieve the contents of files on the host running ManageEngine OpManager.
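A DocumentBuilderFactory configured so that any doctype declaration fails the parse, which is the hardening the passage above says was missing, as an added illustration written for this advisory (not ManageEngine's code; the class name and the two sample request bodies are constructed):

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Hypothetical hardened replacement for the parsing step described above (not ManageEngine's code).
public final class HardenedXmlParser {
    /** Builds a DocumentBuilderFactory that refuses DOCTYPEs, so no entity can be declared or fetched. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: any <!DOCTYPE ...> makes the parse fail, which closes the whole XXE class.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that do not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP 1.5 properties; the JDK's built-in parser supports them (others may throw here).
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Parses a request body; returns null when the document is rejected or malformed. */
    public static Document parseBody(String body) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            return db.parse(new InputSource(new StringReader(body)));
        } catch (SAXParseException e) {
            return null;  // DOCTYPE present or bad XML: treat as a bad request, log it and drop it
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bodies: a plain discovery request and one that carries a DOCTYPE.
        String plain = "<discovery><range>192.0.2.0/24</range></discovery>";
        String withDoctype = "<!DOCTYPE d [<!ENTITY e \"inline text\">]><discovery>&e;</discovery>";
        System.out.println("plain body accepted:   " + (parseBody(plain) != null));
        System.out.println("DOCTYPE body accepted: " + (parseBody(withDoctype) != null));
    }
}
```

Even the harmless inline entity in the second body is refused, because the doctype itself is the thing being rejected; that is what makes the single feature flag sufficient on its own.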

Vulnerability: Unauthenticated Blind SQL Injection via /unauthenticatedservlets/ELARequestHandler and /unauthenticatedservlets/NPMRequestHandler

Impact: Blind SQL injection can be leveraged to fully compromise the ManageEngine application and the host running the application.

Application/Version Affected:

OpManager 12.3 (Build 123002)

Firewall Analyzer 12.3 (Build 12.3.008)

Network Configuration Manager 12.3 (Build 12.3.008)

OpUtils 12.3 (Build 12.3.005)

NetFlow Analyzer 12.3 (Build 12.3.009)

Details: The com.adventnet.me.eventlog.ELARequestHandler servlet calls the getThemeForUser method when the “action” parameter is set to getTheme. The getThemeForUser method then calls the getThemeForUserName method of the OpManagerDBUtil class and passes it the value of the userName parameter from the GET request. The getThemeForUserName method then uses the value of userName directly in a SQL query. The same path to getThemeForUserName is also reachable via /unauthenticatedservlets/NPMRequestHandler.
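Every SQL injection in this advisory (DDI-VRT-2018-02, -03, -04 and -06) has the same shape: a request parameter is concatenated into query text. The following added example, written for this advisory and not ManageEngine's code, places that shape beside the bound-parameter form that removes it; the table, column and class names are assumptions, and an open JDBC Connection (driver on the classpath) is assumed.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Hypothetical lookup modelled on getAgentKeyForHostName (the table, column and key names are
// assumptions, not ManageEngine's schema). It expects an already-open JDBC Connection.
public final class AgentKeyLookup {
    /** The vulnerable shape the advisory describes: the request parameter becomes part of the SQL text. */
    public static String agentKeyUnsafe(Connection conn, String monagentId) throws SQLException {
        String sql = "SELECT agent_key FROM agent_details WHERE agent_id = '" + monagentId + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    /** The fix: a bound parameter travels as data and is never re-parsed as SQL, whatever it contains. */
    public static String agentKeySafe(Connection conn, String monagentId) throws SQLException {
        // Binding alone removes the injection; the length check is a cheap extra guard because
        // legitimate agent identifiers are short, and it also keeps oversized probes out of the DB.
        if (monagentId == null || monagentId.length() > 64) {
            return null;
        }
        String sql = "SELECT agent_key FROM agent_details WHERE agent_id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, monagentId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    /** Usage: java AgentKeyLookup <jdbc-url> <monagentID>, with a JDBC driver on the classpath. */
    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(args[0])) {
            System.out.println("agent key: " + agentKeySafe(conn, args[1]));
        }
    }
}
```

The same substitution applies to agentKey, bvName, vendorid, deviceType, deviceName and userName in the other findings: each becomes a `?` placeholder bound with setString rather than a string fragment.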