ManageEngine ServiceDesk Plus MSP < 13.0 Build 13001 RCE

critical Nessus Plugin ID 176856

Synopsis

The remote web server hosts an application that is affected by a remote code execution vulnerability.

Description

A remote code execution vulnerability exists in ManageEngine ServiceDesk Plus MSP prior to 13.0 Build 13001 because it uses Apache xmlsec (aka XML Security for Java) 1.4.1. In that version, the xmlsec XSLT features, by design, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to ManageEngine ServiceDesk Plus MSP version 13.0 Build 13001 or later.

See Also

http://www.nessus.org/u?5404a809

http://www.nessus.org/u?ceac193b

Plugin Details

Severity: Critical

ID: 176856

File Name: manageengine_servicedesk_msp_13001_rce.nasl

Version: 1.6

Type: remote

Family: CGI abuses

Published: 6/7/2023

Updated: 12/5/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-47966

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:zohocorp:manageengine_servicedesk_plus_msp

Required KB Items: installed_sw/manageengine_servicedesk

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/27/2022

Vulnerability Publication Date: 1/18/2023

CISA Known Exploited Vulnerability Due Dates: 2/13/2023

Exploitable With

Core Impact

Metasploit (ManageEngine Endpoint Central Unauthenticated SAML RCE)

Reference Information

CVE: CVE-2022-47966