ManageEngine Desktop Central NativeAppServlet UDID JSON RCE

Nessus Plugin ID 81704 (Critical)

Synopsis

The remote web server hosts a Java web application that is affected by a remote code execution vulnerability.

Description

The version of ManageEngine Desktop Central MSP installed on the remote host is affected by a remote code execution vulnerability because NativeAppServlet does not properly sanitize the contents of submitted JSON objects (the UDID value referenced in the plugin title) before processing them. An unauthenticated remote attacker can exploit this by sending a crafted JSON object to execute arbitrary code on the host.

Solution

Upgrade to ManageEngine Desktop Central MSP 9 Build 90075 or later.
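The fix boundary above is a single build number (MSP 9 Build 90075), so the practical check is whether a host runs the MSP edition at a lower build. The following is an added example, not Nessus plugin code and not ManageEngine code: it parses build numbers out of inventory version strings and sorts hosts into affected, patched and unknown. The version-string shapes, the host names and the inventory itself are constructed for illustration; the plugin's own detection logic is not reproduced here.

```python
import re
from typing import Optional

# Fixed build from this plugin's Solution section: Desktop Central MSP 9 Build 90075.
FIXED_BUILD = 90075

# Assumed shapes of the version strings an inventory might carry, e.g.
# "9.0 Build 90063", "Build 90075" or a bare "90112". This is not a documented
# vendor format; adjust the pattern to whatever your inventory actually records.
_BUILD_RE = re.compile(r"(?:build\s*)?(\d{4,6})\s*$", re.IGNORECASE)


def parse_build(version: str) -> Optional[int]:
    """Return the numeric build found at the end of a version string, or None."""
    match = _BUILD_RE.search(version.strip())
    return int(match.group(1)) if match else None


def is_affected(edition: str, version: str) -> Optional[bool]:
    """
    True  -> MSP edition below build 90075 (affected per this plugin's Solution)
    False -> MSP edition at or above build 90075
    None  -> not the MSP edition this plugin covers, or build not determinable
    """
    if edition.strip().lower() != "msp":
        return None  # other editions are outside what this plugin states
    build = parse_build(version)
    if build is None:
        return None  # do not silently treat an unparsable string as patched
    return build < FIXED_BUILD


def triage(inventory: list[dict]) -> dict[str, list[str]]:
    """Bucket inventory rows (host, edition, version) by affected status."""
    result: dict[str, list[str]] = {"affected": [], "patched": [], "unknown": []}
    for row in inventory:
        status = is_affected(row["edition"], row["version"])
        bucket = "unknown" if status is None else ("affected" if status else "patched")
        result[bucket].append(row["host"])
    for names in result.values():
        names.sort()
    return result


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = [
    {"host": "dc-msp-01.example.test", "edition": "MSP", "version": "9.0 Build 90063"},
    {"host": "dc-msp-02.example.test", "edition": "MSP", "version": "9 Build 90075"},
    {"host": "dc-ent-01.example.test", "edition": "Enterprise", "version": "9 Build 90063"},
    {"host": "dc-msp-03.example.test", "edition": "MSP", "version": "version unavailable"},
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in the unknown bucket (non-MSP edition, or a version string that yields no build number) need a manual look rather than being counted as patched; a build that is exactly 90075 is treated as fixed, matching the "90075 or later" wording of the Solution.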

See Also

https://www.zerodayinitiative.com/advisories/ZDI-14-420/

Plugin Details

Severity: Critical

ID: 81704

File Name: manageengine_desktop_central_msp_build_90075_json_rce.nasl

Version: 1.6

Type: remote

Family: CGI abuses

Published: 3/9/2015

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:zohocorp:manageengine_desktop_central

Required KB Items: installed_sw/ManageEngine Desktop Central

Exploit Ease: No known exploits are available

Patch Publication Date: 12/11/2014

Vulnerability Publication Date: 12/11/2014

Reference Information

CVE: CVE-2014-9371

BID: 71641