Detections
Analytics
ManageEngine Desktop Central 8 / 9 < Build 91100 Multiple RCE
critical Nessus Plugin ID 90192
Language:
Synopsis
The remote web server contains a Java-based web application that is affected by multiple remote code execution vulnerabilities.Description
The ManageEngine Desktop Central application running on the remote host is version 8, or else version 9 prior to build 91100. It is, therefore, affected by multiple remote code execution vulnerabilities :- A flaw exists in the statusUpdate script due to a failure to properly sanitize user-supplied input to the 'fileName' parameter. An unauthenticated, remote attacker can exploit this, via a crafted request to upload a PHP file that has multiple file extensions and by manipulating the 'applicationName' parameter, to make a direct request to the uploaded file, resulting in the execution of arbitrary code with NT-AUTHORITY\SYSTEM privileges. (CVE-2015-82001)
- An unspecified flaw exists in various servlets that allow an unauthenticated, remote attacker to execute arbitrary code. No further details are available.
Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to ManageEngine Desktop Central version 9 build 91100 or later.See Also
Plugin Details
Severity: Critical
ID: 90192
File Name: manageengine_desktop_central_91100.nasl
Version: 1.7
Type: remote
Family: CGI abuses
Published: 3/25/2016
Updated: 11/19/2019
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: High
Score: 7.3
CVSS v2
Risk Factor: Critical
Base Score: 10
Temporal Score: 8.3
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Vulnerability Information
CPE: cpe:/a:zohocorp:manageengine_desktop_central
Required KB Items: installed_sw/ManageEngine Desktop Central
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 12/12/2015
Vulnerability Publication Date: 12/14/2015
Reference Information
CVE: CVE-2015-82001
TRA: TRA-2015-07