Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Manage Engine Asset Explorer Agent - Integer Overflow

High

Synopsis

Due to the Asset Explorer agent not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address. This will allow an attacker to send a NEWSCAN request to a listening agent on the network as well as receive the agent's HTTP request verifying its authtoken. In httphandler.cpp, the agent reaching out over HTTP is vulnerable to an Integer Overflow, which can be turned into a Heap Overflow allowing for remote code execution as NT AUTHORITY/SYSTEM on the agent machine. The Integer Overflow occurs when receiving POST response from the Manage Engine server, and the agent calling "HttpQueryInfoW" in order to get the "Content-Length" size from the incoming POST request. This size is taken, but multiplied to a larger amount. If an attacker specifies a Content-Length size of 1073741823 or larger, this integer arithmetic will wrap the value back around to smaller integer, then calls "calloc" with this size to allocate memory. The following API "InternetReadFile" will copy the POST data into this buffer, which will be too small for the contents, and cause heap overflow.

Disclosure Timeline

03/16/2021 - Tenable discloses issue
04/08/2021 - Tenable follows up, asking if ME is able to confirm issue
04/21/2021 - Tenable follows up asking for updates.
05/21/21 - ManageEngine explains bugs are still being worked on, will update when patches released
5/10/2021 - ManageEngine asks to delay disclosure by two months
5/11/2021 - Tenable offers a two week delay to disclosures due to extenuating circumstances.
5/25/2021 - Tenable follows up on issue
6/1/2021 - ManageEngine replies that issues should be patched by two week extended disclosure dates
6/17/2021 - Tenable requests status update. ManageEngine states that fixes are complete and patches are waiting for release.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

CVE ID: CVE-2021-20110
Tenable Advisory ID: TRA-2021-31
Credit:
David Wells
CVSSv2 Base / Temporal Score:
9.3 / 9.3
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:C/I:C/A:C
Affected Products:
Manage Engine Asset Explorer Agent version 1.0.34
Risk Factor:
High

Advisory Timeline

July 16, 2021 - Initial release