Synopsis
Tenable uncovered a handful of new vulnerabilities in ManageEngine ServiceDesk. This is not Tenable's first go around with ManageEngine ServiceDesk. If you look at our previous advisory you'll see that it took nearly two years to resolve a reflected XSS vulnerability.
A number of months ago, Tenable decided to switch to a 90-day disclosure policy. That seems reasonable to us. It has now been 383 days since ManageEngine acknowledged the vulnerabilities in this advisory. The most egregious of which remain unfixed.
CVE-2017-11511: Arbitrary File Download - No Fix as of 9.3.9328
ServiceDesk provides an endpoint for unauthenticated remote users to download files at /fos-agent/repl/download-file. This endpoint requires a couple of parameters: basedir and filepath. The basedir parameter is a number 1-4. The values correspond to the following directories (on Windows):- C:\ManageEngine\ServiceDesk\bin\..\fileAttachments
- C:\ManageEngine\ServiceDesk\bin\..\inlineimages
- C:\ManageEngine\ServiceDesk\bin\..\archive
- C:\ManageEngine\ServiceDesk\bin\..\..\ServiceDesk
http://192.168.1.200:8080/fosagent/repl/download-file?basedir=4&filepath=pgsql\data\pg_log\pgsql_Wed.logHowever, that appears to be working as intended. I have to assume that path traversal is not intended behavior though.
http://192.168.1.200:8080/fosagent/repl/download-file?basedir=4&filepath=..\..\Windows\win.ini
We have assigned this CVE-2017-11511. This was assigned SD-64424 by ManageEngine back in October of 2016 yet remains unfixed.
CVE-2017-11512: Arbitrary File Download - No Fix as of 9.3.9328
ServiceDesk provides an interface for unauthenticated remote users to download snapshots at /fosagent/repl/download-snapshot. This endpoint takes one parameter, name, which is supposed to correspond to the snapshot that you'd like to download. Due to the lack of validation an attacker can use name to traverse directories and download arbitrary files.
http://192.168.1.200:8080/fosagent/repl/download-snapshot?name=..\..\..\..\..\..\..\Windows\win.ini
We have assigned this CVE-2017-11512. This was assigned SD-64424 by ManageEngine back in October of 2016 yet remains unfixed.
Various Fixed Authenticated Stored XSS
Fixed in 9.3.9139, an authenticated user could store arbitrary HTML/Javascript in the Job Title field for a Technician via SetupWizard.do.
Fixed in 9.2.9241, an authenticated user could store arbitrary HTML/Javascript in the Name of an Asset Group via GroupResourcesDef.do.
Fixed in 9.2.9241, an authenticated user could store arbitrary HTML/Javascript in the Name of an Asset Group via ContractDef.do.
Fixed in 9.2.9237, an authenticated user could store arbitrary HTML/Javascript in the Contract ID of a Contract via TaskDetails.cc.
Solution
As of 9.3.9328, no patch exists for the arbitrary file download vulnerabilities. All of the XSS vulnerabilities have been patched as of 9.3.9139.Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]
Contact our sales team