CVE-2020-11532
Published: 2020-05-08
Priority P182, critical, 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 77.48% (99.5th percentile)
Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. This allows an attacker to bypass authentication for this server and execute all operations in the context of admin user.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_adaudit_plus | < 6.0.3 | 6.0.3 |
| zohocorp | manageengine_datasecurity_plus | < 6.0.1 | 6.0.1 |
Detection & IOCs
- Detect unauthenticated or default-credential connections to the DataEngine Xnode server (ManageEngine DataSecurity Plus / ADAudit Plus). The Xnode server accepts queries using default admin credentials, allowing full data repository enumeration without prior authentication.
- Monitor for bulk enumeration/dump queries against Xnode data repositories (tables), especially from external or unexpected source IPs, as exploitation involves iterating all known data repositories and fields.
- Flag use of default admin credentials against the DataEngine Xnode server. Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with the Xnode server, which an attacker can leverage to bypass authentication entirely.
- The same Xnode default-credential attack pattern applies to ManageEngine ADAudit Plus versions prior to 6.0.3 (build 6032). Detections should cover both products on their respective Xnode listener ports.
- The Metasploit module accepts a CONFIG_FILE option to specify which data repositories and fields to enumerate. Detections based solely on known repository/field names may miss attacks using custom or DUMP_ALL configurations.
- The module can also be used against patched versions if valid (non-default) credentials are supplied, meaning patching alone does not eliminate the attack surface if credentials are known or weak.
CVSS provenance
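| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |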
No detection rules found.
Metasploit
ManageEngine ADAudit Plus Xnode Enumeration
This module exploits default admin credentials for the DataEngine Xnode server in ADAudit Plus versions prior to 6.0.3 (6032) in order to dump the contents of Xnode data repositories (tables), which may contain (a limited amount of) Active Directory information including domain names, host names, usernames and SIDs. This module can also be used against patched ADAudit Plus versions if the correct credentials are provided. By default, this module dumps only the data repositories and fields (columns) specified in the configuration file (set via the CONFIG_FILE option). The configuration file is also used to add labels to the values sent by Xnode in response to a query. It is also possible to use the DUMP_ALL option to obtain all data in all known
Metasploit
ManageEngine DataSecurity Plus Xnode Enumeration
This module exploits default admin credentials for the DataEngine Xnode server in DataSecurity Plus versions prior to 6.0.1 (6011) in order to dump the contents of Xnode data repositories (tables), which may contain (a limited amount of) Active Directory information including domain names, host names, usernames and SIDs. This module can also be used against patched DataSecurity Plus versions if the correct credentials are provided. By default, this module dumps only the data repositories and fields (columns) specified in the configuration file (set via the CONFIG_FILE option). The configuration file is also used to add labels to the values sent by Xnode in response to a query. It is also possible to use the DUMP_ALL option to obtain all dat
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/157609/ManageEngine-DataSecurity-Plus-Authentication-Bypass.html
- http://seclists.org/fulldisclosure/2020/May/28
- https://pitstop.manageengine.com/portal/community/topic/upgrade-datasecurity-plus-to-the-build-6013-to-fix-security-issues