CSW discovers a new zero day in ZOHO CRM Lead Magnet!

CISA & FBI : Zoho Flaws Being Actively Exploited, Patch Now

Posted on 5th Oct, 2021 | By Pavithra Shankar

The FBI, CISA, and the Cyber Guard (CGCYBERs) warned of a serious vulnerability (CVE-2021-40539) in a single Zoho Signup and Password Management Solution that State Advanced Persistent Threat (APT) actors are actively scanning the internet for vulnerable servers.

Zoho discovered a zero day vulnerability existing in the Zoho ManageEngine ADSelfService Plus software - a password management solution that might allow threat actors to take control of the system. Handed the label CVE-2021-40539, the bug has a severity rating of 9.8 out of 10, and is a remote code execution flaw. 

 

On September 06, 2021, a patch was released for this critical remote code execution flaw. More specifically, this vulnerability is an authentication bypass issue that can affect the REST API URLs in ADSelfService Plus. Organizations using Zoho ManageEngine ADSelfService that haven't yet applied a patch are at heightened risk of compromise. 

 

Attackers Aiming for Unpatched Servers

 

CISA’s advisory notice makes it explicit, stating that CVE-2021-40539 has been identified as being exploited in the wild. Proper exploitation of this issue might lead to a serious threat to critical infrastructure in organizations that use the servers. 

 

According to researchers at security firm Crowdstrike, CVE-2021-40539 has been under attack for more than a week even before the attacks against Confluence Servers began.

The Port of Houston, a vital piece of Gulf Coast infrastructure, recently disclosed that it had successfully fought against an attempted breach in August and no functional data or systems were affected. Officials suspect that nation-state actors are behind the hack that involves ManageEngine ADSelfService Plus. Therefore, patching the Zoho Servers are crucial at the moment. 

 

Highlighting Facts of the Issue

 

  • This vulnerability is categorized as CWE-287 (Improper Authentication) that holds a fourteenth place in the 2021 CWE Top 25 Most Dangerous Software Weaknesses and listed in OWASP Top 10 for 2021 under A07 Category.

  • “Three out of five Fortune 500 companies” use Zoho, including Apple, Intel, Nike, PayPal, HBO, and many others.

  • Since August 2021, APTs have been exploiting this flaw as part of their attacks.

  • There are more than 11,000 Zoho ManageEngine servers accessible over the Internet.

  • All the popular scanners such as Nessus, Qualys and Nexpose were able to detect this vulnerability.

  • An attacker can use webshells to execute actions including compromising administrator credentials, lateral movement, and exfiltrating registry hives and Active Directory data after successfully exploiting the vulnerability.

  • This CVE is seen trending in Canada, India, and the United States.

CVE-2021-40539 Trending Regions

 

The fact that APT groups are actively exploiting CVE-2021-40539 flaw serves as a warning about the possibility for exposure. Therefore, before these extortion groups seek exploitation for ransomware and APT activities continuing the trends, we recommend all Zoho users to apply the latest patches to ADSelfService Plus build 6114 or later. 

 

Fifth Zero Day

 

CVE-2021-40539 is the fifth security flaw discovered in ManageEngine ADSelfService Plus since the beginning of the year. In March 2021, a fourth vulnerability, CVE-2021-28958 (CVSS score: 9.8), was patched while three weaknesses have been fixed in recent updates: CVE-2021-37421 (CVSS score: 9.8), CVE-2021-37417 (CVSS score: 9.8), and CVE-2021-33055 (CVSS score: 9.8). 

 

2021 Zoho Vulnerabilities Impacted Versions
CVE-2021-40539 6113
CVE-2021-37421 6103 and earlier
CVE-2021-37417 6103 and earlier
CVE-2021-33055 6102
CVE-2021-28958 6101


Indicator of Compromise

 

The following identification of IoCs were outlined by CISA.

 

Hashes

068d1b3813489e41116867729504c40019ff2b1fe32aab4716d429780e666324

49a6f77d380512b274baff4f78783f54cb962e2a8a5e238a453058a351fcfbba

File Paths

C:\ManageEngine\ADSelfService Plus\webapps\adssp\help\admin-guide\reports\ReportGenerate.jsp

C:\ManageEngine\ADSelfService Plus\webapps\adssp\html\promotion\adap.jsp

C:\ManageEngine\ADSelfService Plus\work\Catalina\localhost\ROOT\org\apache\jsp\help

C:\ManageEngine\ADSelfService Plus\jre\bin\SelfSe~1.key (filename varies with an epoch timestamp of creation, extension may vary as well)

C:\ManageEngine\ADSelfService Plus\webapps\adssp\Certificates\SelfService.csr

C:\ManageEngine\ADSelfService Plus\bin\service.cer

C:\Users\Public\custom.txt

C:\Users\Public\custom.bat

C:\ManageEngine\ADSelfService Plus\work\Catalina\localhost\ROOT\org\apache\jsp\help (including subdirectories and contained files)

WebShell URL Paths

/help/admin-guide/Reports/ReportGenerate.jsp

/html/promotion/adap.jsp

 

Fix with a Patch

 

Zoho Manage Engine has created an exclusive tool to evaluate if an ADSelfService Plus installation is vulnerable to the authentication bypass flaw. Users may also manually verify if your installation has been compromised by following the steps listed in Zoho advisory. Additionally, the FBI, CISA, and CGCYBER highly advise the Zoho users to apply domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets.

 

All ADSelfService Plus builds up to 6113 were found vulnerable to the issue and customers are advised to immediately update ADSelfService Plus to build 6114 or later.

 

Unsure if there are any gaps in your security that can lead to a cyber attack?

We can help shrink your attack surface. Talk to us!

Test your defense to know how secure you are…