If an attacker knows the internal hostname, he can exploit this issue to gain access to the server. For example, a remote attacker can use a web crawler to find out the internal hostname, and then use a password cracker to try to access the server. Our testing shows that Zoho ManageEngine Desktop Central before 10.1.2137.8 does not sanitize the server name before displaying it in user interface elements. As a result, a remote attacker can exploit this issue to gain access to the server. - In Internal Hostname field of Server Details page, there is no validation of server name to prevent internal servers from being displayed. - Internal Hostname can be discovered by reading HTTP redirect responses. - Internal Hostname can be brute forced. - Any user with access to the server can gain access to the server. In the previous Zoho ManageEngine Desktop Central 10.1 versions, Zoho ManageEngine Desktop Central allows the internal hostname to be configured by the user. However, in the new 10.1.2137.8 version, it is configured by default to be set to the server hostname. This means that if the server is configured to be internal, it will now be shown as internal by default.

Solution:

Zoho ManageEngine Desktop Central 10.1.2137.8
In order to prevent this issue from occurring, Zoho ManageEngine Desktop Central 10.1.2137.8 has been updated with a patch for CVE-2022-23779 which is described in the solution below:
In Internal Hostname field of Server Details page, there is no validation of server name to prevent internal servers from being displayed. - Internal Hostname can be discovered by reading HTTP redirect responses. - Internal Hostname can be brute forced. In the previous Zoho ManageEngine Desktop Central 10.1 versions, Zoho ManageEngine Desktop Central allows the internal hostname to be configured by the user. However, in the new 10.1.2137 version, it is configured by default to be set to the server hostname.

What is Zoho ManageEngine Desktop Central?

Zoho ManageEngine Desktop Central is a desktop management software solution for IT administrators. It provides an easy-to-use interface to manage systems, servers, and devices on your computer, laptop or server.

How to find out the internal hostname

- The Internal Hostname is not validated before displaying it in the server details page. - To find out the Internal Hostname, a user can read HTTP response code. - A brute force attack on the internal hostname may be possible. - Any user with access to the server can access it due to the new hostname setting

Internal Hostnames are displayed in Server Details page of Zoho ManageEngine Desktop Central 10.1.2137.8
The vulnerability CVE-2022-23779 is found on Zoho ManageEngine Desktop Central 10.1 versions and above, where hosts names are configured by default to be set to the server host name. This allows attackers who know this setting can access servers that they should not have access to, such as internal servers that are not supposed to be exposed publicly without authorization or users who may have unauthorized access to the server themselves and can view information about it such as its IP address and host name which could lead them into further trouble with network administrators at other organizations they work for having data leaked or some other type of security breach due to their actions from accessing an unauthorized server or even gaining unauthorized access through brute force attacks on the server's host name.

How to Check if Your System is Affected by CVE-2022-23779?

Zoho ManageEngine Desktop Central before 10.1.2137.8 does not sanitize the server name before displaying it in user interface elements. As a result, a remote attacker can exploit this issue to gain access to the server. In order to check if your system is affected by CVE-2022-23779, please follow the steps below:

1) Open the Server Details page of your Zoho ManageEngine Desktop Central system and view the internal hostname in the Internal Hostname field of Server Details page
2) If you see an IP address there, then your system is affected by CVE-2022-23779 and should be updated immediately.

How to check if your system is vulnerable?

Step 1: Run the following command to determine whether your system is vulnerable or not.
for i in `cat /etc/hosts`; do echo $i; done
Step 2: If your system is vulnerable, you will see a list of internal hosts that are accessible on the server. You can find the list of hosts by running the following command.
for i in `cat /etc/hosts`; do echo "

Timeline

Published on: 03/02/2022 15:15:00 UTC
Last modified on: 03/09/2022 19:01:00 UTC

References