A vulnerability in ManageEngine, which has since been patched, could have let an attacker execute arbitrary code on vulnerable installations on three of its products. (Photo by Ethan Miller/Getty Images)

A researcher earlier this week found a vulnerability in ManageEngine that could potentially let an attacker execute arbitrary code on affected installations of some of its password and access management tools.

Enterprise IT management software ManageEngine has a huge installed base with some 280,000 installations in 190 countries, so security researchers considered the vulnerability a serious event.

GitHub security researcher Alvaro Muñoz wrote in a blog post that because of the use of a vulnerable version of Apache OFBiz, a Java-based open source enterprise resource planning system, remote attackers could have executed arbitrary code on vulnerable installations of ManageEngine’s Password Manager Pro, access management tool PAM360, and Access Manager Plus.

Muñoz reported the vulnerability – CVE-2020-9496 – to ManageEngine on June 21 and it was acknowledged the same day. Muñoz reported that the vulnerability was resolved in a new release issued three days later.

Attackers being able to run arbitrary system commands is as serious as it gets, especially with tools like password management that apply across a large number of systems and applications, said Bud Broomhead, chief executive officer at Viakoo. Broomhead said organizations should patch immediately, and in addition have a plan to assess the damage done either through system data being tampered with or passwords impacted. 

“Having password policy enforced is an issue that many organizations struggle with, and the tools used to do so being vulnerable only makes that situation worse,” Broomhead said. “This should be a call to action for organizations to accelerate their implementation of zero-trust architectures and other methods of replacing passwords as a method of authentication.”

Mike Parkin, senior technical engineer at Vulcan Cyber, said remote code execution bugs are problematic, especially when they don’t require authentication. Parkin said when the vulnerability affects a critical system, like a password management tool, patching needs to happen sooner rather than later.

“It’s somewhat concerning that the vulnerability stems from an issue that was identified, and patched, in 2020, but evidently was not corrected in this application,” Parkin said. “Fortunately, the ManageEngine team responded quickly and there doesn’t seem to be any evidence this was exploited in the wild in spite of the existing PoC against the underlying vulnerability.”