Vexed Researcher Discloses Zoho Zero-Day Vulnerability On Twitter – Patch To Arrive Soon



Heads up, Zoho customers! A zero-day vulnerability exists in the Zoho platform that poses a serious security threat. The disgruntled researcher dropped the bug publicly on Twitter, and a patch isn’t available yet.

Zoho Zero-Day Disclosed On Twitter


Reportedly, security researcher Steven Seeley disclosed a Zoho zero-day vulnerability on Twitter. The bug exists in Zoho’s ManageEngine Desktop Central, and exploiting it allows a remote attacker to execute arbitrary code.

The researcher disclosed the bug publicly since Zoho did not heed their bug reports.

https://twitter.com/steventseeley/status/1235635108498948096

Elaborating on the vulnerability in a separate advisory, the researcher stated that exploiting the flaw requires no authentication. Regarding how the flaw affects the system, the advisory reads:

The specific flaw exists within the FileStorage class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code under the context of SYSTEM.

The advisory rates the vulnerability as critical, with a CVSS score of 9.8. The researcher also shared a PoC exploit for the flaw.

The vulnerability has also been assigned a CVE ID, CVE-2020-10189.

Patch Rolling Out Soon


Since the researcher disclosed the vulnerability publicly instead of following a responsible disclosure process, no patch is currently available. Hence, at present, the bug poses a threat to all users.

Nonetheless, Zoho’s Twitter team has assured users that the bug will be patched shortly.

https://twitter.com/zoho/status/1235811733194682368

ManageEngine Desktop Central has also officially acknowledged the bug in an advisory. It confirms that the flaw affects Desktop Central build 10.0.473 and earlier. While the patch is being prepared, the advisory provides mitigation steps for users.

So, until a fix arrives, users should remain cautious given the risk that the publicly disclosed exploit will be abused.

Let us know your thoughts in the comments.


Posted from my blog with SteemPress: https://latesthackingnews.com/2020/03/09/vexed-researcher-dropped-zoho-zero-day-on-twitter-patch-to-arrive-soon/
