ManageEngine Endpoint Central remote code execution vulnerability (CVE-2020-10189)

This document explains the unauthenticated remote code execution vulnerability in Endpoint Central which was reported by Steven Seeley of Source Incite. The short-term fix for the arbitrary file upload vulnerability was released in build 10.0.474 on January 20, 2020. In continuation of that, the complete fix for the remote code execution vulnerability is now available in build 10.0.479.

Note: This vulnerability does not impact Secure Gateway Server. Customers using builds that include the short-term fix are not vulnerable to this exploit.

What was the problem?

This vulnerability could allow remote attackers to execute arbitrary code on affected installations of Endpoint Central. Authentication is not required to exploit this vulnerability.

How do I fix it?

Please update to the latest version, 10.0.479, released on March 7, 2020.

The patch and the steps to install it can be found on this page: https://www.manageengine.com/products/desktop-central/service-packs.html.

How do I fix it manually?

If you face any difficulties in applying the patch, you can follow the manual steps given below to fix the vulnerability.

  1. Remove the content below from the file web.xml at \ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\WEB-INF\web.xml.
  2. After removing this content, restart the Endpoint Central service.

<servlet-mapping>
  <servlet-name>MDMLogUploaderServlet</servlet-name>
  <url-pattern>/mdm/mdmLogUploader</url-pattern>
  <url-pattern>/mdm/client/v1/mdmLogUploader</url-pattern>
</servlet-mapping>

<servlet>
  <servlet-name>MDMLogUploaderServlet</servlet-name>
  <servlet-class>com.me.mdm.onpremise.webclient.log.MDMLogUploaderServlet</servlet-class>
</servlet>

<servlet-mapping>
  <servlet-name>CewolfServlet</servlet-name>
  <url-pattern>/cewolf/*</url-pattern>
</servlet-mapping>

<servlet>
  <servlet-name>CewolfServlet</servlet-name>
  <servlet-class>de.laures.cewolf.CewolfRenderer</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>overliburl</param-name>
    <param-value>/js/overlib.js</param-value>
  </init-param>
  <init-param>
    <param-name>storage</param-name>
    <param-value>de.laures.cewolf.storage.FileStorage</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>
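The two checks an administrator wants after reading the "How do I fix it?" and "How do I fix it manually?" sections are: is my build at or past the fixed build numbers the advisory names, and does my web.xml still declare the two servlets the manual mitigation removes. The script below is an added example written for this page, not ManageEngine's code or tooling. It classifies a build string against the 10.0.474 and 10.0.479 builds named above, reports any remaining MDMLogUploaderServlet or CewolfServlet entries in a web.xml, and writes a cleaned copy. The embedded web.xml is a constructed sample (including a made-up OtherServlet to show that unrelated entries survive); the default namespace handling is an assumption about how a typical web.xml is written, not something the advisory states.

```python
"""Defender-side helper for the CVE-2020-10189 advisory (added example)."""
import sys
import xml.etree.ElementTree as ET

# Servlet names the advisory's manual mitigation removes from web.xml.
MITIGATED_SERVLETS = {"MDMLogUploaderServlet", "CewolfServlet"}

# Build numbers from the advisory: short-term fix and complete fix.
SHORT_TERM_FIX_BUILD = (10, 0, 474)
COMPLETE_FIX_BUILD = (10, 0, 479)

# Constructed sample web.xml; the namespace URI is an assumption about a
# typical Java EE web.xml, not a value taken from the advisory.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet-mapping>
    <servlet-name>MDMLogUploaderServlet</servlet-name>
    <url-pattern>/mdm/mdmLogUploader</url-pattern>
    <url-pattern>/mdm/client/v1/mdmLogUploader</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>MDMLogUploaderServlet</servlet-name>
    <servlet-class>com.me.mdm.onpremise.webclient.log.MDMLogUploaderServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>OtherServlet</servlet-name>
    <servlet-class>com.example.OtherServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CewolfServlet</servlet-name>
    <url-pattern>/cewolf/*</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>CewolfServlet</servlet-name>
    <servlet-class>de.laures.cewolf.CewolfRenderer</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix: '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def parse_build(build):
    """'10.0.479' -> (10, 0, 479); raises ValueError on anything else."""
    parts = build.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected build string: %r" % build)
    return tuple(int(p) for p in parts)


def build_status(build):
    """Classify a build against the fix levels named in the advisory."""
    b = parse_build(build)
    if b >= COMPLETE_FIX_BUILD:
        return "complete fix"
    if b >= SHORT_TERM_FIX_BUILD:
        return "short-term fix only"
    return "vulnerable"


def _mitigated_elements(root):
    """Yield top-level <servlet>/<servlet-mapping> elements naming a mitigated servlet."""
    for elem in list(root):
        tag = _local(elem.tag)
        if tag not in ("servlet", "servlet-mapping"):
            continue
        name = next((c for c in elem if _local(c.tag) == "servlet-name"), None)
        if name is not None and (name.text or "").strip() in MITIGATED_SERVLETS:
            yield tag, name.text.strip(), elem


def find_servlet_entries(web_xml):
    """Return (tag, servlet-name) pairs still present; empty list means mitigated."""
    root = ET.fromstring(web_xml)
    return [(tag, name) for tag, name, _ in _mitigated_elements(root)]


def remove_servlet_entries(web_xml):
    """Return web.xml text with the mitigated servlet entries removed, keeping the rest."""
    root = ET.fromstring(web_xml)
    if root.tag.startswith("{"):
        # Re-register the default namespace so the output keeps xmlns="..." as-is.
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    for _, _, elem in list(_mitigated_elements(root)):
        root.remove(elem)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python check_cve_2020_10189.py [path/to/web.xml]; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    print("build 10.0.479 ->", build_status("10.0.479"))
    print("remaining entries:", find_servlet_entries(text))
    cleaned = remove_servlet_entries(text)
    print("after cleanup:", find_servlet_entries(cleaned))
```

Review the cleaned output before replacing the real web.xml (ElementTree drops XML comments and normalises whitespace), and restart the service afterwards as step 2 of the manual procedure requires; the build check is only a reading of the version string and does not replace applying the patch.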

Disclaimer: After following the mitigation steps listed above, Endpoint Central users will not be able to upload logs from a mobile device.

Second Advisory: Refer to this document for the subsequent security advisory.

Keywords: Security Updates, Vulnerabilities and Fixes, SRC-2020-0011.

Contact Us

Should you have any further questions, please email dc-zeroday@manageengine.com or reach out to us using our toll-free number, +1-888-720-9500.