CVE-2019-12133

Severity

72%

Complexity

39%

Confidentiality

165%

Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus.

Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus.

CVSS 3.0 Base Score 7.8. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 7.2. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C).

Overview

Type

Zoho

First reported 5 years ago

2019-06-18 22:15:00

Last updated 4 years ago

2020-03-18 19:15:00

Affected Software

Zoho Corp ManageEngine Analytics Plus 1.0

1.0

Zoho Corp ManageEngine Browser Security Plus -

Zoho Corp ManageEngine Desktop Central 10.0.380

10.0.380

Zoho Corp ManageEngine Eventlog Analyzer 12.0.2

12.0.2

Zoho Corp ManageEngine Firewall 12.0

12.0

Zoho Corp ManageEngine Key Manager Plus 5.6

5.6

Zoho Corp ManageEngine Mobile Device Manager Plus 9.0.0

9.0.0

Zoho Corp ManageEngine NetFlow Analyzer 11.0

11.0

Zoho Corp ManageEngine Network Configuration Manager 11.0

11.0

Zoho Corp ManageEngine O365 Manager Plus 4.0

4.0

ZohoCorp ManageEngine OpManager 12.3

12.3

Zoho Corp ManageEngine OpUtils 11.0

11.0

Zoho Corp ManageEngine Patch Connect Plus 9.0.0

9.0.0

Zoho Corp ManageEngine Patch Manager Plus 9.0.0

9.0.0

Zoho Corp ManageEngine ServiceDesk Plus 10.0.0

10.0.0

Zoho Corp ManageEngine SupportCenter Plus 8.1

8.1

Zoho Corp ManageEngine Vulnerability Manager Plus 9.0.0

9.0.0

References

https://github.com/active-labs/Advisories/blob/master/2019/ACTIVE-2019-007.md

https://www.manageengine.com/products/desktop-central/elevation-of-privilege-vulnerability.html

Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.