Security Updates on Vulnerabilities

ManageEngine Endpoint Central MSP remote code execution vulnerability (CVE-2020-10189)

This document explains the unauthenticated remote code execution vulnerability in Endpoint Central MSP, which was reported by Steven Seeley of Source Incite. The short-term fix for the arbitrary file upload vulnerability was released in build 10.0.474 on January 20, 2020. Following that, the complete fix for the remote code execution vulnerability is now available in build 10.0.479.

Note: This vulnerability will not affect Secure Gateway Server. Customers using builds that include the short-term fix are not vulnerable to this exploit.

What was the problem?

This vulnerability could allow remote attackers to execute arbitrary code on affected installations of Endpoint Central MSP. Authentication is not required to exploit this vulnerability.

How do I fix it?

Please update to the latest version, 10.0.479, released on March 7, 2020.

The patch and the steps to install it can be found on this page: https://www.manageengine.com/desktop-management-msp/service-packs.html.

How do I fix it manually?

If you face any difficulties in applying the patch, you can follow the manual steps given below to fix the vulnerability.

  1. Remove the content below from the file web.xml in the path \ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\WEB-INF\web.xml.
  2. <servlet-mapping>
       <servlet-name>MDMLogUploaderServlet</servlet-name>
       <url-pattern>/mdm/mdmLogUploader</url-pattern>
       <url-pattern>/mdm/client/v1/mdmLogUploader</url-pattern>
     </servlet-mapping>

     <servlet>
       <servlet-name>MDMLogUploaderServlet</servlet-name>
       <servlet-class>com.me.mdm.onpremise.webclient.log.MDMLogUploaderServlet</servlet-class>
     </servlet>

     <servlet-mapping>
       <servlet-name>CewolfServlet</servlet-name>
       <url-pattern>/cewolf/*</url-pattern>
     </servlet-mapping>

     <servlet>
       <servlet-name>CewolfServlet</servlet-name>
       <servlet-class>de.laures.cewolf.CewolfRenderer</servlet-class>
       <init-param>
         <param-name>debug</param-name>
         <param-value>false</param-value>
       </init-param>
       <init-param>
         <param-name>overliburl</param-name>
         <param-value>/js/overlib.js</param-value>
       </init-param>
       <init-param>
         <param-name>storage</param-name>
         <param-value>de.laures.cewolf.storage.FileStorage</param-value>
       </init-param>
       <load-on-startup>1</load-on-startup>
     </servlet>
  3. Restart the desktopcentral service.
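As an added example (not ManageEngine's own tooling), the following Python script checks a web.xml for the MDMLogUploaderServlet and CewolfServlet entries listed above, reports the URL patterns they are still mapped on, and produces a copy with both the servlet definitions and their mappings removed. The embedded web.xml fragment is constructed for the example; on a real server, the file to read is the one at the path given in step 1.

```python
import xml.etree.ElementTree as ET

# Servlet names the advisory's manual mitigation removes from web.xml.
SERVLETS_TO_REMOVE = {"MDMLogUploaderServlet", "CewolfServlet"}


def _local(tag):
    """Strip a namespace prefix like '{http://java.sun.com/xml/ns/javaee}' from a tag."""
    return tag.rsplit("}", 1)[-1]


def _entry_name(elem):
    """Return the <servlet-name> text of a <servlet> or <servlet-mapping> element."""
    for child in elem:
        if _local(child.tag) == "servlet-name":
            return (child.text or "").strip()
    return None


def find_exposed(web_xml):
    """Map each advisory servlet still mapped to the URL patterns that reach it."""
    exposed = {}
    for elem in ET.fromstring(web_xml):
        if _local(elem.tag) == "servlet-mapping" and _entry_name(elem) in SERVLETS_TO_REMOVE:
            patterns = [c.text.strip() for c in elem if _local(c.tag) == "url-pattern" and c.text]
            exposed.setdefault(_entry_name(elem), []).extend(patterns)
    return exposed


def strip_servlets(web_xml):
    """Return web.xml text with the <servlet> and <servlet-mapping> entries removed."""
    root = ET.fromstring(web_xml)
    if root.tag.startswith("{"):  # keep the default namespace unprefixed on output
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    for elem in list(root):
        if _local(elem.tag) in ("servlet", "servlet-mapping") and _entry_name(elem) in SERVLETS_TO_REMOVE:
            root.remove(elem)
    return ET.tostring(root, encoding="unicode")


# Constructed sample web.xml fragment (not a real ManageEngine file).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>MDMLogUploaderServlet</servlet-name>
    <servlet-class>com.me.mdm.onpremise.webclient.log.MDMLogUploaderServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>MDMLogUploaderServlet</servlet-name>
    <url-pattern>/mdm/mdmLogUploader</url-pattern>
    <url-pattern>/mdm/client/v1/mdmLogUploader</url-pattern>
  </servlet-mapping>
  <servlet><servlet-name>Other</servlet-name><servlet-class>com.example.Other</servlet-class></servlet>
  <servlet-mapping><servlet-name>Other</servlet-name><url-pattern>/other/*</url-pattern></servlet-mapping>
</web-app>"""
```

Running `find_exposed` on the server's web.xml after applying the steps above is a quick way to confirm that no mapping for either servlet survived the edit.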

Disclaimer: After following the mitigation steps listed above, Endpoint Central MSP users will not be able to upload logs from a mobile device.

Keywords: Security Updates, Vulnerabilities and Fixes, SRC-2020-0011.
