About the vulnerability

An unauthenticated remote code execution (RCE) vulnerability (CVE-2021-44077) was identified in ManageEngine ServiceDesk Plus. This vulnerability affects ServiceDesk Plus (on-premises) customers of all editions using versions 11305 and below. We rate this vulnerability as critical and have noticed active exploitation of this vulnerability by cyberthreat actors. We strongly urge customers to upgrade to ServiceDesk Plus versions 11306 and above.

  • Please note that this vulnerability is not new but was already identified and addressed on September 16, 2021 in versions 11306 and above, and an advisory was published as well.


Exploit detection tool

Use the exploit detection tool to run a quick scan and discover any compromises in your installation. The tool checks for the presence of any indicators of compromise associated with the CVE-2021-44077 vulnerability and notifies you if your system is infected.


How to use the exploit detection tool

  • Start > Run and type "services.msc" and hit Enter or press OK.
  • Locate and stop the "ManageEngine ServiceDesk Plus" service.
  • Download the exploit detection tool (Zip file).
  • Extract the Zip file to \ManageEngine\ServiceDesk
  • Go to the extracted folder: \ManageEngine\ServiceDesk\FindVulnerableFile.
  • Right-click the RCEScan.bat file and choose Run as Administrator. A command window will open and the scan will be initiated. If your server is affected, you will get one of the following messages:

    "Your server has been compromised by an Unauthenticated RCE attack. Isolate the ServiceDesk Plus server from the network immediately and contact ServiceDesk Plus support for more assistance."

    Or

    "Unknown and/or modified files have been detected in your server. Please send the vulnerablefiles.txt from ManageEngine/ServiceDesk/FindVulnerableFile to support@servicedeskplus.com and mention the subject as "CVE-2021-44077" so that we can check if your server has been compromised."

  • If your server is affected, send us the following folders for further analysis:

    \ManageEngine\ServiceDesk\logs
    \ManageEngine\ServiceDesk\webapps\ROOT\WEB-INF
    \ManageEngine\ServiceDesk\bin

    The scan tool checks for malicious files and entries in logs. At any given time, ServiceDesk Plus maintains only 50 log files and so your server compromise may not be detectable in the log files.

  • On the other hand, if you have already migrated to ServiceDesk Plus 11306 or later, your ServiceDesk Plus installation is secure and no longer vulnerable to any new attacks. However, the system could have been compromised before the upgrade. As for fresh installations of ServiceDesk Plus starting from build 11306 or later, they are secure and will not be impacted by this vulnerability.
  • So, as a precautionary measure, please move your installation to a new server by following the procedure below.

Steps to move your ServiceDesk Plus installation to a new server

Follow the steps below to move your ServiceDesk Plus installation to a new server.

  • Step 1 : Disconnect your server from the network.
  • Step 2 : Back up ServiceDesk Plus data:
    • Environments using PostgreSQL database:
      • Open command prompt.
      • Navigate to \ManageEngine\ServiceDesk\pgsql\bin
      • Execute the following command:

        pg_dump -U {user-name} -h {server} -p {port} servicedesk > {dumpfilename.sql}

      Note: A backup will be created with the file name "dumpfilename.sql". Take a copy of this file to restore ServiceDesk Plus data.

    • Environments using Microsoft SQL Server database: Disconnect the Microsoft SQL Server.
  • Step 3 : Back up the files under the following directories:

    Prerequisites for creating a backup:

    • Make sure that there are no executable files in the directories listed below. Executable files typically carry extensions such as *.exe, *.jsp, *.bat, *.sh, etc. If you find unrecognizable executable files in any of the directories, contact support for further assistance.
    • Make sure to scan the directories listed below for the presence of malicious files or programs using antivirus software. If malicious files or programs are found, skip those files while creating the backup.
    • Go to \ManageEngine\ServiceDesk\conf, open product-config.xml, and find the entry <configuration name="user.password.encrypt" value="true"/>. If the entry is not found or if the value is set to "false", you need to reset the login password for all users after restoration.

    \ManageEngine\ServiceDesk\fileAttachments

    \ManageEngine\ServiceDesk\inlineimages

    \ManageEngine\ServiceDesk\LuceneIndex

    \ManageEngine\ServiceDesk\conf

    \ManageEngine\ServiceDesk\custom

    \ManageEngine\ServiceDesk\app_relationships

    \ManageEngine\ServiceDesk\integration

    \ManageEngine\ServiceDesk\archive

    \ManageEngine\ServiceDesk\zreports

    \ManageEngine\ServiceDesk\lib\AdventNetLicense.xml

    \ManageEngine\ServiceDesk\ZIA\dataset

    \ManageEngine\ServiceDesk\ImportResults

  • Step 4 : Set up a new server to install ServiceDesk Plus afresh.
  • Step 5 : Download and install the same version of ServiceDesk Plus on the new server.
  • Step 6 : Restore data (if you were using the built-in PostgreSQL database) by using the backup file created or connect to the database (if you were using Microsoft SQL Server database). To restore data in PostgreSQL setups, follow these steps:
    • Copy the backup file "dumpfilename.sql" to \ManageEngine\ServiceDesk\pgsql\bin
    • Open command prompt
    • Navigate to \ManageEngine\ServiceDesk\bin
    • Execute the following command :
      startDB.bat 65432
    • Navigate to \ManageEngine\ServiceDesk\pgsql\bin
    • Execute the following commands:
      psql.exe -h {server} -p {port} -U {user-name} -d servicedesk
      \c postgres
      drop database servicedesk;
      create database servicedesk;
      \q (or quit)
      psql.exe -U {user-name} -h {server} -p {port} -d servicedesk -f {dumpfilename.sql}
    • Navigate to \ManageEngine\ServiceDesk\bin
    • Execute the following command:

      stopdb.bat 65432

  • Step 7 : Restore the backed up files (obtained in Step 3) to their respective directories.
  • Step 8 : Upgrade ServiceDesk Plus to the latest version. See: Migration Sequence.
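The Step 3 prerequisite asks you to confirm that none of the directories being backed up contain executable files. The script below, added here as an example and not ManageEngine's own tool, walks the Step 3 paths under a ServiceDesk home directory and lists anything with an executable-looking extension; the sample directory tree it scans is constructed in a temporary folder, and the extensions beyond the four named on the page are an assumption.

```python
"""Pre-backup check for the Step 3 directories: list files whose names carry an
executable extension so they can be reviewed before anything is copied.
Added example, not ManageEngine's tool; the sample tree below is constructed."""
import tempfile
from pathlib import Path

# The advisory names *.exe, *.jsp, *.bat and *.sh; the rest are added here as an
# assumption about other types that should never sit in data directories.
EXECUTABLE_EXTENSIONS = {".exe", ".jsp", ".bat", ".sh", ".jspx", ".cmd", ".ps1", ".dll", ".jar", ".class"}

# Paths from Step 3, relative to the ServiceDesk home directory.
BACKUP_PATHS = ["fileAttachments", "inlineimages", "LuceneIndex", "conf", "custom",
                "app_relationships", "integration", "archive", "zreports",
                "lib/AdventNetLicense.xml", "ZIA/dataset", "ImportResults"]

def find_executables(sdp_home: str) -> list:
    """Walk every backup path under sdp_home; return executable-looking files, sorted."""
    hits = []
    for rel in BACKUP_PATHS:
        target = Path(sdp_home) / rel
        if target.is_file():
            candidates = [target]
        elif target.is_dir():
            candidates = (p for p in target.rglob("*") if p.is_file())
        else:
            continue  # path absent in this installation; nothing to scan
        for p in candidates:
            if p.suffix.lower() in EXECUTABLE_EXTENSIONS:  # case-insensitive, as on Windows
                hits.append(p.relative_to(sdp_home).as_posix())
    return sorted(hits)

def demo() -> list:
    """Constructed ServiceDesk tree: a benign PDF attachment, a .jsp hidden among
    attachments and an .EXE under custom. Only the latter two should be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("fileAttachments/Request/1", "custom", "conf", "ZIA/dataset"):
            (Path(tmp) / rel).mkdir(parents=True)
        (Path(tmp) / "fileAttachments/Request/1/invoice.pdf").write_bytes(b"%PDF-1.4 constructed")
        (Path(tmp) / "fileAttachments/Request/1/unknown.jsp").write_text("<%-- constructed --%>")
        (Path(tmp) / "custom/update.EXE").write_bytes(b"MZ constructed")
        (Path(tmp) / "conf/product-config.xml").write_text("<configuration/>")
        return find_executables(tmp)

if __name__ == "__main__":
    for hit in demo():
        print("review before backup:", hit)
```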

For any assistance regarding the vulnerability

Please feel free to contact our support team.

  • Call us toll-free at +1.888.720.9500.

Frequently asked questions


This is an unauthenticated RCE vulnerability that was identified in the on-premises model of ServiceDesk Plus. It can allow an adversary to execute arbitrary code and carry out any subsequent attacks.

This vulnerability affects versions 11305 and below in the on-premises model of ServiceDesk Plus (all editions).

Click the Help link in the top-right corner of the ServiceDesk Plus web client, and select About from the drop-down to see your current version. If your current version (all editions) is 11305 and below, you might be affected.

You can also run the exploit detection tool above to verify if your installation has been compromised.

  • If your server is affected, send us the following folders for further analysis:

    \ManageEngine\ServiceDesk\logs
    \ManageEngine\ServiceDesk\webapps\ROOT\WEB-INF
    \ManageEngine\ServiceDesk\bin

    The scan tool checks for malicious files and entries in logs. At any given time, ServiceDesk Plus maintains only 50 log files and so your server compromise may not be detectable in the log files.

    Further, please follow the steps mentioned above, to move your ServiceDesk Plus installation to the new server.

You can upgrade to the latest version (12001) using the appropriate migration path.

Click the Help link in the top-right corner of the ServiceDesk Plus web client, and select About from the drop-down to see your current version. If your current version (all editions) is 11305 and below, you might be affected.

We strongly recommend you upgrade to the latest version; however, if you are not able to do so, please follow the steps below to modify the web.xml and struts-config.xml files to mitigate the issue.

Step 1: Open the web.xml file from the following location: <sdp_home>/webapps/ROOT/WEB-INF/web.xml

Step 2: Replace the following lines

  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>/RestAPI/*</url-pattern>
  </servlet-mapping>

with the code below:

  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>/RestAPI/WC/TwoFactorAction</url-pattern>
    <url-pattern>/RestAPI/TwoFactorAction</url-pattern>
  </servlet-mapping>

Step 3: Open the struts-config.xml file from the following location: <sdp_home>/webapps/ROOT/WEB-INF/struts-config.xml

Step 4: Remove the following lines:

  <form-bean name="ImportTechnicians" type="com.adventnet.servicedesk.setup.form.ImportTechniciansForm"/>

and

  <action name="ImportTechnicians" path="/ImportTechnicians" scope="request" type="com.adventnet.servicedesk.setup.action.ImportTechniciansAction">
    <forward name="GetInputFile" path="/setup/GetTechInputFile.jsp"/>
    <forward name="ImportConfirmation" path="/setup/TechImportConfirmation.jsp"/>
    <forward name="MapFields" path="/setup/TechMapFields.jsp"/>
  </action>

Step 5: In the same struts-config.xml file, please modify the following lines:

  <action path="/TwoFactorAction" ...
  <action path="/WC/TwoFactorAction" ...

as shown below:

  <action path="/RestAPI/TwoFactorAction" ...
  <action path="/RestAPI/WC/TwoFactorAction" ...

Step 6: Restart the system for the changes in the web.xml and struts-config.xml files to take effect.

These modifications to web.xml and struts-config.xml should mitigate the issue.
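After editing the two files by hand it is easy to leave the wildcard mapping or an ImportTechnicians entry behind, so a check that parses both files is worth having. The script below is an added example, not ManageEngine code: it reports any /RestAPI wildcard still bound to the action servlet in web.xml and any ImportTechnicians form-bean or action, or TwoFactorAction path not yet under /RestAPI/, in struts-config.xml. The before/after XML fragments are constructed and far shorter than the real files; the type attributes in them are placeholders.

```python
"""Verify that the web.xml / struts-config.xml workaround above has been applied.
Added example, not ManageEngine code; the XML fragments below are constructed."""
import xml.etree.ElementTree as ET

def _local(tag: str) -> str:
    """Strip a namespace prefix so web.xml's default xmlns does not matter."""
    return tag.rsplit("}", 1)[-1]

def check_web_xml(xml_text: str) -> list:
    """Flag any wildcard url-pattern (e.g. /RestAPI/*) still mapped to the 'action' servlet."""
    findings = []
    for m in ET.fromstring(xml_text).iter():
        if _local(m.tag) != "servlet-mapping":
            continue
        names = [(c.text or "").strip() for c in m if _local(c.tag) == "servlet-name"]
        patterns = [(c.text or "").strip() for c in m if _local(c.tag) == "url-pattern"]
        if names == ["action"]:
            findings += [f"web.xml: {p} still routes a whole prefix to the action servlet"
                         for p in patterns if p.endswith("/*")]
    return findings

def check_struts_config(xml_text: str) -> list:
    """Flag leftover ImportTechnicians entries and TwoFactorAction paths not under /RestAPI/."""
    root = ET.fromstring(xml_text)
    findings = ["struts-config.xml: form-bean ImportTechnicians still present"
                for b in root.iter("form-bean") if b.get("name") == "ImportTechnicians"]
    for a in root.iter("action"):
        path = a.get("path", "")
        if path == "/ImportTechnicians":
            findings.append("struts-config.xml: action /ImportTechnicians still present")
        elif path.endswith("TwoFactorAction") and not path.startswith("/RestAPI/"):
            findings.append(f"struts-config.xml: {path} not moved under /RestAPI/")
    return findings

# Constructed before/after fragments; real files carry many more entries.
WEB_BEFORE = ('<web-app xmlns="http://java.sun.com/xml/ns/javaee"><servlet-mapping><servlet-name>action'
              '</servlet-name><url-pattern>/RestAPI/*</url-pattern></servlet-mapping></web-app>')
WEB_AFTER = WEB_BEFORE.replace('<url-pattern>/RestAPI/*</url-pattern>',
                               '<url-pattern>/RestAPI/WC/TwoFactorAction</url-pattern>'
                               '<url-pattern>/RestAPI/TwoFactorAction</url-pattern>')
STRUTS_BEFORE = ('<struts-config><form-beans><form-bean name="ImportTechnicians" type="x.Form"/></form-beans>'
                 '<action-mappings><action path="/ImportTechnicians" type="x.Import"/><action path="/TwoFactorAction"'
                 ' type="x.TFA"/><action path="/WC/TwoFactorAction" type="x.TFA"/></action-mappings></struts-config>')
STRUTS_AFTER = ('<struts-config><form-beans/><action-mappings><action path="/RestAPI/TwoFactorAction" type="x.TFA"/>'
                '<action path="/RestAPI/WC/TwoFactorAction" type="x.TFA"/></action-mappings></struts-config>')

if __name__ == "__main__":
    print("unpatched findings:", check_web_xml(WEB_BEFORE) + check_struts_config(STRUTS_BEFORE))
    print("patched findings:", check_web_xml(WEB_AFTER) + check_struts_config(STRUTS_AFTER))
```

Point the two functions at the real files under <sdp_home>/webapps/ROOT/WEB-INF; an empty findings list from both means the workaround is in place.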

The vulnerability has been addressed by fixing the security configuration process in ServiceDesk Plus versions 11306 and above. You can upgrade to the latest version (12001) using the appropriate migration path.

We've put together this dedicated webpage to keep you informed of the latest updates from our side, the technical details of the vulnerability, our incident response plan, and recommended actions.
