This Security Advisory addresses an "SQL injection" vulnerability (CVE - 2022-27908, CVE-2022-29535) in ManageEngine RMM Central, reported by Anh Vu in our Bug Bounty program. Please read this document fully to understand the potential threat, its implications, and the steps you can take to fortify your network. This advisory applies to RMM Central users.
Issue: It was possible to perform SQL injection in reports for the bview parameter (Business View filter parameter).
It was reported that vulnerable SQL queries was executed in reports when passed for bview parameter (Business View filter). Any SQL operations could be performed when the query was constructed and passed for this parameter.
The SQL query execution was not handled with prepared statement and hence vulnerable queries were executed. The severity of this threat is deemed high.
It is applicable to RMM Central users who access the Custom reports under the monitoring section of the product.
After detecting that there was a potential for exploit, we released the fix immediately and this fix is now available to all RMM Central users. The documents associated to mitigate this threat have also been prepared and pushed online.
The existing query execution in the data-sources of the reports were all changed to prepared statement. We have also analyzed the entire code to check if any other SQL injection was possible (using other parameters).
The issue can be fixed by upgrading your ManageEngine RMM Central to build 10.1.23 with monitoring instance to the versions 12.5.629 and above.
Upgrade to the last build from the URL given below.
https://www.manageengine.com/remote-monitoring-management/service-packs.html
Note: