VYPR
Unrated severity · NVD Advisory · Published Jul 16, 2018 · Updated Aug 5, 2024

CVE-2018-11717

Description

An issue was discovered in Zoho ManageEngine Desktop Central before 100251. By leveraging access to a log file, a context-dependent attacker can obtain (depending on the modules configured) the Base64 encoded Password/Username of AD accounts, the cleartext Password/Username and mail settings of the EAS account (an AD account used to send mail), the cleartext password of recovery_password of Android devices, the cleartext password of account "set", the location of devices enrolled in the platform (with UUID and information related to the name of the person at the location), critical information about all enrolled devices such as Serial Number, UUID, Model, Name, and auth_session_token (usable to spoof a terminal identity on the platform), etc.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Sensitive credentials and device info exposed in Zoho ManageEngine Desktop Central log files before build 100251.

Vulnerability

An information disclosure vulnerability exists in Zoho ManageEngine Desktop Central prior to build 100251. The application writes sensitive data to log files, including Base64-encoded AD account credentials, cleartext passwords for EAS accounts, Android device recovery passwords, the set account password, device location data (with UUID and person name), and critical device identifiers such as Serial Number, UUID, Model, Name, and auth_session_token (which can be used to spoof a terminal identity). This issue is documented in the vendor advisory [1].

Exploitation

An attacker who gains access to the log files, whether through local file read, shared storage, or another vulnerability, can extract the exposed information. No additional authentication is required beyond the ability to read the log files. The attacker simply locates the relevant log file and parses the cleartext or Base64-encoded data.

Impact

Successful exploitation allows the attacker to obtain administrative credentials for Active Directory, email account settings, Android device recovery passwords, and device enrollment details. With the auth_session_token, the attacker can impersonate a legitimate terminal on the platform, potentially leading to further compromise of managed devices and network resources. The disclosure of location data and device identifiers also poses a privacy and operational security risk.

Mitigation

Zoho released a fix on 18-Feb-2019 as part of a build update. The vulnerability is resolved in Desktop Central build 100251 and later. Administrators should upgrade to the latest build by following the steps in the vendor advisory [1]. Cloud editions of Endpoint Central, Patch Manager Plus, and Remote Access Plus are not affected. As a workaround, restrict access to log files to authorized personnel only.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
