Unrated severity · NVD Advisory · Published Apr 18, 2018 · Updated Aug 5, 2024

CVE-2018-5340

Description

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: database access using a superuser account (specifically, an account with permission to write to the filesystem via SQL queries).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthorized users can bypass query restrictions in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184, gaining superuser database access to alter filesystem entries.

Vulnerability

An issue was discovered in Zoho ManageEngine Desktop Central versions 10.0.124 and 10.0.184 that allows a user with a superuser database account (specifically, an account with permission to write to the filesystem via SQL queries) to bypass query type restrictions. The vulnerability enables unauthorized users to execute arbitrary SQL queries to alter database entries, effectively bypassing intended access controls [1].

Exploitation

To exploit this vulnerability, an attacker must first obtain a superuser account on the database, one with filesystem write permissions. With such access, they can craft and execute SQL queries that bypass the query type restriction mechanism. The attack requires no network position beyond the ability to authenticate to the database as the superuser. The vulnerability was reported by NCC Group in a security advisory [1].

Impact

Successful exploitation allows an attacker to alter database entries, potentially writing arbitrary files to the filesystem via SQL queries. This can lead to further system compromise, including code execution or persistent backdoor installation, depending on the attacker's objectives. The impact is elevated privilege and unauthorized data modification, as the superuser account has broad access [1].

Mitigation

The vendor, Zoho ManageEngine, released a fix for this vulnerability on 24-April-2018. Users of Desktop Central 10.0.124 and 10.0.184 are advised to update to the latest build available on the vendor's website. To apply the fix, log in to the Endpoint Central console, click the current build number in the top right corner, download the PPM, and update. The available references mention no workaround other than applying the patch [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
