Implications of remote code execution (RCE) vulnerability

This document outlines the possible ramifications of the RCE vulnerability and the best practices for hardening your security measures. This zero-day vulnerability was reported on March 6, 2020, and the fix was released on the same day.

  • For more insights on the steps to identify and mitigate this vulnerability, read our document on the detection and remediation of the RCE vulnerability.
  • For frequently asked questions pertaining to this vulnerability, visit our FAQ corner.
  • To understand how to run our tool to detect and remediate the RCE vulnerability, refer to this document.
  • Knowledge base article

What are the implications of the vulnerability? 

This section addresses the implications that exploitation may have had when a machine is found to be compromised. Exploitation could have led to the total compromise of the machine, and there is a high chance of lateral movement within the network. Here are a few of the cases:

  1. Data from a few registry hives could have been leaked to other servers by gaining access to the SystemCertificates hive, the Cryptography hive, and CurrentControlSet.
  2. A malicious DLL could have been placed under the System32 folder to tamper with the execution of a few executables, thereby leading to possible code injection. Such malware would then gather data from the infected machine and transmit it to other servers.
  3. During the execution of any application, a remote thread may have been created to inject malicious code into that process.
  4. It is suspected that a Cobalt Strike payload, a general-purpose attack payload, was used to establish a reverse shell to exfiltrate data from the server-installed machine, and there is a high chance that the administrator credentials were changed.
  5. Internet Explorer cookies and Outlook cookies are likely to have been accessed, and event logs could have been wiped completely.

Top recommendations to harden your network security

This section addresses the best practices to be followed diligently to thwart such exploitation.

  1. Scrutinize firewall logs for any untoward inbound or outbound communications through unknown or unexpected IP addresses. 
  2. Monitor antivirus software: check whether the software has flagged any file in the past 3 to 5 days.
  3. Change the user names and passwords of the user/system accounts, and any web accounts accessed from the server-installed machine. 
  4. Change the Active Directory credentials if the server-installed machine is a part of your AD, or if the Endpoint Central server is integrated with AD. 
  5. If you have a network audit tool, kindly use the tool to check if the malware has moved laterally to other server machines and detect anomalies. 
  6. If the compromised machine connects to other systems via SSH keys, ensure that the keys are revoked and the access is disabled. 
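The following triage script checks for traces of the implications listed above (a DLL dropped into System32, cleared event logs) and covers recommendations 1 and 2 by listing established outbound connections with their owning process. It is added here as an example and is not part of this advisory or of the vendor's own detection tool; it assumes an elevated PowerShell session on the server-installed Windows machine, and the lookback window and trusted address prefixes are placeholders to adjust for your environment.

```powershell
# Added triage example (not the vendor's tool). Run elevated on the server-installed machine.
param(
    [int]$LookbackDays = 5,                                   # placeholder: review window
    [string[]]$KnownPrefixes = @('10.', '192.168.', '172.16.') # placeholder: your own address ranges
)
$since = (Get-Date).AddDays(-$LookbackDays)

# 1. DLLs written to System32 inside the window (implication 2 above).
#    Legitimate changes here normally come from Windows Update; anything else deserves a look.
$newDlls = Get-ChildItem -Path "$env:SystemRoot\System32" -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since }

# 2. Event-log clearing (implication 5): Security log cleared = ID 1102, other logs = System ID 104.
#    A command that finds no events contributes nothing to the array.
$cleared = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $since } -ErrorAction SilentlyContinue
)

# 3. Established TCP connections to addresses outside the trusted prefixes (recommendation 1),
#    paired with the owning process so an unexpected reverse shell stands out.
$outbound = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object {
        $r = $_.RemoteAddress
        $r -ne '127.0.0.1' -and $r -ne '::1' -and
        -not ($KnownPrefixes | Where-Object { $r.StartsWith($_) })
    } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            Pid     = $_.OwningProcess
            Process = $p.ProcessName
            Path    = $p.Path
        }
    }

"=== DLLs modified in System32 since $since ==="
$newDlls | Select-Object Name, LastWriteTime, Length | Format-Table -AutoSize
"=== Event-log clear events since $since ==="
$cleared | Select-Object TimeCreated, LogName, Id, Message | Format-Table -AutoSize -Wrap
"=== Established connections to addresses outside the trusted prefixes ==="
$outbound | Format-Table -AutoSize
```

Review each listed item against your change records and firewall logs; an empty result in all three sections does not by itself prove the machine is clean, since event logs may already have been wiped.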

Contact Us

Should you have any further questions, please email dc-zeroday@manageengine.com or reach out to us using our toll-free number, +1-888-720-9500.