Identification and mitigation of remote code execution vulnerability CVE-2020-10189
A few versions of Endpoint Central include a remote code execution (RCE) vulnerability originally reported by Steven Seeley from Source Incite. This document will shed light on how to identify if the vulnerability is present in your network, and the steps to follow after identifying the vulnerability.
Note: If you have configured ManageEngine's Secured Gateway server, you can rest assured that your setup is safe. Even if any of these files (logger.txt, logger.zip, mdmlogs.zip, managedprofile_mdmlogs.zip) is present under the folder \ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\_chart, the system/network will not be compromised.
Step one: Isolate the machine
First, access the Endpoint Central server directly. If it is a physical server, please log in to the machine directly. Ensure that you disconnect the machine from your network completely so it cannot be accessed remotely from the network.
How to identify if your installation is compromised
The following are two methods of identifying if an attacker has exploited the RCE vulnerability on any of your network machines:
- If there is any file with the following names under the folder \ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\_chart, then your installation has been compromised: logger.txt, logger.zip, mdmlogs.zip, managedprofile_mdmlogs.zip.
- If the file “C:\Users\Public\install.bat” is present, then your system has been compromised.
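The two checks above as a PowerShell script. This is an added example, not ManageEngine's code; the C: drive in `$ServerRoot` is an assumption, since the advisory gives the folder without a drive letter.

```powershell
# Assumption: install drive. Adjust to where DesktopCentral_Server actually lives.
$ServerRoot = 'C:\ManageEngine\DesktopCentral_Server'

$chartDir   = Join-Path $ServerRoot 'webapps\DesktopCentral\_chart'
$chartNames = 'logger.txt', 'logger.zip', 'mdmlogs.zip', 'managedprofile_mdmlogs.zip'
$installBat = 'C:\Users\Public\install.bat'
$findings   = @()

# Check 1: any of the four named files directly under _chart
if (Test-Path -LiteralPath $chartDir -PathType Container) {
    $findings += @(Get-ChildItem -LiteralPath $chartDir -File -Force |
        Where-Object { $chartNames -contains $_.Name })
} else {
    Write-Warning "Folder not found, check `$ServerRoot: $chartDir"
}

# Check 2: install.bat in the Public profile
if (Test-Path -LiteralPath $installBat -PathType Leaf) {
    $findings += @(Get-Item -LiteralPath $installBat -Force)
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the files listed in the advisory were found.'
} else {
    Write-Warning "$($findings.Count) file(s) listed in the advisory are present."
    # Keep path, timestamps and hash for the incident record before the machine is formatted
    $findings | ForEach-Object {
        [pscustomobject]@{
            Path             = $_.FullName
            Length           = $_.Length
            CreationTimeUtc  = $_.CreationTimeUtc
            LastWriteTimeUtc = $_.LastWriteTimeUtc
            SHA256           = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-List
}
```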
What should I do if my machine is compromised?
- If any of these files (logger.txt, logger.zip, mdmlogs.zip, managedprofile_mdmlogs.zip) is present under the folder \ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\_chart, follow the steps below to apply the fix:
  - Disconnect the machine from your network.
  - Make a copy of the scheduled backup (dbbackup) taken on or before March 5, 2020, and move this copy to another machine.
  - Format the compromised machine.
  - Install the Endpoint Central EXE. (Note: The build version of the new EXE should be the same as that of your backed-up build). Visit this link to procure the EXE for your build number.
  - Restore the backup, and start the server. It is highly recommended to utilize a different hardware setup for the new installation.
  - Once the server is up and running, upgrade to the latest build, 10.0.479.
- If you spot C:\Users\Public\install.bat, follow the mitigation steps below:
  - Disconnect the machine from your network.
  - Look for any service with the name “StorSyncSvc” that has the display name “Storage Sync Service”, and disable this service immediately.
  - Add a firewall rule to block both inbound and outbound connections to the IP addresses 3.0.19.24, 193.169.255.102, 171.25.193.78, 23.227.206.166, 66.42.98.220, 91.208.184.78 and 74.82.201.8.
  - Make a copy of the scheduled backup (dbbackup) taken on or before March 5, 2020, and move this copy to another machine.
  - Format the compromised machine.
  - Install the Endpoint Central EXE. (Note: The build version of the new EXE should be the same as that of your backed-up build). Visit this link to procure the EXE for your build number.
  - Restore the backup, and start the server. It is highly recommended to utilize a different hardware setup for the new installation.
  - Once the server is up and running, upgrade to the latest build, 10.0.479.
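The service and firewall steps from the list above as PowerShell, run from an elevated session. This is an added example, not ManageEngine's code; the firewall rule names are hypothetical, and the NetSecurity cmdlets are assumed to be available (Windows Server 2012 or later).

```powershell
# --- Service step: StorSyncSvc / "Storage Sync Service" ---
$svc = Get-Service -Name 'StorSyncSvc' -ErrorAction SilentlyContinue
if ($svc -and $svc.DisplayName -eq 'Storage Sync Service') {
    # Record the service's binary path and state before changing anything
    Get-CimInstance -ClassName Win32_Service -Filter "Name='StorSyncSvc'" |
        Select-Object Name, DisplayName, State, StartMode, PathName |
        Format-List

    Stop-Service -Name 'StorSyncSvc' -Force -ErrorAction SilentlyContinue
    Set-Service  -Name 'StorSyncSvc' -StartupType Disabled
    Write-Output 'StorSyncSvc stopped and disabled.'
} else {
    Write-Output 'No service named StorSyncSvc with display name "Storage Sync Service" found.'
}

# --- Firewall step: block the addresses listed in the advisory, both directions ---
$blockedIps = '3.0.19.24', '193.169.255.102', '171.25.193.78', '23.227.206.166',
              '66.42.98.220', '91.208.184.78', '74.82.201.8'

foreach ($direction in 'Inbound', 'Outbound') {
    $ruleName = "CVE-2020-10189 block ($direction)"   # hypothetical rule name
    # Skip creation if the rule already exists, so the script can be re-run
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName `
                            -Direction $direction `
                            -Action Block `
                            -RemoteAddress $blockedIps `
                            -Profile Any | Out-Null
    }
}

# Show what the rules actually cover
Get-NetFirewallRule -DisplayName 'CVE-2020-10189 block*' | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        Action        = $_.Action
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    }
} | Format-List
```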
What should I do if my machines have not been compromised?
Upgrade to the latest build, 10.0.479, if the vulnerability has not been detected in your network. If you face any difficulties in applying the patch, you can follow the steps below to manually fix the vulnerability.
- Remove the content below from the file web.xml in the path \ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\WEB-INF\web.xml.
  <servlet-mapping>
    <servlet-name>MDMLogUploaderServlet</servlet-name>
    <url-pattern>/mdm/mdmLogUploader</url-pattern>
    <url-pattern>/mdm/client/v1/mdmLogUploader</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>MDMLogUploaderServlet</servlet-name>
    <servlet-class>com.me.mdm.onpremise.webclient.log.MDMLogUploaderServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CewolfServlet</servlet-name>
    <url-pattern>/cewolf/*</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>CewolfServlet</servlet-name>
    <servlet-class>de.laures.cewolf.CewolfRenderer</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>overliburl</param-name>
      <param-value>/js/overlib.js</param-value>
    </init-param>
    <init-param>
      <param-name>storage</param-name>
      <param-value>de.laures.cewolf.storage.FileStorage</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
- After removing this content, restart the Endpoint Central service.
Disclaimer: After following the aforementioned steps for manual mitigation, Endpoint Central users will not be able to upload logs from a mobile device.
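A check that the manual edit took effect: it parses web.xml and lists any declaration or mapping that remains for the two servlets. This is an added example, not ManageEngine's code; the C: drive in the path is an assumption.

```powershell
# Assumption: install drive. The advisory gives the path without a drive letter.
$webXml = 'C:\ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\WEB-INF\web.xml'
$names  = 'MDMLogUploaderServlet', 'CewolfServlet'

$doc = New-Object System.Xml.XmlDocument
$doc.XmlResolver = $null          # do not fetch external DTDs or entities while parsing
$doc.Load($webXml)

# local-name() keeps the query working whether or not web.xml declares a default namespace
$xpath = "//*[local-name()='servlet' or local-name()='servlet-mapping']"

$remaining = foreach ($node in $doc.SelectNodes($xpath)) {
    $nameNode = $node.SelectSingleNode("*[local-name()='servlet-name']")
    if ($nameNode -and ($names -contains $nameNode.InnerText.Trim())) {
        $patterns = $node.SelectNodes("*[local-name()='url-pattern']") |
            ForEach-Object { $_.InnerText.Trim() }
        [pscustomobject]@{
            Element     = $node.LocalName
            ServletName = $nameNode.InnerText.Trim()
            UrlPatterns = $patterns -join ', '
        }
    }
}

if ($remaining) {
    Write-Warning 'web.xml still declares or maps the servlets the advisory says to remove:'
    $remaining | Format-Table -AutoSize
} else {
    Write-Output 'Neither MDMLogUploaderServlet nor CewolfServlet is declared or mapped in web.xml.'
}
```

Commented-out XML is not matched, so a block that was commented out rather than deleted also reports as removed.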
Contact Us
Should you have any further questions, please email dc-zeroday@manageengine.com or reach out to us using our toll-free number, +1-888-720-9500.