What is the unauthenticated RCE vulnerability (CVE-2020-10189)?
The Remote Code Execution (RCE) vulnerability (CVE-2020-10189) lets attackers execute arbitrary code on the server without authentication.
How can I verify that my system has been compromised?
The following list of files should not be present in your system:
(i) 2.exe
(ii) logger.txt
(iii) logger.zip
(iv) mdmlogs.zip
(v) managed_mdmlogs.zip
(vi) StorSyncSvc.dll
If any of the above files are present in your system, especially in C:\ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\_chart, then the system has been compromised.
What is the first step after I have identified that my system has been compromised?
The first step is to isolate the server machine by disconnecting it from the network. Ensure that the server is not accessible remotely.
What are the steps that I have to follow after my system has been compromised?
Please follow the below-given procedure if your system has been compromised:
(i) Isolate the server by disconnecting it from the network.
(ii) Take a copy of the scheduled backup (dbbackup) taken on or before 5 March 2020, and copy it to another machine.
(iii) After copying the scheduled backup to another machine, format the server machine.
(iv) Install the Endpoint Central EXE. (Note: the build version of the new EXE must be the same as the build version of your backup.) Visit the following page to procure the corresponding Endpoint Central EXE: http://archives.manageengine.com/
(v) Restore the backup and start the server. It is highly recommended to use a different hardware setup for this installation. To learn more, visit the following page:
https://www.manageengine.com/products/desktop-central/backup_restoration_desktop_central_server_incompatible.html
Note: If you have an MSSQL environment, it is highly recommended to restore using the scheduled DB backup. In an MSSQL environment, the file system is maintained on the server machine, whereas the DB data is maintained on a separate machine. Therefore, when the server is restored from a snapshot, only the file system is reverted and not the DB data. Hence, restoring from the scheduled DB backup is highly recommended.
My server does not have the "_chart" folder. Does this mean that the system has not been compromised?
Yes; however, please check whether the file "install.bat" exists at C:\Users\Public\install.bat. If there is no "install.bat" file, then the system has not been compromised. Otherwise, follow the steps given in this document: https://www.manageengine.com/products/desktop-central/rce-vulnerability-cve-2020-10189.html
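The two checks described above (the indicator files under the "_chart" folder and the "install.bat" fallback) combined into one read-only sweep. This is an added example, not a ManageEngine script: the install root C:\ManageEngine\DesktopCentral_Server and the file names are taken from this FAQ (both spellings of the mdmlogs archive that appear on the page are included), while the parameter name, the CSV output path and the exit codes are assumptions for this example. It records path, size and timestamps for the incident record and does not delete anything.

```powershell
# Added example (not ManageEngine's code): sweep an Endpoint Central / Desktop Central
# server for the indicator files named in the CVE-2020-10189 FAQ.
# $InstallRoot defaults to the path the FAQ gives; set it if your install differs.
param(
    [string]$InstallRoot = 'C:\ManageEngine\DesktopCentral_Server'
)

# File names the FAQ says should not be present.
$IndicatorNames = @(
    '2.exe', 'logger.txt', 'logger.zip', 'mdmlogs.zip',
    'managed_mdmlogs.zip', 'managedprofile_mdmlogs.zip', 'StorSyncSvc.dll'
)

$ChartDir   = Join-Path $InstallRoot 'webapps\DesktopCentral\_chart'
$InstallBat = 'C:\Users\Public\install.bat'   # fallback indicator from the FAQ

# 1. Walk the whole install tree (not only _chart) and flag any indicator name.
#    Name matching in PowerShell is case-insensitive, which is what we want here.
$Findings = @(
    Get-ChildItem -LiteralPath $InstallRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $IndicatorNames -contains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                InChartFolder = ($_.DirectoryName -eq $ChartDir)
                Bytes         = $_.Length
                CreatedUtc    = $_.CreationTimeUtc
                ModifiedUtc   = $_.LastWriteTimeUtc
            }
        }
)

# 2. The FAQ's check for servers without a _chart folder.
if (-not (Test-Path -LiteralPath $ChartDir)) {
    Write-Host "No _chart folder under $InstallRoot; checking $InstallBat as the FAQ directs."
}
if (Test-Path -LiteralPath $InstallBat) {
    $f = Get-Item -LiteralPath $InstallBat
    $Findings += [pscustomobject]@{
        Path          = $f.FullName
        InChartFolder = $false
        Bytes         = $f.Length
        CreatedUtc    = $f.CreationTimeUtc
        ModifiedUtc   = $f.LastWriteTimeUtc
    }
}

# 3. Report. Exit code 2 (assumed convention) lets a scheduled job raise an alert.
if ($Findings.Count -eq 0) {
    Write-Host 'No indicator files found.'
    exit 0
}

Write-Host 'INDICATOR FILES PRESENT - treat the server as compromised and isolate it from the network:'
$Findings | Format-Table -AutoSize

# Keep a record for the support team / forensics before any cleanup is done.
$ReportPath = Join-Path $env:TEMP 'cve-2020-10189-findings.csv'
$Findings | Export-Csv -NoTypeInformation -Path $ReportPath
Write-Host "Findings written to $ReportPath"
exit 2
```

Run it in an elevated PowerShell session on the server (e.g. `.\sweep.ps1 -InstallRoot 'D:\ManageEngine\DesktopCentral_Server'` if the product is installed elsewhere). Because it only reads metadata, it can be run before the server is isolated without disturbing evidence; the CSV is what you would attach when sending logs to support.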
What further steps can be taken to better protect my server from the RCE vulnerability?
You can add a firewall rule to block both inbound and outbound connections for the following IP addresses:
(i) 66.42.98.220
(ii) 74.82.201.8
(iii) 91.208.184.78
You can also whitelist the IP addresses that can access the server.
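The block rule described above, written for Windows Defender Firewall with the built-in NetSecurity cmdlets. This is an added example, not a ManageEngine script: the three addresses are the ones listed in this FAQ, while the rule name prefix is an assumption. It creates one inbound and one outbound block rule, replaces any existing rule of the same name so it can be re-run safely, and then prints the rules back with their address filters so you can confirm they took effect.

```powershell
# Added example (not ManageEngine's code): block the addresses named in the
# CVE-2020-10189 FAQ in both directions and verify the resulting rules.
# Run from an elevated PowerShell session on the Endpoint Central server.
$BlockedAddresses = @('66.42.98.220', '74.82.201.8', '91.208.184.78')   # from the FAQ
$RulePrefix       = 'CVE-2020-10189 block'                              # assumed name prefix

foreach ($direction in 'Inbound', 'Outbound') {
    $name = "$RulePrefix ($direction)"

    # Idempotent: remove a rule with the same display name instead of creating a duplicate.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $name
    }

    # -Profile Any applies the rule on Domain, Private and Public profiles alike,
    # so the block holds even if the server's network category changes.
    New-NetFirewallRule -DisplayName $name `
                        -Direction $direction `
                        -RemoteAddress $BlockedAddresses `
                        -Action Block `
                        -Profile Any `
                        -Enabled True | Out-Null
}

# Verification: list the rules we own together with the addresses they apply to.
Get-NetFirewallRule -DisplayName "$RulePrefix*" | ForEach-Object {
    $addresses = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    '{0,-32} {1,-9} {2,-6} {3}' -f $_.DisplayName, $_.Direction, $_.Action, $addresses
}
```

Block rules take precedence over allow rules in Windows Defender Firewall, so these work regardless of the allow rules the product installer created. The FAQ's second suggestion, allowing only specific IP addresses to reach the server, is not shown here: an allow rule on its own does not restrict anything while a broader allow rule for the same port still exists, so that change has to be planned against your existing rule set and console port rather than applied as a one-liner.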
Having the "_chart" folder on the server doesn't always mean that the system is compromised. Is this true?
Yes, having the "_chart" folder doesn't always mean that the system is compromised. This folder was introduced in earlier builds of Endpoint Central. The system is only vulnerable if any of the following files are present in the "_chart" folder: 2.exe, logger.txt, logger.zip, mdmlogs.zip, managedprofile_mdmlogs.zip. To learn more, visit the following page: https://www.manageengine.com/products/desktop-central/rce-vulnerability-cve-2020-10189.html
What steps have to be followed for an Endpoint Central server hosted with a failover server (secondary server)? Will upgrading to Endpoint Central build 10.0.479 solve the issue? Are there separate steps to be followed?
If the system was not compromised, upgrading to Endpoint Central server build 10.0.479 is sufficient. Otherwise, follow the steps given below:
(i) Restore the primary server and then remove the failover server.
(ii) After restoring the primary server, clone the primary server to set up the failover server (secondary server). To learn more, visit the following page: https://www.manageengine.com/products/desktop-central/rce-vulnerability-cve-2020-10189.html
After restoring the VM, the suspicious files do not seem to be present. Does this mean that the VM is no longer compromised? Does this affect any other machine in the network or the Distribution Server?
If the suspicious files are not present, then the Endpoint Central server can be upgraded to build 10.0.479. This vulnerability will not affect other machines or the Distribution Server in your network. If there are any suspicious files, then disconnect the machine from the network and follow the steps given in this document: https://www.manageengine.com/products/desktop-central/help/configuring_desktop_central/configuring_failover_server.html
What are the consequences if the aforementioned files are present in the server directory?
Any of the following could have happened:
(i) Data under the following registry hives could have been read:
-> SystemCertificates Hive
-> Cryptography Hive
-> CurrentControlSet
(ii) The DLL files in System32 could have been modified by injecting arbitrary code.
(iii) The server could have been remotely accessed without authentication.
(iv) The admin password could have been compromised.
I have other ManageEngine products on the Endpoint Central server computer and I cannot shut down the machine. What is the solution in this case?
Please follow the below-given procedure:
(i) Disconnect the server machine from the network.
(ii) Send the log files to the Endpoint Central support team (desktopcentral-support@manageengine.com) for analysis.
(iii) Delete the malicious files that have been listed in question number 8.
(iv) Upgrade to Endpoint Central build 10.0.479.
(v) Run a complete Antivirus scan.
My Endpoint Central build number is lower than 10.0.479. Should I upgrade to 10.0.479?
Yes, it is highly recommended to upgrade to Endpoint Central build 10.0.479.
I have received the email alert regarding the RCE vulnerability from the security team and I do not have any suspicious files in the server directory. Is it still required to upgrade to the recommended build?
Yes, it is extremely important to upgrade to Endpoint Central build 10.0.479.
My system was compromised before upgrading to Endpoint Central build 10.0.479. Is restoring the only way?
If the system was compromised before the upgrade, then restore using the backup that was created before March 5, 2020. To do this, follow these steps:
(i) Isolate the server by disconnecting it from the network.
(ii) Take a copy of the scheduled backup (dbbackup) taken on or before 5 March 2020, and copy it to another machine.
(iii) After copying the scheduled backup to another machine, format the server machine.
(iv) Install the Endpoint Central EXE. (Note: the build version of the new EXE must be the same as the build version of your backup.) Visit the following page to procure the corresponding Endpoint Central EXE: http://archives.manageengine.com/
(v) Restore the backup and start the server. It is highly recommended to use a different hardware setup for this installation. To learn more, visit the following page:
https://www.manageengine.com/products/desktop-central/backup_restoration_desktop_central_server_incompatible.html
(vi) Once the server is up and running, upgrade to the latest build. Visit this link to upgrade to 10.0.479: https://www.manageengine.com/products/desktop-central/service-packs.html