Security advisory

RCE vulnerability when integrating with Analytics Plus.

CVE ID : CVE-2022-40770

Product Name	Severity	Affected Version(s)	Fixed Version(s)	Fixed On
ServiceDesk Plus	Medium	13010 and below	13011	Sept. 27, 2022
ServiceDesk Plus MSP	Medium	10610 and below	13000	Oct 13, 2022
SupportCenter Plus	Medium	11025 and below	11026	Oct. 28, 2022

Details

The input fields needed to configure the Analytics Plus integration with ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus are vulnerable to remote command execution (RCE). Threat actors with admin role access can add malicious commands or scripts to these input fields during the setup of the integration and execute them.

Impact

This vulnerability allows a threat actor with admin role access to execute arbitrary commands and carry out any subsequent attacks.

Steps to upgrade

1. Download the latest upgrade pack from the following links for the respective product:
   • ServiceDesk Plus - https://www.manageengine.com/products/service-desk/on-premises/migration-sequence.html
   • ServiceDesk Plus MSP - https://www.manageengine.com/products/service-desk-msp/service-packs-hotfix.html
   • SupportCenter Plus - https://www.manageengine.com/products/support-center/service-packs.html
2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

Acknowledgements

This vulnerability was reported by Piotr Bazydlo (@chudypb) of Trend Micro's Zero Day Initiative.

If you have any questions or concerns, please contact product support for further details at the below-mentioned email addresses.

ServiceDesk Plus: support@servicedeskplus.com

ServiceDesk Plus MSP: support@servicedeskplusmsp.com

SupportCenter Plus: support@supportcenterplus.com