This document explains the unauthenticated remote code execution vulnerability in Endpoint Central MSP which was reported by Steven Seeley of Source Incite. The short-term fix for the arbitrary file upload vulnerability was released in build 10.0.474 on January 20, 2020. In continuation of that, the complete fix for the remote code execution vulnerability is now available in build 10.0.479.
Note: This vulnerability will not affect Secure Gateway Server. Customers using builds that include the short-term fix are not vulnerable to this exploit.
This vulnerability could allow remote attackers to execute arbitrary code on affected installations of Endpoint Central MSP. Authentication is not required to exploit this vulnerability.
Please update to the latest version 10.0.479 released on March 7, 2020.
The patch and the steps to install it can be found in this page: https://www.manageengine.com/desktop-management-msp/service-packs.html.
If you face any difficulties in applying patch, you can follow manual steps given below to fix the vulnerability.
<servlet-mapping>
<servlet-name>MDMLogUploaderServlet</servlet-name>
<url-pattern>/mdm/mdmLogUploader</url-pattern>
<url-pattern>/mdm/client/v1/mdmLogUploader</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>MDMLogUploaderServlet</servlet-name>
<servlet-class>com.me.mdm.onpremise.webclient.log.MDMLogUploaderServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>CewolfServlet</servlet-name>
<url-pattern>/cewolf/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>CewolfServlet</servlet-name>
<servlet-class>de.laures.cewolf.CewolfRenderer</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>overliburl</param-name>
<param-value>/js/overlib.js</param-value>
</init-param>
<init-param>
<param-name>storage</param-name>
<param-value>de.laures.cewolf.storage.FileStorage</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>Disclaimer: After following the mitigation steps listed above, Endpoint Central MSP users will not be able to upload logs from a mobile device.
Keywords: Security Updates, Vulnerabilities and Fixes, SRC-2020-0011.