Summary
This advisory concerns an authentication bypass vulnerability affecting specific URLs in the ManageEngine ServiceDesk Plus application, which allows an unauthenticated attacker to gain access to an organisation's data held in ServiceDesk Plus. By manipulating one of these URLs in the assets module with an appropriate character-set substitution, an attacker can bypass authentication, retrieve the requested data and use the resulting access to carry out further attacks.
There is no publicly known proof-of-concept exploit code for this vulnerability; however, there is public reporting that describes its use by APT groups to gain access to victims' systems and deploy webshells.
Jisc are not currently able to carry out Janet-wide scans for this vulnerability.
Vulnerable Versions:
- Versions 11305 and below
Recommendation(s):
- Upgrade the ServiceDesk Plus application to version 11306 or later
- Review all files created in ServiceDesk Plus directories since early October 2021 for signs of compromise, such as webshells dropped after exploitation
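The file review recommended above is easier to do consistently with a script. The following is an added example for this advisory, not tooling from Jisc or ManageEngine: it lists every regular file under an install tree whose modification time is after a cut-off (here 30 September 2021 23:59, so that anything from 1 October onwards is included), and separately flags extensions typically used for webshells on a Java/Tomcat application. The install path and the extension list are assumptions of the example. Note that it keys on modification time, which an attacker can alter, so an empty result is not proof of a clean system.

```shell
#!/bin/sh
# Added example (not part of the original advisory): enumerate files changed in
# a ServiceDesk Plus install tree since a cut-off date, to support the
# "review all files created since early October 2021" recommendation.

# list_files_since DIR YYYYMMDDhhmm
# Prints every regular file under DIR modified after the given timestamp.
# Uses a reference file plus 'find -newer', which is POSIX and does not rely
# on GNU find's -newermt. '-newer' is strictly newer, so pass the minute
# before the first one you want included (e.g. 202109302359 for 1 Oct 2021).
list_files_since() {
    dir="$1"
    stamp="$2"
    ref=$(mktemp) || return 1
    # Set the reference file's mtime to the cut-off; find compares against it.
    if ! touch -t "$stamp" "$ref"; then
        rm -f "$ref"
        return 1
    fi
    find "$dir" -type f -newer "$ref" | sort
    status=$?
    rm -f "$ref"
    return $status
}

# flag_web_content
# Reads a file list on stdin and prints only names with extensions commonly
# used for webshells on a Java/Tomcat app. The list is a heuristic assumption
# of this example; review the complete output of list_files_since as well.
# Returns 0 even when nothing matches, so it is safe under 'set -e'.
flag_web_content() {
    grep -Ei '\.(jsp|jspx|class|jar|war)$' || [ $? -eq 1 ]
}

# Usage: sh review.sh /opt/ManageEngine/ServiceDesk [YYYYMMDDhhmm]
# (install path is an assumption; substitute your own)
if [ $# -ge 1 ]; then
    all=$(list_files_since "$1" "${2:-202109302359}") || exit 1
    printf 'Files modified since cut-off:\n%s\n\n' "$all"
    printf 'Flagged (webshell-like extensions):\n'
    printf '%s\n' "$all" | flag_web_content
fi
```

Run it against the ServiceDesk Plus install directory on the host; compare the flagged JSP/class files against a known-good copy of the same build or the vendor's file list before deleting anything, since legitimate application files will also appear if the server was patched or upgraded in that window.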
References:
- ManageEngine ServiceDesk Plus version history / migration sequence: upgrade or update to the latest build, download an older version
- Hackers use in-house Zoho ServiceDesk exploit to drop webshells (bleepingcomputer.com)
Questions:
If you have any questions or concerns about this advisory, please contact us via our support desk – support@empsn.org.uk