CVE-2020-35682
📋 TL;DR
This vulnerability lets an attacker bypass authentication during SAML login to Zoho ManageEngine ServiceDesk Plus. Deployments running a build before 11134 with SAML login enabled are exposed to unauthorized access without valid credentials.
💻 Affected Systems
- Zoho ManageEngine ServiceDesk Plus (on-premises builds before 11134, with SAML authentication enabled)
📦 What is this software?
ServiceDesk Plus is ManageEngine's (a Zoho division) IT service management and help desk application. The on-premises edition supports SAML single sign-on, and that SAML login path is the component affected here.
⚠️ Risk & Real-World Impact
Worst Case
An attacker bypasses SAML login as a privileged account and gains administrative access to the ServiceDesk Plus instance, exposing IT service management data and customer information and providing a foothold for further attacks inside the network.
Likely Case
An attacker bypasses SAML login as an ordinary user and gains access to the ServiceDesk Plus portal with standard privileges, allowing them to view and potentially modify tickets, user data, and other service desk records.
If Mitigated
With the upgrade applied, or with SAML disabled and access restricted to trusted networks, impact is confined to the ServiceDesk Plus application itself, with no path to lateral movement into other systems.
🎯 Exploit Status
Authentication bypasses of this kind are attractive targets because they require no credentials and give direct access to the application; treat unpatched, SAML-enabled instances as exposed and prioritize the upgrade.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11134
Vendor Advisory: https://www.manageengine.com/products/service-desk/on-premises/readme.html#11134
Restart Required: Yes
Instructions:
1. Back up the current installation (application files and database).
2. Download ServiceDesk Plus build 11134 or later from the ManageEngine website.
3. Run the installer to upgrade.
4. Restart the ServiceDesk Plus service.
🔧 Temporary Workarounds
Disable SAML Authentication
Temporarily disable SAML authentication and have users log in through the alternative authentication method until the upgrade to build 11134 or later is complete.
🧯 If You Can't Patch
- Restrict network access to the ServiceDesk Plus instance to trusted IP ranges only, and do not expose the login interface to the internet.
- Enable detailed logging of authentication attempts (SAML and local) and alert on suspicious login patterns such as successful logins from unexpected sources.
🔍 How to Verify
Check if Vulnerable:
Check the ServiceDesk Plus build number on the application's About page or in the admin console. If the build is below 11134 and SAML authentication is enabled, the instance is vulnerable.
Check Version:
Check via web interface at https://[server]:[port]/api/json/version or in application admin console
Verify Fix Applied:
After upgrading, confirm the build number shows 11134 or higher, then test that SAML login still works for a known-good user.
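The version check above, as an added example that is not part of the original advisory: it parses the build number out of a version string like the one shown on the About page and applies the rule "build below 11134 and SAML enabled means vulnerable". The exact wording of the version strings and the `saml_enabled` flag are assumptions for this example; read the real values from your own admin console.

```python
import re

# First ServiceDesk Plus build that contains the fix for CVE-2020-35682.
FIXED_BUILD = 11134

# Assumed version-string shapes; the real About page text may differ.
BUILD_RE = re.compile(r"[Bb]uild\s*[:#]?\s*(\d{4,6})")


def parse_build(version_text):
    """Extract the numeric build from strings such as 'Build 11127'
    or 'ServiceDesk Plus 11.1 (Build 11134)'."""
    m = BUILD_RE.search(version_text)
    if not m:
        raise ValueError(f"no build number found in {version_text!r}")
    return int(m.group(1))


def is_vulnerable(version_text, saml_enabled):
    """Vulnerable only when the build predates the fix AND SAML login is enabled."""
    return parse_build(version_text) < FIXED_BUILD and saml_enabled


def fix_applied(version_text):
    """True once the running build is 11134 or later."""
    return parse_build(version_text) >= FIXED_BUILD


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    for text, saml in [("ServiceDesk Plus 11.0 (Build 11127)", True),
                       ("ServiceDesk Plus 11.0 (Build 11127)", False),
                       ("Build 11134", True)]:
        print(text, "saml_enabled=%s" % saml, "vulnerable=%s" % is_vulnerable(text, saml))
```

Disabling SAML only removes the vulnerable login path; it does not make an old build safe to leave in place, so `fix_applied` is the condition to track until the upgrade is done.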
📡 Detection & Monitoring
Log Indicators:
- Unusual patterns in the SAML login logs, such as successful SAML logins for accounts that do not normally use SAML
- Successful logins from unexpected source IP addresses or networks
- A burst of failed authentication attempts from one source followed by a successful login
Network Indicators:
- Unusual traffic patterns to SAML endpoints
- Authentication requests from unexpected sources
SIEM Query:
source="servicedesk" (event_type="authentication" OR saml_auth) result="success" | stats count BY src_ip, user | where count > 10
(Splunk-style search; the field names depend on how your ServiceDesk Plus logs are parsed, and the threshold of 10 is an example value to tune against your own baseline.)
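The three log indicators and the SIEM query above, implemented over sample log lines as an added example that is not part of the original advisory. The log line format, the field names and the trusted network range are assumptions made for this example; ServiceDesk Plus writes its own log format, so adapt the regular expression to whatever your collector produces.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real ServiceDesk Plus output). The format is
# an assumption for this example:
#   <ISO timestamp> auth=<saml|local> user=<name> src=<ip> result=<success|failure>
SAMPLE_LOGS = """\
2020-12-20T09:00:01 auth=saml user=alice src=10.0.5.12 result=success
2020-12-20T09:05:10 auth=saml user=admin src=203.0.113.7 result=failure
2020-12-20T09:05:14 auth=saml user=admin src=203.0.113.7 result=failure
2020-12-20T09:05:19 auth=saml user=admin src=203.0.113.7 result=failure
2020-12-20T09:05:40 auth=saml user=admin src=203.0.113.7 result=success
2020-12-20T09:30:00 auth=local user=bob src=10.0.5.40 result=success
2020-12-20T10:00:00 auth=saml user=carol src=10.0.5.41 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<auth>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\w+)$"
)

# Networks from which SAML logins are expected (assumed corporate range).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_logs(text):
    """Turn the raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["src"] = ipaddress.ip_address(e["src"])
        events.append(e)
    return events


def untrusted_successes(events):
    """Indicator: successful SAML logins from outside the trusted ranges."""
    return [
        e for e in events
        if e["auth"] == "saml" and e["result"] == "success"
        and not any(e["src"] in net for net in TRUSTED_NETS)
    ]


def failures_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Indicator: per (src, user), at least min_failures failures within `window`
    immediately followed by a success. Returns (src, user, failures, success_ts)."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src"], e["user"])].append(e)
    hits = []
    for (src, user), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        recent_failures = []
        for e in evs:
            if e["result"] == "failure":
                recent_failures.append(e["ts"])
                # keep only failures inside the sliding window
                recent_failures = [t for t in recent_failures if e["ts"] - t <= window]
            elif e["result"] == "success":
                if len(recent_failures) >= min_failures:
                    hits.append((str(src), user, len(recent_failures), e["ts"]))
                recent_failures = []
    return hits


def success_counts(events):
    """Equivalent of the SIEM 'stats count BY src_ip, user' over successful logins;
    apply your own threshold to the returned counts."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "success":
            counts[(str(e["src"]), e["user"])] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for e in untrusted_successes(evs):
        print("untrusted SAML success:", e["user"], e["src"], e["ts"])
    for hit in failures_then_success(evs):
        print("failures then success:", hit)
    print("success counts:", success_counts(evs))
```

Run against the sample, only the `admin` login from 203.0.113.7 trips the first two indicators; the count-by-source view is what you would threshold in the SIEM once you know the normal login volume per user.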