CVE-2020-35765
📋 TL;DR
This vulnerability allows authenticated attackers to execute SQL injection attacks via the resourceid parameter in Zoho ManageEngine Applications Manager. Attackers can potentially read, modify, or delete database contents. All users running affected versions of ManageEngine Applications Manager are at risk.
💻 Affected Systems
- Zoho ManageEngine Applications Manager
📦 What is this software?
Manageengine Applications Manager by Zohocorp
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the database, including exfiltration of sensitive data, modification of application data, or potential remote code execution through database functions.
Likely Case
Unauthorized data access, privilege escalation, or data manipulation within the Applications Manager database.
If Mitigated
Limited impact with proper input validation, parameterized queries, and database permission restrictions in place.
🎯 Exploit Status
Exploitation requires authenticated access but uses simple SQL injection techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15000 and later
Vendor Advisory: https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2020-35765.html
Restart Required: Yes
Instructions:
1. Download version 15000 or later from the ManageEngine website.
2. Back up the current installation.
3. Stop the Applications Manager service.
4. Install the update.
5. Restart the service.
🔧 Temporary Workarounds
Input Validation Filter
Implement web application firewall rules or input validation to block SQL injection patterns in the resourceid parameter.
Database Permission Reduction
Restrict database user permissions to the minimum required for application functionality.
🧯 If You Can't Patch
- Implement network segmentation to restrict access to Applications Manager to authorized users only
- Enable detailed logging and monitoring for SQL injection attempts in application logs
🔍 How to Verify
Check if Vulnerable:
Check Applications Manager version in admin console or installation directory. Versions 14930 and earlier are vulnerable.
Check Version:
Check Help > About in Applications Manager web interface or examine build.properties file in installation directory.
Verify Fix Applied:
Verify version is 15000 or later and test showresource.do endpoint with SQL injection test payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by showresource.do requests
- SQL syntax errors in application logs
Network Indicators:
- HTTP POST requests to showresource.do with unusual resourceid parameter values
- SQL error messages in HTTP responses
SIEM Query:
source="applications_manager" AND (uri="*showresource.do*" AND (param="*resourceid*" AND value="*' OR *"))
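The Input Validation Filter workaround and the detection indicators above both come down to the same check: does the resourceid value sent to showresource.do look like an identifier, or like SQL? The script below is an added example, not part of this advisory or of ManageEngine's product; it assumes resourceid is normally a plain integer, uses a constructed combined-log-style line format (not the product's real log layout), and mirrors the `' OR` marker from the SIEM query above.

```python
"""Flag suspicious resourceid values in constructed Applications Manager access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate resourceid is an integer; anything else is suspect.
RESOURCEID_OK = re.compile(r"^\d+$")
# Common SQL-injection markers; the quote and "OR" mirror the SIEM query on this page.
SQLI_MARKERS = re.compile(r"'|--|/\*|\bOR\b|\bUNION\b|\bSELECT\b", re.IGNORECASE)
# Constructed log layout: ip ident user [timestamp] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines, not real traffic. Parameters are assumed to appear in
# the request target; for POST bodies, pass the decoded body value to classify_resourceid.
SAMPLE_LOG = [
    '10.0.0.5 - admin [03/Jan/2021:10:15:01 +0000] "GET /showresource.do?resourceid=10000041 HTTP/1.1" 200',
    '10.0.0.9 - alice [03/Jan/2021:10:16:22 +0000] "GET /showresource.do?resourceid=1%27%20OR%201 HTTP/1.1" 500',
    '10.0.0.9 - alice [03/Jan/2021:10:16:30 +0000] "GET /showresource.do?resourceid=abc HTTP/1.1" 200',
    '10.0.0.7 - bob [03/Jan/2021:10:17:00 +0000] "GET /index.do HTTP/1.1" 200',
]


def classify_resourceid(value):
    """Return None for a benign value, otherwise a short reason string (usable as a WAF/validation rule)."""
    if RESOURCEID_OK.match(value):
        return None
    if SQLI_MARKERS.search(value):
        return "sql-injection-pattern"
    return "non-numeric"


def scan_log(lines):
    """Return (ip, user, resourceid, reason) for each showresource.do request with a suspicious resourceid."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/showresource.do"):
            continue
        # parse_qs percent-decodes, so %27%20OR becomes the literal ' OR seen by the application.
        for rid in parse_qs(parts.query).get("resourceid", []):
            reason = classify_resourceid(rid)
            if reason:
                findings.append((m.group("ip"), m.group("user"), rid, reason))
    return findings


if __name__ == "__main__":
    for ip, user, rid, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} user={user} resourceid={rid!r} -> {reason}")
```

Correlate hits by source address and user with the HTTP status (500s alongside injection markers point at the SQL syntax errors listed above) before raising an alert.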
🔗 References
- https://www.manageengine.com
- https://www.manageengine.com/products/applications_manager/issues.html#v15000
- https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2020-35765.html
- https://www.tenable.com/security/research/tra-2021-02