CVE-2021-20110

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to execute arbitrary code with SYSTEM privileges on ManageEngine Asset Explorer Agent installations by exploiting an integer overflow during HTTPS certificate validation. It affects Asset Explorer Agent version 1.0.34 and earlier. Attackers on the same network can impersonate the legitimate server to trigger the exploit.

💻 Affected Systems

Products:
  • ManageEngine Asset Explorer Agent
Versions: 1.0.34 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The agent must be deployed and communicating with a ManageEngine Asset Explorer server. Vulnerability exists in default HTTPS certificate validation configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full SYSTEM-level remote code execution on all vulnerable agents, allowing complete compromise of managed systems, data theft, and lateral movement.

🟠 Likely Case

Attacker gains SYSTEM privileges on vulnerable agent machines, enabling installation of malware, credential harvesting, and persistence mechanisms.

🟢 If Mitigated

If network segmentation and certificate validation are properly implemented, exploitation requires physical network access or compromise of internal systems first.

🌐 Internet-Facing: LOW - The agent typically communicates with internal management servers, not directly internet-facing.
🏢 Internal Only: HIGH - Attackers on the internal network can exploit this without authentication to gain SYSTEM privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the agent's communication channel. Tenable's research includes technical details and exploitation methodology.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.35 or later

Vendor Advisory: https://www.manageengine.com/products/asset-explorer/sp-readme.html

Restart Required: Yes

Instructions:

1. Download Asset Explorer Agent version 1.0.35 or later from ManageEngine.
2. Deploy the updated agent to all managed systems.
3. Restart the agent service on all systems.
4. Verify that agents are reporting with the new version.

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Isolate Asset Explorer Agent traffic to prevent attackers from intercepting or spoofing server communications.

Certificate Pinning Enforcement

Platform: windows

Configure agents to validate server certificates strictly and reject connections to untrusted servers.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Asset Explorer Agent traffic from untrusted networks
  • Deploy host-based firewalls to restrict agent communication to authorized management servers only

🔍 How to Verify

Check if Vulnerable:

Check agent version in Asset Explorer console or examine agent executable version on endpoints. Version 1.0.34 or earlier is vulnerable.

Check Version:

On Windows: Check file version of AEClient.exe or examine registry at HKLM\SOFTWARE\ManageEngine\AssetExplorer\Agent

Verify Fix Applied:

Confirm agent version is 1.0.35 or later in Asset Explorer management console and verify agents are communicating successfully.

📡 Detection & Monitoring

Log Indicators:

  • Unusual network connections to agent port (typically 80/443)
  • Failed certificate validation attempts
  • Process creation from agent executable with unusual parameters

Network Indicators:

  • NEWSCAN requests from unauthorized IP addresses
  • Large Content-Length headers (1073741823+) in POST requests to agents
  • Spoofed server IP addresses communicating with agents

SIEM Query:

source="agent_logs" AND (content_length>=1073741823 OR dest_ip!=authorized_server_ip)
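The SIEM query above written out as a runnable check, added here as an example and not part of the advisory or of ManageEngine's product: it scans constructed log lines in a hypothetical format for the three network indicators listed (NEWSCAN from a non-allowlisted address, Content-Length at or above 1073741823, and agent traffic to a server outside the allowlist). The log format, the AUTHORIZED_SERVERS allowlist and the sample addresses are assumptions.

```python
import re
# Threshold quoted in the advisory's network indicators (1073741823+).
CONTENT_LENGTH_THRESHOLD = 1073741823
# Assumed allowlist of management servers the agents may talk to (hypothetical).
AUTHORIZED_SERVERS = {"10.0.5.10"}

# Constructed log format (an assumption, not the product's own):
#   agent=<ip> peer=<ip> dir=<in|out> <METHOD> <PATH> [content_length=<n>]
# dir=in means the peer sent the request to the agent, dir=out the reverse.
LOG_RE = re.compile(
    r"^agent=(?P<agent>\S+) peer=(?P<peer>\S+) dir=(?P<dir>in|out) "
    r"(?P<method>[A-Z]+) (?P<path>\S+)(?: content_length=(?P<clen>\d+))?$"
)

def analyze_line(line, authorized=AUTHORIZED_SERVERS):
    """Indicator names firing for one line ([] = benign); None if unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    hits, trusted_peer = [], m["peer"] in authorized
    if m["dir"] == "in":
        # NEWSCAN request reaching the agent from a non-allowlisted address.
        if "NEWSCAN" in m["path"].upper() and not trusted_peer:
            hits.append("newscan_unauthorized_source")
        # Oversized Content-Length in a POST to the agent (the page's threshold).
        if (m["method"] == "POST" and m["clen"] is not None
                and int(m["clen"]) >= CONTENT_LENGTH_THRESHOLD):
            hits.append("oversized_content_length")
    elif not trusted_peer:
        # Agent talking to a server that is not on the allowlist.
        hits.append("unauthorized_destination")
    return hits

def scan(lines, authorized=AUTHORIZED_SERVERS):
    """Map suspicious lines to their indicators; also count lines that did not parse."""
    findings, unparsed = {}, 0
    for line in lines:
        hits = analyze_line(line, authorized)
        if hits is None:
            unparsed += 1
        elif hits:
            findings[line.strip()] = hits
    return findings, unparsed

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
agent=10.0.7.21 peer=10.0.5.10 dir=out POST /agent/checkin content_length=512
agent=10.0.7.21 peer=10.0.9.99 dir=in POST /NEWSCAN content_length=1073741823
agent=10.0.7.21 peer=10.0.9.99 dir=out GET /config
agent=10.0.7.21 peer=10.0.5.10 dir=in POST /NEWSCAN content_length=2048
garbage line
""".splitlines()
```

The destination allowlist does not fire when the peer address is the authorized server's own address (the spoofed-server case the indicators mention), so the Content-Length check is the one that does not depend on the peer address.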
