CVE-2021-31531
📋 TL;DR
This Server-Side Request Forgery (SSRF) vulnerability in Zoho ManageEngine ServiceDesk Plus MSP allows attackers to make unauthorized requests from the vulnerable server to internal or external systems. Attackers can potentially access sensitive internal services, perform port scanning, or interact with cloud metadata services. Organizations using ServiceDesk Plus MSP versions before 10521 are affected.
💻 Affected Systems
- Zoho ManageEngine ServiceDesk Plus MSP
📦 What is this software?
Manageengine Servicedesk Plus Msp by Zohocorp
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, cloud metadata, perform lateral movement, or use the server as a proxy for attacks against other systems, potentially leading to data exfiltration or complete system compromise.
Likely Case
Attackers would access internal services, scan internal networks, or interact with cloud metadata to obtain credentials and escalate privileges within the environment.
If Mitigated
With proper network segmentation and egress filtering, impact would be limited to the server itself or specific allowed network segments.
🎯 Exploit Status
Exploitation requires authentication but is straightforward once authenticated. Public proof-of-concept code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10521
Vendor Advisory: https://www.manageengine.com/products/service-desk-msp/readme.html#10521
Restart Required: Yes
Instructions:
1. Download ServiceDesk Plus MSP version 10521 or later from the ManageEngine website.
2. Back up the current installation and configuration.
3. Stop the ServiceDesk Plus MSP service.
4. Install the updated version.
5. Restart the service.
6. Verify that the update completed successfully.
🔧 Temporary Workarounds
Network Segmentation
Restrict outbound network access from the ServiceDesk Plus MSP server to only the services it needs
Authentication Hardening
Implement strong authentication controls and monitor for suspicious authentication attempts
🧯 If You Can't Patch
- Implement strict network egress filtering to limit the server's outbound connections
- Deploy a web application firewall (WAF) with SSRF protection rules
🔍 How to Verify
Check if Vulnerable:
Check the ServiceDesk Plus MSP version in the web interface under Help > About. If the version is below 10521, the system is vulnerable.
Check Version:
Check web interface at https://[server]:[port]/api/json/v1/about or view Help > About in the web interface
Verify Fix Applied:
Verify that the version shows 10521 or higher in the web interface under Help > About, and confirm that the SSRF is no longer exploitable.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from the ServiceDesk Plus MSP server
- Requests to internal IP addresses or cloud metadata endpoints
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- Unexpected outbound connections from ServiceDesk Plus MSP server to internal services
- Requests to cloud metadata services (169.254.169.254 for both AWS and Azure; the Azure IMDS is served under the /metadata path on that address)
SIEM Query:
source="ServiceDeskPlus" AND (dest_ip=169.254.169.254 OR dest_ip IN [internal_ranges]) AND http_method=GET
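The SIEM query above is a sketch; it leaves the internal ranges as a placeholder and only matches GET, which misses metadata-service requests that use other verbs (for example the PUT that the AWS IMDSv2 token request uses). The script below is an added example, not part of this advisory or of any ManageEngine tooling. It runs the same detection logic over a few constructed egress-proxy log lines: requests originating from the ServiceDesk Plus MSP host (assumed here to be 10.0.5.20) are flagged when they go to the cloud metadata address or to an RFC 1918 destination that is not on an allowlist of services the server legitimately needs, which is the same set you would use to build the egress-filtering workaround from the "Temporary Workarounds" section. The log line format, the server address and the allowlist entries are all assumptions made for the example.

```python
"""Flag outbound requests from a ServiceDesk Plus MSP host that match the
SSRF indicators on this page: cloud metadata endpoints and internal ranges.
The log format, host addresses and allowlist below are constructed for the
example and are not taken from any real deployment."""
import ipaddress
import re

# Constructed: address of the ServiceDesk Plus MSP server in our environment
SDP_SERVER = ipaddress.ip_address("10.0.5.20")

# Link-local address used by the AWS and Azure instance metadata services
METADATA_ADDRESSES = {ipaddress.ip_address("169.254.169.254")}

# RFC 1918 ranges; an SSRF that reaches any of these is pivoting inward
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed: internal services the SDP server legitimately talks to.
# This is the same allowlist an egress filter for the server would enforce.
ALLOWED_INTERNAL = {
    ipaddress.ip_address("10.0.5.21"),  # database server
    ipaddress.ip_address("10.0.9.8"),   # mail relay
}

# Constructed egress-proxy log line format:
# <timestamp> <src_ip> <dst_ip> <method> <url>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def classify(line):
    """Return (severity, reason) for one log line, or None if it is benign.
    Unparseable lines and lines whose destination is not an IP literal are
    skipped rather than flagged, so hostname destinations need DNS resolution
    upstream before this check is useful for them."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, src, dst, method, url = m.groups()
    try:
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        return None
    if src_ip != SDP_SERVER:
        return None  # only the vulnerable host's egress is of interest here
    # Any verb counts: SSRF is not limited to GET, and IMDSv2 uses PUT.
    if dst_ip in METADATA_ADDRESSES:
        return ("high", f"{method} to cloud metadata service {dst_ip} ({url})")
    if dst_ip in ALLOWED_INTERNAL:
        return None  # expected traffic to a dependency
    if any(dst_ip in net for net in INTERNAL_RANGES):
        return ("medium", f"{method} to unexpected internal host {dst_ip} ({url})")
    return None


def scan(lines):
    """Return a list of (line, severity, reason) for every flagged line."""
    hits = []
    for line in lines:
        result = classify(line)
        if result is not None:
            hits.append((line, result[0], result[1]))
    return hits


# Constructed sample log: one allowed dependency, two metadata requests
# (one GET, one PUT), one unexpected internal host, one external host,
# one request from a different source, and one unparseable line.
SAMPLE_LOG = [
    "2021-05-03T10:15:01Z 10.0.5.20 10.0.5.21 GET /api/health",
    "2021-05-03T10:15:02Z 10.0.5.20 169.254.169.254 GET /latest/meta-data/",
    "2021-05-03T10:15:03Z 10.0.5.20 10.0.7.44 GET /",
    "2021-05-03T10:15:04Z 10.0.5.20 93.184.216.34 GET /",
    "2021-05-03T10:15:05Z 10.0.8.3 169.254.169.254 GET /metadata/instance",
    "2021-05-03T10:15:06Z 10.0.5.20 169.254.169.254 PUT /latest/api/token",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for line, severity, reason in scan(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```

Run as a script it prints three findings: the two metadata-service requests as high and the request to the unlisted internal host as medium. The request to a public address is not flagged here because outright blocking unexpected external egress is the job of the network workaround; if you do want it surfaced, add a low-severity branch for any destination outside the allowlist.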
🔗 References
- https://cds.thalesgroup.com/en/tcs-cert/CVE-2021-31531
- https://excellium-services.com/cert-xlm-advisory/cve-2021-31531/
- https://www.manageengine.com/products/service-desk-msp/readme.html#10521