CVE-2021-37415
📋 TL;DR
CVE-2021-37415 is an authentication bypass vulnerability in Zoho ManageEngine ServiceDesk Plus where certain REST-API URLs don't require authentication. This allows attackers to access sensitive functionality without credentials. Organizations using ServiceDesk Plus versions before 11302 are affected.
💻 Affected Systems
- Zoho ManageEngine ServiceDesk Plus
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to access, modify, or delete sensitive data, create administrative accounts, or execute arbitrary code on the server.
Likely Case
Unauthorized access to sensitive service desk data, ticket manipulation, user account creation, or configuration changes.
If Mitigated
Limited impact with proper network segmentation and monitoring, though authentication bypass remains a critical finding.
🎯 Exploit Status
Exploitation is trivial - simply accessing specific REST-API endpoints without authentication. CISA has added this to their Known Exploited Vulnerabilities catalog.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11302 and later
Vendor Advisory: https://www.manageengine.com/products/service-desk/on-premises/readme.html#11302
Restart Required: Yes
Instructions:
1. Download ServiceDesk Plus version 11302 or later from the ManageEngine website.
2. Back up the current installation.
3. Run the installer to upgrade.
4. Restart the ServiceDesk Plus service.
🔧 Temporary Workarounds
Network Access Control
Restrict access to ServiceDesk Plus to trusted IP addresses only (Linux, firewalld; replace TRUSTED_IP_RANGE with your own CIDR):

```shell
# Allow only the trusted range to reach the ServiceDesk Plus web port (8080 shown; adjust to your deployment)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP_RANGE" port port="8080" protocol="tcp" accept'
firewall-cmd --reload
```
Reverse Proxy Authentication
Place ServiceDesk Plus behind a reverse proxy that requires authentication for all API endpoints.
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit access to ServiceDesk Plus
- Deploy web application firewall (WAF) rules to block unauthenticated REST-API requests
🔍 How to Verify
Check if Vulnerable:
Check if ServiceDesk Plus version is below 11302 via the web interface or by examining installation files
Check Version:
Check web interface at http://<server>:<port>/ or examine build version in installation directory
Verify Fix Applied:
Verify version is 11302 or higher and test that REST-API endpoints now require proper authentication
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access to REST-API endpoints
- Failed authentication attempts followed by successful API calls
- Unusual API requests from unexpected IP addresses
Network Indicators:
- HTTP requests to /api/* endpoints without authentication headers
- Unusual traffic patterns to REST-API URLs
SIEM Query:
```
source="servicedesk.log" AND (uri_path="/api/*" AND NOT auth_token=*)
```
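The log indicators and the SIEM query above can be turned into a small offline check. The following is an added example, not ManageEngine code or log output: it assumes a simplified, constructed access-log format (`<client_ip> <method> <path> <status> auth=<token|->`) and a hypothetical trusted range of 10.0.0.0/24 matching the firewall workaround. It flags successful (2xx) requests to `/api/*` that carried no authentication token, which is the signature of the bypass, and separates them from requests that the server rejected with 401 (the expected behaviour once the fix or a proxy is in place).

```python
"""Flag unauthenticated, successful requests to ServiceDesk Plus REST-API paths.

Added example for this advisory; the log format below is an assumption,
not the real ServiceDesk Plus access-log layout.
"""
import re
from collections import Counter

# Constructed sample lines (not real ServiceDesk Plus output).
SAMPLE_LOG = """\
10.0.0.5 GET /api/v3/requests 200 auth=abc123
203.0.113.7 GET /api/v3/requests 200 auth=-
203.0.113.7 POST /api/v3/users 200 auth=-
10.0.0.5 GET /login 200 auth=-
198.51.100.9 GET /api/v3/technicians 401 auth=-
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) auth=(?P<token>\S+)$"
)

# Hypothetical trusted range; mirrors TRUSTED_IP_RANGE in the firewall workaround.
TRUSTED_PREFIXES = ("10.0.0.",)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # A literal '-' means the request carried no auth token.
    rec["authenticated"] = rec["token"] != "-"
    return rec


def is_trusted(ip):
    return ip.startswith(TRUSTED_PREFIXES)


def find_bypass_hits(log_text):
    """Return /api/* requests that succeeded (2xx) without any auth token.

    A 401 on the same path is not a hit: it shows the server enforcing
    authentication, which is what a patched or proxied instance should do.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (
            rec["path"].startswith("/api/")
            and not rec["authenticated"]
            and 200 <= rec["status"] < 300
        ):
            hits.append(rec)
    return hits


def untrusted_sources(hits):
    """Count bypass hits per client IP outside the trusted range."""
    return Counter(h["ip"] for h in hits if not is_trusted(h["ip"]))


if __name__ == "__main__":
    hits = find_bypass_hits(SAMPLE_LOG)
    for h in hits:
        print(f"ALERT unauthenticated API success: {h['ip']} {h['method']} {h['path']}")
    for ip, n in untrusted_sources(hits).items():
        print(f"untrusted source {ip}: {n} hit(s)")
```

Run against the constructed sample, the two unauthenticated 2xx calls from 203.0.113.7 are reported and the 401 from 198.51.100.9 is not; the `/login` line is ignored because it is outside `/api/`. Adapt `LINE_RE` to your real log layout before using this on production data.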
🔗 References
- https://www.manageengine.com
- https://www.manageengine.com/products/service-desk/on-premises/readme.html#11302
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-37415