CVE-2021-40174
📋 TL;DR
This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in Zoho ManageEngine Log360 that allows attackers to disable logon security settings without user consent. Organizations using Log360 versions before Build 5224 are affected. Attackers can exploit this to weaken authentication controls and potentially gain unauthorized access.
💻 Affected Systems
- Zoho ManageEngine Log360
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers disable all authentication controls, allowing unauthenticated access to sensitive log data and administrative functions, potentially leading to complete system compromise.
Likely Case
Attackers disable specific security settings like login restrictions or MFA, enabling easier credential-based attacks or unauthorized access to log data.
If Mitigated
With proper CSRF protections and network segmentation, exploitation attempts are blocked or detected before causing damage.
🎯 Exploit Status
Exploitation requires the victim to be logged into Log360 and visit a malicious page. CSRF attacks are well-understood and easy to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 5224 or later
Vendor Advisory: https://www.manageengine.com/log-management/readme.html#Build%205224
Restart Required: Yes
Instructions:
1. Download Log360 Build 5224 or later from the ManageEngine website.
2. Back up the current configuration and data.
3. Run the installer to upgrade.
4. Restart the Log360 service.
5. Verify that the version shows Build 5224 or higher.
🔧 Temporary Workarounds
Implement CSRF Tokens
Add anti-CSRF tokens to all sensitive forms and endpoints in Log360
SameSite Cookie Enforcement
Configure cookies with the SameSite=Strict attribute to prevent CSRF attacks
🧯 If You Can't Patch
- Implement network segmentation to isolate Log360 from untrusted networks
- Deploy a Web Application Firewall (WAF) with CSRF protection rules
🔍 How to Verify
Check if Vulnerable:
Check the Log360 build version in the web interface under Help > About. If the version is below Build 5224, the system is vulnerable.
Check Version:
Check web interface at https://[log360-server]/help/about.jsp or examine installation directory version files
Verify Fix Applied:
After patching, verify the version shows Build 5224 or higher in Help > About. Test that security settings cannot be modified via cross-site requests.
📡 Detection & Monitoring
Log Indicators:
- Unexpected modifications to security settings
- Authentication configuration changes from unusual IP addresses
- Failed login attempts after security settings were modified
Network Indicators:
- POST requests to security configuration endpoints without proper referrer headers
- Cross-origin requests to Log360 administrative interfaces
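The two network indicators above can be checked mechanically against reverse-proxy access logs. The following is an added example, not ManageEngine code: it flags POSTs to configuration endpoints whose Origin/Referer headers either name a foreign host or are absent. The log format, the endpoint prefixes and the host name are assumptions for illustration; Log360's real routes are not given on this page.

```python
import re
from urllib.parse import urlparse

# Assumed reverse-proxy log format (constructed for this example):
#   client_ip METHOD path status "Origin" "Referer"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) '
    r'"(?P<origin>[^"]*)" "(?P<referer>[^"]*)"$'
)

# Placeholder paths standing in for the logon-security configuration endpoints;
# substitute the product's actual configuration routes in a real deployment.
SENSITIVE_PREFIXES = ("/admin/security/", "/settings/logon")


def is_cross_site_post(entry, expected_host):
    """Return True for a POST to a sensitive path whose Origin/Referer do not
    prove a same-origin request (different host, or both headers absent)."""
    if entry["method"] != "POST" or not entry["path"].startswith(SENSITIVE_PREFIXES):
        return False
    for header in ("origin", "referer"):
        value = entry[header]
        if value and value != "-":
            # The first header present decides: Origin takes priority over Referer.
            return urlparse(value).hostname != expected_host
    return True  # neither Origin nor Referer: same-origin cannot be confirmed


def scan(lines, expected_host):
    """Parse log lines and return (ip, path, origin, referer) for each hit."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not fit the assumed format
        entry = match.groupdict()
        if is_cross_site_post(entry, expected_host):
            findings.append((entry["ip"], entry["path"], entry["origin"], entry["referer"]))
    return findings


# Constructed sample lines; host name and client IPs are illustrative only.
SAMPLE_LOG = """\
10.0.0.5 POST /admin/security/logon 200 "https://log360.corp.example:8095" "https://log360.corp.example:8095/admin/security/"
10.0.0.9 POST /admin/security/logon 200 "https://third-party.example" "https://third-party.example/page.html"
10.0.0.9 POST /admin/security/logon 200 "-" "-"
10.0.0.5 GET /admin/security/ 200 "-" "https://log360.corp.example:8095/"
10.0.0.7 POST /api/search 200 "https://third-party.example" "-"
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, "log360.corp.example"):
        print("suspicious config POST:", hit)
```

Header-less POSTs are flagged because privacy settings and some proxies strip Referer, so treat those hits as review items rather than confirmed attacks, and correlate them with the config_change events in the SIEM.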
SIEM Query:
source="log360" AND (event_type="config_change" AND config_item="security_settings")