CVE-2021-43296
📋 TL;DR
This vulnerability allows attackers to perform Server-Side Request Forgery (SSRF) attacks through the ActionExecutor component in Zoho ManageEngine SupportCenter Plus. Attackers can make the vulnerable server send requests to internal systems, potentially accessing sensitive data or services. Organizations running SupportCenter Plus versions before 11016 are affected.
💻 Affected Systems
- Zoho ManageEngine SupportCenter Plus
📦 What is this software?
Manageengine Supportcenter Plus by Zohocorp
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, sensitive data, or pivot to other systems, potentially leading to data breaches or network compromise.
Likely Case
Attackers scan internal networks, access metadata services, or interact with internal APIs to gather information or perform limited actions.
If Mitigated
With proper network segmentation and egress filtering, impact is limited to information disclosure from accessible internal services.
🎯 Exploit Status
SSRF vulnerabilities are commonly exploited and tools exist for automated exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11016
Vendor Advisory: https://www.manageengine.com/products/support-center/readme.html#11016
Restart Required: Yes
Instructions:
1. Download SupportCenter Plus version 11016 or later from the ManageEngine website.
2. Back up the current installation.
3. Stop the SupportCenter Plus service.
4. Install the update.
5. Restart the service.
🔧 Temporary Workarounds
Network Segmentation
Restrict outbound network access from SupportCenter Plus servers to only the services they need to reach.
Web Application Firewall
Configure WAF rules to block SSRF patterns in requests to the ActionExecutor component.
🧯 If You Can't Patch
- Implement strict network egress filtering to limit what internal services the server can access
- Monitor for unusual outbound requests from SupportCenter Plus servers
🔍 How to Verify
Check if Vulnerable:
Check SupportCenter Plus version in admin interface or installation directory
Check Version:
Check Admin → About in web interface or examine version files in installation directory
Verify Fix Applied:
Confirm that the installed version is 11016 or later and test that SSRF attempts against ActionExecutor are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from SupportCenter Plus server
- Requests to internal IP ranges or metadata services
Network Indicators:
- HTTP requests from SupportCenter Plus to unexpected internal destinations
- Patterns of requests to known SSRF targets
SIEM Query:
source="supportcenter-plus" AND (dest_ip=169.254.169.254 OR dest_ip=10.* OR dest_ip=192.168.* OR dest_ip=172.16.*)
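The SIEM query above can be implemented as a standalone detection over egress logs, shown here as an added example that is not part of this advisory or of any ManageEngine tooling. It assumes a constructed proxy log line format (`src=... dest_ip=... url=...`) and uses CIDR matching so that the whole 172.16.0.0/12 block (172.16.x.x through 172.31.x.x) is covered, which a `172.16.*` wildcard only partly is.

```python
import ipaddress
import re

# Destinations a SupportCenter Plus host should normally have no reason to
# reach over HTTP: link-local (cloud metadata), loopback and RFC 1918 space.
# 172.16.0.0/12 spans 172.16.x.x through 172.31.x.x; a wildcard such as
# dest_ip=172.16.* only matches the first /16 of it.
SUSPICIOUS_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",   # includes the 169.254.169.254 metadata endpoint
    "127.0.0.0/8",
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
)]

# Constructed (hypothetical) egress log format, not the product's own format:
# "<timestamp> src=<ip> dest_ip=<ip> url=<url>"
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dest_ip=(?P<dest>\S+)\s+url=(?P<url>\S+)")

# Constructed sample lines; 10.1.2.50 plays the SupportCenter Plus server.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z src=10.1.2.50 dest_ip=203.0.113.10 url=https://updates.example/check
2024-01-01T10:00:05Z src=10.1.2.50 dest_ip=169.254.169.254 url=http://169.254.169.254/latest/meta-data/
2024-01-01T10:00:09Z src=10.1.2.50 dest_ip=172.20.5.7 url=http://172.20.5.7:8080/admin
2024-01-01T10:00:12Z src=10.1.2.99 dest_ip=10.0.0.5 url=http://10.0.0.5/
"""


def is_suspicious_dest(ip_text):
    """True if the address falls inside an internal or metadata range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # hostnames or garbage are not matched here
    return any(ip in net for net in SUSPICIOUS_NETS)


def find_ssrf_indicators(lines, scp_hosts):
    """Return (line, reason) pairs for outbound requests from the given
    SupportCenter Plus hosts to internal or metadata destinations."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("src") not in scp_hosts:
            continue
        dest = m.group("dest")
        if is_suspicious_dest(dest):
            hits.append((line, f"outbound request to internal/metadata address {dest}"))
    return hits


if __name__ == "__main__":
    for line, reason in find_ssrf_indicators(SAMPLE_LOG.splitlines(), {"10.1.2.50"}):
        print(reason, "::", line)
```

On the sample input only the metadata request and the 172.20.5.7 request are flagged; the external update check and the request from a non-SupportCenter host are not.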