ManageEngine Patch Released, But Apache Santuario Users Could Still Be At Risk

CVE-2022-47966: What happened

On January 11, Zoho, the company behind multiple ManageEngine products, released a security advisory describing a remote code execution (RCE) vulnerability affecting 24 ManageEngine products. The vulnerability is exploitable only when SAML Single Sign-on (SSO) is or was enabled in the ManageEngine setup.

What stood out immediately in the initial security advisory was that the vulnerability was “due to the usage of an outdated third party dependency, Apache Santuario.” Although no further details were included, it was a hint worth evaluating: If the root cause is in a third-party library, specifically Apache Santuario, this could also affect other products using this library.

Updated ManageEngine versions have been released since October 27, 2022. This suggests that an Apache Santuario release around that time likely included the fix. However, none of the recent Apache Santuario release notes or their security advisories indicated a vulnerability fix with a code execution impact—meaning that organizations may still be at-risk.

The devil is in the details

Further information and analysis about the vulnerability was published on January 19, 2023 by Viettel Cyber Security, who identified the vulnerability and coordinated the disclosure. Another analysis published by Horizon3.ai included information that the outdated version of Apache Santuario (1.4.1) is over 10 years old (released around September 2010). The importance of updating third-party libraries has been discussed for a long time, so it is quite surprising to see such an old artifact in current products. In particular, multiple vulnerabilities have been reported and addressed in more recent versions. However, none of them suggested code execution as an impact.

Therefore, where is the root cause? The vulnerability exploited in ManageEngine products occurs during the signature validation process when handling SAML responses. Using XSLT transformation, a remote attacker is able to load arbitrary Java classes and execute arbitrary code. In case an old Xalan version affected by CVE-2014-0107 is present in the classpath, code execution can be achieved in a reliable manner.

Successful exploitation of this vulnerability depends on how XML signatures are processed and how the application uses Apache Santuario. In the case of the ManageEngine product line, usage of the very outdated Santuario version led to remote code execution. And the exploit was reliable since the Xalan dependency in the old version included another vulnerability from 2014.

Apache Santuario has updated the Xalan dependency from 2.7.1 to 2.7.2 with version 2.0.2 on September 22, 2014. And XSLT transformation can be prevented by enabling ‘secure validation’ in Apache Santuario, which disallows XSLT transforms. However, this configuration is not enabled by default prior to version 2.3.0 and the security implications are not clearly communicated in the Apache Santuario documentation.

It is important to stress that other products may be vulnerable if they still use old Santuario versions lower than 2.3.0, or if they have not enabled the ‘secure validation’ feature. However, depending on the used version, the impact may differ. Even though ManageEngine products are currently being attacked and making headlines, it is key for security teams to know how this happened and why, so that they can read between the lines and protect any other potentially affected assets. Unfortunately, it feels like critical changes to Apache Santuario have not been sufficiently communicated.

This is a prime example why keeping third-party libraries up-to-date is crucial to maintaining security hygiene. Usage of a more recent version of Apache Santuario that also addresses known vulnerabilities in the product could have mitigated exploitation in ManageEngine significantly. The combination of this exceptionally old library, which by itself has a vulnerable dependency and insecure defaults, turned out to be fatal for some ManageEngine customers.

Manage vulnerabilities with Flashpoint

Organizations have even less time than before to respond to critical issues. To better protect your network, enterprises need to proactively manage risk in a timely manner. Sign up for a free trial and see how quality intelligence empowers a vulnerability risk management program, allowing your security teams to prioritize and remediate what really matters.