An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges. This issue will occur only when untrusted communication is initiated with server. In cloud, Agent will always connect with trusted communication.
Recent assessments:
wvu-r7 at October 06, 2020 4:38pm UTC reported:
CVE-2020-15589 and CVE-2020-24397 are grouped together with this.
I want to clarify that these are client-side vulnerabilities in ManageEngine Desktop Central. Exploiting them will certainly require MITM or other control of the network.
Details and a PoC are available, so patch this immediately. Desktop Central is UEM software, and while this is a set of client-side vulns, you donβt want attackers taking advantage of such critical software.
Assessed Attacker Value: 4
Assessed Attacker Value: 4Assessed Attacker Value: 1