ID

VAR-201906-1243


CVE

CVE-2019-12133


TITLE

Permission vulnerabilities in multiple Zoho ManageEngine products

Trust: 0.8

sources: JVNDB: JVNDB-2019-005620

DESCRIPTION

Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus.

Multiple Zoho ManageEngine products contain a permission vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS).

ZOHO ManageEngine Desktop Central (DC) and the other affected applications are all products of ZOHO Company of the United States. ManageEngine Desktop Central is a desktop management solution. ZOHO ManageEngine ServiceDesk Plus is a set of IT service management software (ITSM) based on ITIL architecture. ZOHO ManageEngine EventLog Analyzer is a set of system and event log analysis software. There are authorization problem vulnerabilities in many ZOHO products. The vulnerability is caused by the program assigning incorrect permissions to the %SYSTEMDRIVE%\ManageEngine directory and its subfolders.

Trust: 1.71

sources: NVD: CVE-2019-12133 // JVNDB: JVNDB-2019-005620 // VULHUB: VHN-143849

AFFECTED PRODUCTS

vendor: zohocorp, model: manageengine netflow analyzer, scope: eq, version: 11.0

Trust: 1.0

vendor: zohocorp, model: manageengine patch manager plus, scope: eq, version: 9.0.0

Trust: 1.0

vendor: zohocorp, model: manageengine network configuration manager, scope: eq, version: 11.0

Trust: 1.0

vendor: zohocorp, model: manageengine o365 manager plus, scope: eq, version: 4.0

Trust: 1.0

vendor: zohocorp, model: manageengine opmanager, scope: eq, version: 12.3

Trust: 1.0

vendor: zohocorp, model: manageengine password manager pro, scope: eq, version: 9.9

Trust: 1.0

vendor: zohocorp, model: manageengine vulnerability manager plus, scope: eq, version: 9.0.0

Trust: 1.0

vendor: zohocorp, model: manageengine patch connect plus, scope: eq, version: 9.0.0

Trust: 1.0

vendor: zohocorp, model: manageengine firewall, scope: eq, version: 12.0

Trust: 1.0

vendor: zohocorp, model: manageengine oputils, scope: eq, version: 11.0

Trust: 1.0

vendor: zohocorp, model: manageengine desktop central, scope: eq, version: 10.0.380

Trust: 1.0

vendor: zohocorp, model: manageengine browser security plus, scope: eq, version: -

Trust: 1.0

vendor: zohocorp, model: manageengine analytics plus, scope: eq, version: 1.0

Trust: 1.0

vendor: zohocorp, model: manageengine mobile device manager plus, scope: eq, version: 9.0.0

Trust: 1.0

vendor: zohocorp, model: manageengine supportcenter plus, scope: eq, version: 8.1

Trust: 1.0

vendor: zohocorp, model: manageengine eventlog analyzer, scope: eq, version: 12.0.2

Trust: 1.0

vendor: zohocorp, model: manageengine servicedesk plus, scope: eq, version: 10.0.0

Trust: 1.0

vendor: zohocorp, model: manageengine key manager plus, scope: eq, version: 5.6

Trust: 1.0

vendor: zoho, model: manageengine analytics plus, scope: eq, version: 1.0

Trust: 0.8

vendor: zoho, model: manageengine browser security plus, scope: -, version: -

Trust: 0.8

vendor: zoho, model: manageengine desktop central, scope: eq, version: 10.0.380

Trust: 0.8

vendor: zoho, model: manageengine eventlog analyzer, scope: eq, version: 12.0.2

Trust: 0.8

vendor: zoho, model: manageengine firewall, scope: eq, version: 12.0

Trust: 0.8

vendor: zoho, model: manageengine key manager plus, scope: eq, version: 5.6

Trust: 0.8

vendor: zoho, model: manageengine mobile device manager plus, scope: eq, version: 9.0.0

Trust: 0.8

vendor: zoho, model: manageengine netflow analyzer, scope: eq, version: 11.0

Trust: 0.8

vendor: zoho, model: manageengine network configuration manager, scope: eq, version: 11.0

Trust: 0.8

vendor: zoho, model: manageengine o365 manager plus, scope: eq, version: 4.0

Trust: 0.8

sources: JVNDB: JVNDB-2019-005620 // NVD: CVE-2019-12133

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-12133
value: HIGH

Trust: 1.0

NVD: CVE-2019-12133
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201906-717
value: HIGH

Trust: 0.6

VULHUB: VHN-143849
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-12133
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-143849
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-12133
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-143849 // JVNDB: JVNDB-2019-005620 // CNNVD: CNNVD-201906-717 // NVD: CVE-2019-12133

PROBLEMTYPE DATA

problemtype:CWE-427

Trust: 1.1

problemtype:CWE-732

Trust: 1.1

problemtype:CWE-275

Trust: 0.9

sources: VULHUB: VHN-143849 // JVNDB: JVNDB-2019-005620 // NVD: CVE-2019-12133

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201906-717

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201906-717

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005620

PATCH

title: Elevation of Privilege, url: https://www.manageengine.com/products/desktop-central/elevation-of-privilege-vulnerability.html

Trust: 0.8

title: Multiple ZOHO Product security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93902

Trust: 0.6

sources: JVNDB: JVNDB-2019-005620 // CNNVD: CNNVD-201906-717

EXTERNAL IDS

db: NVD, id: CVE-2019-12133

Trust: 2.5

db: JVNDB, id: JVNDB-2019-005620

Trust: 0.8

db: CNNVD, id: CNNVD-201906-717

Trust: 0.7

db: VULHUB, id: VHN-143849

Trust: 0.1

sources: VULHUB: VHN-143849 // JVNDB: JVNDB-2019-005620 // CNNVD: CNNVD-201906-717 // NVD: CVE-2019-12133

REFERENCES

url: https://www.manageengine.com/products/desktop-central/elevation-of-privilege-vulnerability.html

Trust: 1.7

url: https://github.com/active-labs/advisories/blob/master/2019/active-2019-007.md

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2019-12133

Trust: 1.4

url: https://github.com/active-labs/advisories/blob/master/active-2019-007.md

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12133

Trust: 0.8

sources: VULHUB: VHN-143849 // JVNDB: JVNDB-2019-005620 // CNNVD: CNNVD-201906-717 // NVD: CVE-2019-12133

SOURCES

db: VULHUB, id: VHN-143849
db: JVNDB, id: JVNDB-2019-005620
db: CNNVD, id: CNNVD-201906-717
db: NVD, id: CVE-2019-12133

LAST UPDATE DATE

2024-11-23T23:08:23.088000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-143849, date: 2020-08-24T00:00:00
db: JVNDB, id: JVNDB-2019-005620, date: 2019-06-25T00:00:00
db: CNNVD, id: CNNVD-201906-717, date: 2020-08-25T00:00:00
db: NVD, id: CVE-2019-12133, date: 2024-11-21T04:22:17.113

SOURCES RELEASE DATE

db: VULHUB, id: VHN-143849, date: 2019-06-18T00:00:00
db: JVNDB, id: JVNDB-2019-005620, date: 2019-06-25T00:00:00
db: CNNVD, id: CNNVD-201906-717, date: 2019-06-18T00:00:00
db: NVD, id: CVE-2019-12133, date: 2019-06-18T22:15:12.027