Skip to content

Python scanner for CVE-2022-47966. Supports ~10 of the 24 affected products.

Notifications You must be signed in to change notification settings

vonahisec/CVE-2022-47966-Scan

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
 
 
 
 
 
 
 
 

Repository files navigation

CVE-2022-47966 Scanner

About

CVE-2022-47966 is a critical unauthenticated remote code execution vulnerability affecting at least 24 on-premise ManageEngine products. The vulnerability applies only if SAML SSO is enabled. For some products it also applies if SAML SSO was previously enabled.

Timeline

This script is a free scanner that can be used to scan a several (but not yet all) of the affected ManageEngine products for CVE-2022-47966.

Installation

  • Clone the repo
git clone https://github.com/vonahisec/CVE-2022-47966-Scan.git
  • Enter the created directory
cd CVE-2022-47966-Scan
  • Install the dependencies with pip. Depending on your local python3 setup, the required commands will be either:
pip install -r requirements.txt

or:

pip3 install -r requirements.txt

Usage

usage: cve_2022_47966_scan.py [-h] [-f FILE] [-t TARGETS] [-o OUTPUT_DIR]

Scan ManageEngine web instances for CVE-2022-47966

options:
  -h, --help     show this help message and exit
  -f FILE        File containing a list of URLs to scan
  -t TARGETS     Comma-separated list of URLs to scan
  -o OUTPUT_DIR  Output directory

Supported products

Currently, the following affected products are fully supported:

  • ManageEngine ADAudit Plus
  • ManageEngine ADManager Plus
  • ManageEngine Asset Explorer
  • ManageEngine Endpoint Central (this likely includes Endpoint Central MSP although that version has not been separately tested)
  • ManageEngine PAM 360
  • ManageEngine ServiceDesk Plus (this likely includes ServiceDesk Plus MSP although that version has not been separately tested)
  • ManageEngine SupportCenter Plus

In addition, the following products are partially supported, which means the script will obtain the version but cannot check of SAML is

  • ManageEngine Active Directory 360 (AD360)
  • ManageEngine ADSelfService Plus

The following products are not supported:

  • ManageEngine Access Manager Plus
  • ManageEngine Analytics Plus
  • ManageEngine Application Control Plus
  • ManageEngine Browser Security Plus
  • ManageEngine Device Control Plus
  • ManageEngine Endpoint DLP
  • ManageEngine Key Manager Plus
  • ManageEngine OS Deployer
  • ManageEngine Password Manager Pro
  • ManageEngine Patch Manager Plus
  • ManageEngine Remote Access Plus
  • ManageEngine Remote Monitoring and Management (RMM)
  • ManageEngine Vulnerability Manager Plus

Support for some of these products may be added in the near future, though it seems unlikely that this script will ever support all.

Vulnerability statuses

  • vulnerable: The target is not patched and has SAML enabled
  • potentially_vulnerable: The target is not patched and:
    • the script was not able to determine if SAML was enable
    • or SAML was not found enabled but the target would still be vulnerable if SAML was ever enabled for it
  • not_patched: The target is not patched but SAML is not enabled. This means the target is not currently vulnerable, but could be rendered vulnerable by enabling SAML.
  • likely_not_vulnerable: The target does not seem vulnerable based on the performed checks.
  • unknown: The vulnerability status could not be determined, most likely because the product version could not be obtained or was not recognized. The script will generate a JSON file called

Output files

  • cve_2022_47966_scan.json - JSON file with the product name, version, SAML configuration status, vulnerability status and other relevant information for any systems that were recognized by the script.
  • cve_2022_47966_scan.txt - Text file with a human-readable breakdown of the results. This is identical to the report being printed to the console (minus the ANSI colors)
  • cve_2022_47966_scan_unidentified.json - JSON file with information on systems that could not be identified, but still seem worth reporting on because the strings ManageEngine and/or manageengine were found in the response body sent by the server.

Caveats

  • The script currently uses only the self-reported build version to determine if a certain app is not patched. However, the self-reported build versions may not always be fully accurate, but they seem to give a correct indication of patch status in most cases.
  • The script checks for specific strings in the server response body to see if SAML is configured for a certain app. Again, this may not always be 100% accurate, although false positives here are unlikely.
  • Due to the large number of affected products, the script has been tested against a limited number of systems for each product. This may result in incorrect results for product versions that deviate from those tested. For instance, we noticed during testing that different versions of the same product sometimes present the self-reported version number in a different manner. As a result, the scanner may sometimes fail to identify the version for a product that is supported. However, in that case the scanner will still report on identifying the product and being unable to identify the version.
  • In general, false negatives seem more likely than false positives.

In an attempt to provide relatively complete results despite the limitations mentioned above, the script reports on all systems, even those found not to be vulnerable as well as web apps that could be ManageEngine products but were not recognized by the script.

So how intrusive is this thing?

The scanner is super light. For most of the supported apps, the scanner performs exactly two HTTP requests:

  • A GET request to the provided URL (which should be the base URL for the app)
  • An POST request with an empty body to the SAML endpoint

For a few products, one additional GET request is performed to manually follow a redirect. For some products, the POST request is not even performed.

Patching

Please refer to the official ManageEngine security advisory for a full list of affected applications and the relevant patches.

A note on support

This scanner is provided as is. PR's and issues are welcomed, and we hope to add support for additional targets in the near future. However, we cannot guarantee support for this tool.

Releases

No releases published

Packages

No packages published

Languages