If left unaddressed, the vulnerabilities allow unauthenticated file upload, blind SQL injection, authenticated remote code execution and user enumeration, potentially exposing sensitive information or enabling full compromise of the application, Digital Defense asserts. The affected applications include popular platforms within the MSP and corporate IT management ecosystems -- particularly ServiceDesk Plus, ServiceDesk Plus MSP, OpManager, Firewall Analyzer, Network Configuration Manager, OpUtils and NetFlow Analyzer, Digital Defense indicates.
Zoho ManageEngine has addressed the vulnerabilities and is making patches available for each of the affected applications. Digital Defense's Frontline Vulnerability Manager also includes checks for the flaws, so customers of that service can confirm whether unpatched instances remain on their networks.
MSP Software: Under the Security Microscope
This is the latest in a growing list of vulnerability concerns related to MSP-oriented software. Earlier this week, Kaseya patched a vulnerability in its flagship VSA software platform for MSPs. Without the patch in place, the flaw could be used to deploy Monero cryptocurrency mining software to endpoints managed through VSA. As of January 29, Kaseya estimated that fewer than 0.1 percent (less than one tenth of one percent) of its customers were affected by this issue.
Hackers, meanwhile, take aim at MSP-oriented software because a single compromised platform can be turned into a Trojan horse that grants entry into thousands -- perhaps millions -- of unsuspecting small, midsize and enterprise customer networks through the MSP's own trusted management channels.
In one of the higher-profile attacks, a hacker group called APT10 compromised MSP networks and used that access to reach end-customer systems in 2016 and perhaps 2017, according to a 25-page PwC UK and BAE Systems report that surfaced in 2017. Those hacks, collectively dubbed Operation Cloud Hopper, may date back to 2014 or so, the report suggests.
Meanwhile, high-profile MSSPs themselves have increasingly stumbled on basic security steps in recent months. For instance, multiple companies on the Top 100 MSSPs list for 2017 left business and/or customer data wide open on Amazon Web Services (AWS) due to user error and cloud misconfigurations, such as storage exposed to anonymous access.