CVE-2021-20110

{"id": "CVE-2021-20110", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2021-07-19T15:15:07.703", "references": [{"url": "https://www.tenable.com/security/research/tra-2021-31", "tags": ["Third Party Advisory"], "source": "vulnreport@tenable.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-190"}]}], "descriptions": [{"lang": "en", "value": "Due to Manage Engine Asset Explorer Agent 1.0.34 not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address. This will allow an attacker to send a NEWSCAN request to a listening agent on the network as well as receive the agent's HTTP request verifying its authtoken. In httphandler.cpp, the agent reaching out over HTTP is vulnerable to an Integer Overflow, which can be turned into a Heap Overflow allowing for remote code execution as NT AUTHORITY/SYSTEM on the agent machine. The Integer Overflow occurs when receiving POST response from the Manage Engine server, and the agent calling \"HttpQueryInfoW\" in order to get the \"Content-Length\" size from the incoming POST request. This size is taken, but multiplied to a larger amount. If an attacker specifies a Content-Length size of 1073741823 or larger, this integer arithmetic will wrap the value back around to smaller integer, then calls \"calloc\" with this size to allocate memory. The following API \"InternetReadFile\" will copy the POST data into this buffer, which will be too small for the contents, and cause heap overflow."}, {"lang": "es", "value": "Debido a que Manage Engine Asset Explorer Agent versi\u00f3n 1.0.34, no comprueba los certificados HTTPS, un atacante en la red puede configurar est\u00e1ticamente su direcci\u00f3n IP para que coincida con la direcci\u00f3n IP del servidor de Asset Explorer. Esto permitir\u00e1 a un atacante enviar una petici\u00f3n NEWSCAN a un agente de escucha en la red, as\u00ed como recibir la petici\u00f3n HTTP del agente comprobando su authtoken. En el archivo httphandler.cpp, el agente que llega a trav\u00e9s de HTTP es vulnerable a un Desbordamiento de Enteros, que puede convertirse en un Desbordamiento de Pila que permite la ejecuci\u00f3n de c\u00f3digo remota como NT AUTHORITY/SYSTEM en la m\u00e1quina del agente. El Desbordamiento de Enteros ocurre cuando se recibe la respuesta POST del servidor Manage Engine, y el agente llama a \"HttpQueryInfoW\" para obtener el tama\u00f1o \"Content-Length\" de la petici\u00f3n POST entrante. Este tama\u00f1o es tomado, pero multiplicado a una cantidad mayor. Si un atacante especifica un tama\u00f1o de Content-Length de 1073741823 o mayor, esta aritm\u00e9tica de enteros envolver\u00e1 el valor de vuelta a un entero m\u00e1s peque\u00f1o, y luego llama a \"calloc\" con este tama\u00f1o para asignar memoria. La siguiente API \"InternetReadFile\" copiar\u00e1 los datos de POST en este b\u00fafer, que ser\u00e1 demasiado peque\u00f1o para el contenido, y causar\u00e1 un desbordamiento de pila"}], "lastModified": "2022-06-28T14:11:45.273", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_assetexplorer:1.0.34:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2ED9862E-512A-4A1A-98F7-845ED9A62C44"}], "operator": "OR"}]}], "sourceIdentifier": "vulnreport@tenable.com"}