CVE-2021-20108

 

  • Severity Score: 7.5 (CVSS v3.1)
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

Manage Engine Asset Explorer Agent 1.0.34 listens on port 9000 for incoming commands over HTTPS from Manage Engine Server. The HTTPS certificates are not verified, which allows any arbitrary user on the network to send commands over port 9000. While these commands may not be executed (due to authtoken validation), the Asset Explorer agent will reach out to the Manage Engine server with an HTTP request. During this process, AEAgent.cpp allocates 0x66 bytes using "malloc". This memory is never freed in the program, causing a memory leak. Additionally, the instruction sent to aeagent (i.e., NEWSCAN, DELTASCAN, etc.) is converted to a Unicode string, but is never freed. These memory leaks allow a remote attacker to cause a denial of service by repeatedly sending these commands to an agent, eventually crashing the agent due to an out-of-memory condition.
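
The leak pattern described above (CWE-401), sketched as an added example next to the corrected form. This is not ManageEngine's code: `handle_command`, `widen`, `track_alloc`, `track_free` and the request text are hypothetical, and only the 0x66-byte size and the command names come from the description.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

#define REQ_BUF_SIZE 0x66        /* allocation size named in the description */

static size_t live_bytes;        /* bytes allocated and not yet released */

static void *track_alloc(size_t n) { void *p = malloc(n); if (p) live_bytes += n; return p; }
static void track_free(void *p, size_t n) { if (p) { free(p); live_bytes -= n; } }

/* Widen an ASCII command such as "NEWSCAN" into a heap-allocated wchar_t string. */
static wchar_t *widen(const char *cmd, size_t *bytes) {
    size_t len = strlen(cmd);
    *bytes = (len + 1) * sizeof(wchar_t);
    wchar_t *w = track_alloc(*bytes);
    if (!w) return NULL;
    for (size_t i = 0; i <= len; i++) w[i] = (wchar_t)(unsigned char)cmd[i];
    return w;
}

/* Hypothetical handler. token_ok models the authtoken check; release=0
   reproduces the leak pattern, release=1 frees both buffers on every path. */
static int handle_command(const char *cmd, int token_ok, int release) {
    size_t wbytes = 0;
    int rc = -1;
    char *req = track_alloc(REQ_BUF_SIZE);      /* buffer for the outbound request */
    wchar_t *wcmd = widen(cmd, &wbytes);        /* converted instruction string */
    if (req && wcmd) {
        snprintf(req, REQ_BUF_SIZE, "validate %s", cmd);  /* constructed request text */
        rc = token_ok ? 0 : -1;   /* a rejected command has still allocated both buffers */
    }
    if (release) {                /* the fix: one cleanup point reached by all paths */
        track_free(wcmd, wbytes);
        track_free(req, REQ_BUF_SIZE);
    }
    return rc;
}

/* Handle the same rejected command n times; return the bytes left allocated. */
static size_t leaked_after(int n, int release) {
    live_bytes = 0;
    for (int i = 0; i < n; i++) handle_command("NEWSCAN", 0, release);
    return live_bytes;
}

int main(void) {
    printf("leaky: %zu bytes\n", leaked_after(1000, 0));
    printf("fixed: %zu bytes\n", leaked_after(1000, 1));
    return 0;
}
```

Per-command growth is small, so the condition shows up as steady growth in the agent's memory use over time rather than as a single spike, which is what to watch for when monitoring unpatched agents.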

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High

  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: None
  • Integrity: None
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2020-12-17 CVE Reserved
  • 2021-07-19 CVE Published
  • 2024-04-03 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-401: Missing Release of Memory after Effective Lifetime
CAPEC
Affected Vendors, Products, and Versions
  • Vendor: Zohocorp
  • Product: Manageengine Assetexplorer
  • Version: 1.0.34
  • Other: -
  • Status: Affected