Vulnerability Details: CVE-2019-12133
Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus.
Vulnerability category: Gain privilege
Products affected by CVE-2019-12133
- cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:12.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_desktop_central:10.0.380:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_opmanager:12.3:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:8.1:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_password_manager_pro:9.9:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_analytics_plus:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_browser_security_plus:-:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_firewall:12.0:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_key_manager_plus:5.6:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_mobile_device_manager_plus:9.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_network_configuration_manager:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_o365_manager_plus:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_oputils:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_patch_connect_plus:9.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_patch_manager_plus:9.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_vulnerability_manager_plus:9.0.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-12133
EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~14% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2019-12133
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST | |
7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
CWE ids for CVE-2019-12133
- The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. (Assigned by: nvd@nist.gov, Primary)
- The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2019-12133
- https://github.com/active-labs/Advisories/blob/master/2019/ACTIVE-2019-007.md (Advisories/ACTIVE-2019-007.md at master, active-labs/Advisories, GitHub)
- https://www.manageengine.com/products/desktop-central/elevation-of-privilege-vulnerability.html (Security Updates on Vulnerabilities - Elevation of Privilege; vendor advisory)