ManageEngine have released an important security update for Desktop Central and Mobile Device Manager Plus which addresses a file upload vulnerability. Read on for more details.

Issue: Arbitrary File Upload Vulnerability

What is the issue?

Desktop Central and Mobile Device Manager Plus allow users to upload Windows app dependency files in a ZIP format on to the product server.

Older builds had a vulnerability that allowed malicious users to upload a specially crafted ZIP file without proper validation, potentially allowing them to write files to any location on the product server.

Who is affected?

Users running any of the versions below are at risk of exploitation:

Product                          Affected Build Versions
Desktop Central                  Below build 100482
Desktop Central MSP              Below build 100482
Mobile Device Manager Plus       Between builds 92343 (released on May 16, 2018) and 92788 (released on March 22, 2020)
Mobile Device Manager Plus MSP   Between builds 92343 (released on May 16, 2018) and 92788 (released on March 22, 2020)

How severe is this vulnerability?

The CVSS categorisation of the vulnerability is High.

To exploit this vulnerability, the user must authenticate themselves by logging in to the product console. They also need permissions to add apps to the App Repository. These two prerequisites reduce the chance of someone exploiting this vulnerability.

What steps did the team take to mitigate this vulnerability?

The fix for this vulnerability was released in build number 100482 for Desktop Central and Desktop Central MSP, and build number 92789 for Mobile Device Manager Plus and Mobile Device Manager Plus MSP.

The following steps were taken:

1. All the uploaded ZIP files were validated, and any files with path traversal capabilities were removed.

2. Only the required files were extracted instead of the entire ZIP file. Before extraction, all file extensions and content were verified, and only files required for the particular function were extracted.
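The two fixes described above, checking where each archive entry would land and extracting only the required, content-verified files, shown as an added Python example that is not ManageEngine's code. The sample archive, the set of allowed file types and their magic bytes are constructed for illustration:

```python
import io
import os
import tempfile
import zipfile

# Required dependency types and the magic bytes their content must start with (assumed set).
ALLOWED_TYPES = {".dll": b"MZ", ".exe": b"MZ"}


def build_sample_zip() -> bytes:
    buf = io.BytesIO()  # constructed sample archive, not from the advisory
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("deps/helper.dll", b"MZ\x90\x00")         # legitimate dependency
        zf.writestr("../../evil.dll", b"MZ\x90\x00")          # Zip Slip entry
        zf.writestr("deps\\..\\..\\evil2.dll", b"MZ\x90\x00")  # Windows-style traversal
        zf.writestr("deps/installer.bat", b"@echo off")       # type not required
        zf.writestr("deps/fake.dll", b"<script>")             # extension lies about content
    return buf.getvalue()


def safe_extract(zip_bytes: bytes, dest: str) -> dict:
    """Extract only entries that stay under dest and are a required, content-verified type."""
    dest_real = os.path.realpath(dest)
    result = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")  # Windows separators count too
            if name.endswith("/"):
                continue  # directory entries carry no content
            # Step 1: reject any entry that would resolve outside dest.
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                result["rejected"].append((info.filename, "path traversal"))
                continue
            # Step 2: extract only required file types, verified by content.
            magic = ALLOWED_TYPES.get(os.path.splitext(name)[1].lower())
            if magic is None:
                result["rejected"].append((info.filename, "extension not allowed"))
                continue
            data = zf.read(info)
            if not data.startswith(magic):
                result["rejected"].append((info.filename, "content mismatch"))
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as dst:
                dst.write(data)
            result["extracted"].append(os.path.relpath(target, dest_real))
    return result


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:  # throwaway destination for the sample
        return safe_extract(build_sample_zip(), tmp)
```

Running demo() extracts only deps/helper.dll; the two traversal entries, the .bat file and the mislabelled .dll are all reported in the rejected list with their reasons.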

How can you fix this issue?

Desktop Central and Desktop Central MSP customers are requested to upgrade to the latest build.

Important note: before upgrading, please take all possible forms of backup.

Follow the steps below to upgrade:

1. Log in to the product console. In the top-right corner, click the build number.

2. Upon clicking your current build version, you will be able to find the latest build that’s applicable to your network.

3. Download the available PPM and upgrade to the latest build.

Mobile Device Manager Plus customers and Mobile Device Manager Plus MSP customers are requested to upgrade to the latest build available at the following links:

Mobile Device Manager Plus

Mobile Device Manager Plus MSP

As a preventive measure, we also recommend you change the default login credentials of your product server.

Desktop Central customers can change the default login credentials by clicking on the user profile in the top-right corner and selecting Personalise. Then select Change password and provide a new password.

Mobile Device Manager Plus customers can change it by navigating to Admin > Personalize > Change Password.

Please contact us here for more information, with any questions, or for any help updating your applications.
