PT-2021-3719 · Manageengine · Manage Engine Asset Explorer Agent

David Wells · Published 2021-03-16 · Updated 2021-07-28 · CVE-2021-20110

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions
Manage Engine Asset Explorer Agent version 1.0.34

Description
The Manage Engine Asset Explorer Agent does not validate HTTPS certificates, which allows an attacker on the network to send a NEWSCAN request to a listening agent and receive the agent's HTTP request verifying its authtoken. This can lead to an Integer Overflow, which can be turned into a Heap Overflow, allowing for remote code execution as NT AUTHORITY/SYSTEM on the agent machine. The Integer Overflow occurs when the agent receives a POST response from the Manage Engine server and calls HttpQueryInfoW to get the Content-Length size from the incoming POST request. If an attacker specifies a Content-Length size of 1073741823 or larger, the integer arithmetic on this size wraps the value back around to a smaller integer, and the agent then calls calloc with this size to allocate memory. The subsequent InternetReadFile call copies the POST data into this buffer, which is too small for the contents, causing a heap overflow.

Recommendations
As a temporary workaround, consider disabling the HttpQueryInfoW function until a patch is available. Restrict access to the httphandler.cpp module to minimize the risk of exploitation. Avoid using the Content-Length parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
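
The size wrap from the description, next to a checked size computation and a bounded copy step, as an added example that is not code from the vendor or from the advisory. The (n + 1) * 4 arithmetic is an assumption chosen because it first wraps at the stated threshold of 1073741823, and max_body and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ASSUMPTION: the advisory does not give the agent's sizing arithmetic.
 * (n + 1) * 4 in 32 bits is used here because it first wraps at the
 * advisory's stated threshold, Content-Length = 1073741823. */
uint32_t unchecked_alloc_size(uint32_t content_length)
{
    return (content_length + 1u) * 4u;      /* silently wraps modulo 2^32 */
}

/* Hardened sizing: reject lengths above a policy cap (hypothetical
 * parameter max_body) or above the largest value that cannot wrap. */
int checked_alloc_size(uint32_t content_length, uint32_t max_body,
                       uint32_t *out)
{
    if (content_length > max_body)
        return -1;
    if (content_length > UINT32_MAX / 4u - 1u)
        return -1;
    *out = (content_length + 1u) * 4u;
    return 0;
}

/* Bounded read step: copy at most the space left in the buffer, no matter
 * how much data the peer actually sends. Returns bytes copied. */
size_t bounded_append(unsigned char *buf, size_t cap, size_t used,
                      const unsigned char *chunk, size_t n)
{
    size_t room = used < cap ? cap - used : 0;
    size_t take = n < room ? n : room;
    if (take)
        memcpy(buf + used, chunk, take);
    return take;
}

int main(void)
{
    uint32_t sz = 0;
    printf("unchecked(1073741823) = %u\n",
           (unsigned)unchecked_alloc_size(1073741823u));
    printf("checked(1073741823)   = %d\n",
           checked_alloc_size(1073741823u, UINT32_MAX, &sz));
    int rc = checked_alloc_size(4096u, 1u << 20, &sz);
    printf("checked(4096, 1 MiB)  = %d, size %u\n", rc, (unsigned)sz);
    return 0;
}
```

Either check alone closes the path described above: the sizing check refuses the oversized Content-Length before allocation, and the bounded copy keeps the read within the buffer even if the declared length and the actual body disagree.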

Integer Overflow

Improper Certificate Validation

Weakness Enumeration

Related Identifiers

BDU:2021-03959
CVE-2021-20110

Affected Products

Manage Engine Asset Explorer Agent