PT-2021-3724 · Zoho · Manage Engine Asset Explorer Agent
David Wells · Published 2021-07-16 · Updated 2021-07-28 · CVE-2021-20108
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Manage Engine Asset Explorer Agent version 1.0.34
Description
The issue is a memory leak in the Manage Engine Asset Explorer Agent. The agent listens on port 9000 for incoming commands over HTTPS from the Manage Engine Server, but it does not verify HTTPS certificates, allowing any user on the network to send commands. Although these commands may not be executed due to authtoken validation, the agent still makes an HTTP request to the Manage Engine server. During this process, the program allocates memory using malloc but never frees it, causing a memory leak. Additionally, the instruction sent to the agent is converted to a unicode string that is never freed. A remote attacker can therefore cause a denial of service by repeatedly sending commands to the agent, eventually crashing it with an out-of-memory condition.
Recommendations
For Manage Engine Asset Explorer Agent version 1.0.34, consider disabling the agent's ability to listen on port 9000 until a patch is available. As a temporary workaround, restrict access to the agent to minimize the risk of exploitation. Avoid sending repetitive commands to the agent to prevent the out-of-memory condition. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
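The leak pattern from the description, sketched in C next to a corrected form. This is an added illustration, not the agent's code: the handler names, `token_valid`, the 4096-byte request buffer and the allocation counter are all hypothetical.

```c
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Allocation counter so the leak is observable without external tools. */
static long live_allocs = 0;
static void *xalloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

/* Hypothetical stand-in for the authtoken check; always rejects here. */
static int token_valid(const char *cmd) { (void)cmd; return 0; }

/* Widen the instruction to a wide string; the caller owns the result. */
static wchar_t *to_wide(const char *s) {
    size_t n = strlen(s) + 1;
    wchar_t *w = xalloc(n * sizeof *w);
    if (w) for (size_t i = 0; i < n; i++) w[i] = (unsigned char)s[i];
    return w;
}

/* Leaky shape: both buffers are abandoned on every path, so even a
 * rejected command costs memory. */
int handle_leaky(const char *cmd) {
    wchar_t *wide = to_wide(cmd);
    char *req = xalloc(4096);              /* buffer for the server request */
    if (!wide || !req) return -1;
    return token_valid(cmd) ? 0 : -1;      /* rejected, memory still held */
}

/* Fixed shape: one exit point releases everything, accepted or not. */
int handle_fixed(const char *cmd) {
    int rc = -1;
    wchar_t *wide = to_wide(cmd);
    char *req = xalloc(4096);
    if (wide && req && token_valid(cmd)) rc = 0;
    xfree(req);
    xfree(wide);
    return rc;
}

/* Run a handler n times and report allocations still outstanding. */
long outstanding_after(int (*h)(const char *), int n) {
    long before = live_allocs;
    for (int i = 0; i < n; i++) h("constructed-command");
    return live_allocs - before;
}
```

The same growth is visible from outside the process as a steadily rising working set on the agent, which is a practical signal to alert on while access to port 9000 is being restricted.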
Memory Leak
Affected Products
Manage Engine Asset Explorer Agent