ManageEngine recently patched a SQL injection vulnerability (CVE-2022-40300) in its Password Manager Pro, PAM360, and Access Manager Plus products.
A remote attacker can exploit the vulnerability by sending a crafted request to the target server. If the request succeeds, the attacker gains access to the product's web interface and can run arbitrary SQL in the security context of the database service, which runs with SYSTEM privileges.
A user with System privileges can add or edit a resource type in the products' web interface; that form is submitted as an HTTP multipart/form-data request to the AddResourceType.ve endpoint, which is the request path the vulnerability is reached through.
Affected versions, as listed in the advisory:
Zoho ManageEngine Password Manager Pro through 12120 (fixed in 12121)
Zoho ManageEngine Password Manager PAM360 through 5550 (fixed in 5600)
Zoho ManageEngine Password Manager Access Manager Plus through 4304 (fixed in 4305)
To determine whether CVE-2022-40300 has been exploited against your server, a detection device has to monitor traffic on the ports the vulnerable products listen on and inspect HTTP POST requests whose Request-URI contains the string /AddResourceType.ve.
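The detection rule described above, implemented as an added example (this is not code from the advisory or from ManageEngine). It applies the page's two criteria, HTTP method POST and a Request-URI containing /AddResourceType.ve, in two places a defender would have them: a web-server access log in combined log format, and a single raw HTTP request as an inline inspector would see it, where the multipart/form-data content type mentioned above is recorded as extra context. The log lines and the raw request are constructed for the example; the regex field names and the SuspectRequest type are this example's own.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# The indicator named in the advisory: a POST whose Request-URI contains this string.
INDICATOR = "/AddResourceType.ve"

# Combined-log-format line; only the fields needed for triage are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not from any real server). Only lines 2 and 3 should match:
# line 1 is a different path, line 4 is a GET to the indicator path.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2022:10:01:02 +0000] "GET /PassTrixMain.cc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - admin [12/Sep/2022:10:01:10 +0000] "POST /AddResourceType.ve HTTP/1.1" 200 342 "-" "Mozilla/5.0"
10.0.0.7 - admin [12/Sep/2022:10:01:11 +0000] "POST /AddResourceType.ve?x=1 HTTP/1.1" 500 89 "-" "python-requests/2.28"
10.0.0.9 - - [12/Sep/2022:10:02:00 +0000] "GET /AddResourceType.ve HTTP/1.1" 404 0 "-" "curl/7.85"
"""

# Constructed raw request, headers only, as an inline inspector would see it.
RAW_REQUEST = (
    b"POST /AddResourceType.ve HTTP/1.1\r\n"
    b"Host: pmp.example.internal\r\n"
    b"Content-Type: multipart/form-data; boundary=----constructed\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


@dataclass
class SuspectRequest:
    src: str
    user: str
    ts: str
    method: str
    uri: str
    status: int


def find_suspect_requests(log_text: str) -> list[SuspectRequest]:
    """Return every POST whose Request-URI contains the indicator, in log order."""
    hits: list[SuspectRequest] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess at its fields
        if m["method"] != "POST" or INDICATOR not in m["uri"]:
            continue
        hits.append(SuspectRequest(m["src"], m["user"], m["ts"],
                                   m["method"], m["uri"], int(m["status"])))
    return hits


def count_by_source(hits: list[SuspectRequest]) -> dict[str, int]:
    """Group hits by source address so repeated attempts from one host stand out."""
    return dict(Counter(h.src for h in hits))


def inspect_request(raw: bytes) -> Optional[dict]:
    """Wire-level check of one HTTP request: None unless it is a POST to the indicator URI.

    When it matches, the Content-Type is returned too, with a flag for
    multipart/form-data, the encoding the affected form normally uses.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None  # malformed request line
    method, uri, _version = parts
    if method != "POST" or INDICATOR not in uri:
        return None
    headers: dict[str, str] = {}
    for h in lines[1:]:
        name, sep, value = h.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "")
    return {
        "uri": uri,
        "content_type": ctype,
        "multipart": ctype.lower().startswith("multipart/form-data"),
    }


if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} user={hit.user} {hit.method} {hit.uri} -> {hit.status}")
    print(count_by_source(find_suspect_requests(SAMPLE_LOG)))
    print(inspect_request(RAW_REQUEST))
```

A match here means only that the vulnerable endpoint was posted to, which legitimate administrators also do when they add or edit a resource type; the source address, the authenticated user, a server error status, and an unusual client should be reviewed together before treating a hit as exploitation. The advisory does not name the listener ports, so the raw-request check is written port-agnostic and should be attached to whatever port the product is actually serving on.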
The Zero Day Initiative has said ManageEngine patched this and other SQL injections in September. Interestingly, the patch for PAM360 came a day after the patches for Password Manager Pro and Access Manager Plus. The vendor offers no other workarounds; applying these updates is the only way to fully protect yourself from these bugs.