1. Introduction
2. Technical Explanation
A SQL injection vulnerability exists within the configuration search functionality of ManageEngine NCM prior to version 12.5.465. It is caused by insufficient input validation when the feature processes user-supplied data. An attacker can inject malicious SQL code into the application, which is then executed by the database server. Nessus detects this issue by relying on the application's self-reported version number.
- Root cause: Missing or inadequate input validation within the configuration search functionality allows unfiltered user data to be passed directly to the SQL query.
- Exploit mechanism: An attacker crafts a malicious request containing SQL code in the configuration search parameters, which is then executed by the database server. For example, an attacker could use a crafted URL parameter to bypass authentication or retrieve sensitive data from other tables.
- Scope: ManageEngine NCM versions prior to 12.5.465 are affected.
3. Detection and Assessment
To confirm whether your system is vulnerable, check the installed version of ManageEngine NCM. A thorough assessment also involves reviewing application logs for suspicious activity related to configuration searches.
- Quick checks: Check the product version via the web interface (typically found in Help > About).
- Scanning: Nessus vulnerability ID 65feb052 is one example of a scanner check for this issue, but it relies on self-reported version numbers.
- Logs and evidence: Review application logs for unusual SQL queries or errors related to configuration searches. Specific log paths will vary depending on the NCM installation.
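One way to triage logs for the evidence described above, as an added example (not vendor tooling and not part of the original advisory). The log line layout, the `ConfigSearch` marker, the `user=` field and the error signatures are assumptions; adapt them to what your installation actually writes.

```python
import re

# Assumption: error fragments that PostgreSQL and SQL Server drivers emit for
# malformed queries. Extend for the database your installation uses.
SQL_ERROR_SIGNATURES = [re.compile(p, re.I) for p in (
    r"syntax error at or near",
    r"unterminated quoted string",
    r"unclosed quotation mark",
    r"incorrect syntax near",
    r"SQLException",
)]

# Assumption: text that marks configuration-search activity in your logs.
SEARCH_CONTEXT = re.compile(r"config(uration)?\s*search", re.I)
USER_FIELD = re.compile(r"user=(\S+)")

# Constructed sample lines; this layout is hypothetical, not NCM's real format.
SAMPLE_LOG = """\
2021-10-01 09:14:02 INFO  [ConfigSearch] user=admin results=12
2021-10-01 09:14:40 ERROR [ConfigSearch] user=guest PSQLException: ERROR: syntax error at or near "'"
2021-10-01 09:15:03 ERROR [Discovery] device 10.0.0.5 timed out
2021-10-01 09:15:44 ERROR [ConfigSearch] user=guest ERROR: unterminated quoted string at or near "'"
2021-10-01 09:16:10 WARN  [Backup] java.sql.SQLException: connection reset
"""

def find_suspicious(lines, burst_threshold=2):
    """Return (hits, noisy_users).

    hits: (line_no, user, line) for database errors logged in search context.
    noisy_users: users with at least burst_threshold such errors.
    """
    hits, per_user = [], {}
    for no, line in enumerate(lines, 1):
        # Require both conditions so unrelated database errors are not flagged.
        if not SEARCH_CONTEXT.search(line):
            continue
        if not any(sig.search(line) for sig in SQL_ERROR_SIGNATURES):
            continue
        m = USER_FIELD.search(line)
        user = m.group(1) if m else "unknown"
        hits.append((no, user, line.strip()))
        per_user[user] = per_user.get(user, 0) + 1
    noisy = sorted(u for u, n in per_user.items() if n >= burst_threshold)
    return hits, noisy

if __name__ == "__main__":
    hits, noisy = find_suspicious(SAMPLE_LOG.splitlines())
    for no, user, line in hits:
        print(f"line {no} user={user}: {line}")
    print("users with repeated SQL errors:", noisy)
```

Repeated database syntax errors from one account in search context are a reason to look closer, not proof of exploitation; a clean result does not show that nothing happened if the application does not log query errors.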
4. Solution / Remediation Steps
Apply the latest patch or upgrade to a non-vulnerable version of ManageEngine NCM. Follow these steps to fix the issue.
4.1 Preparation
- Ensure you have downloaded the correct patch or upgrade package from the vendor’s website.
- A rollback plan involves restoring the backed-up database and configuration files.
- A change window may be required, depending on your environment. Approval from relevant stakeholders may also be needed.
4.2 Implementation
- Step 1: Download ManageEngine NCM version 12.5.465 or later from the vendor’s website.
- Step 2: Stop the ManageEngine NCM service.
- Step 3: Install the downloaded patch or upgrade package following the vendor’s instructions.
- Step 4: Start the ManageEngine NCM service.
4.3 Config or Code Example
Before: No specific configuration example is available, as this is an application-level vulnerability that requires patching. The root cause is insufficient input validation in the code.
After: Once the patch is applied, the application includes proper input validation to prevent SQL injection attacks. No specific configuration change is required.
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help mitigate this type of vulnerability. Least privilege reduces impact if exploited. Input validation blocks unsafe data, preventing malicious code from being executed. Patch cadence ensures timely application of security updates.
- Practice 1: Implement the principle of least privilege to limit the potential damage caused by a successful SQL injection attack.
- Practice 2: Enforce strict input validation on all user-supplied data to prevent malicious code from being injected into the system.
4.5 Automation (Optional)
No specific automation script is provided, as this vulnerability requires a full application patch or upgrade.
5. Verification / Validation
Confirm the fix by verifying the updated version of ManageEngine NCM and re-testing the configuration search functionality. Perform a simple service smoke test to ensure core features remain operational.
- Post-fix check: Check the product version via the web interface (Help > About) to confirm it is 12.5.465 or later.
- Re-test: Run Nessus vulnerability ID 65feb052 again; it should no longer report the vulnerability.
- Smoke test: Verify that users can still log in and perform basic configuration searches without errors.
- Monitoring: Continue to monitor application logs for unusual SQL queries or errors related to configuration searches, as a way of detecting regressions.
6. Preventive Measures and Monitoring
Update security baselines to include the latest patch level for ManageEngine NCM. Add checks in CI/CD pipelines to prevent deployment of vulnerable versions. Implement a regular patch review cycle that fits your risk profile.
- Baselines: Update your security baseline or policy to require version 12.5.465 or later of ManageEngine NCM.
- Pipelines: Add checks in your CI/CD pipeline to scan for known vulnerabilities, including this SQL injection issue.
- Asset and patch process: Establish a sensible patch or configuration review cycle (e.g., monthly) to ensure timely application of security updates.
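A baseline or pipeline check for the 12.5.465 requirement can be as small as the following added example (not from the original advisory or the vendor). It assumes version strings in the dotted form shown under Help > About have already been collected into an inventory; the host names and versions are constructed sample data.

```python
import re

FIXED = (12, 5, 465)  # first non-vulnerable version according to this advisory

def parse_version(text):
    """Parse a dotted version such as '12.5.465' into ints, or None if malformed."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(part) for part in m.groups()) if m else None

def assess(inventory):
    """Map each host to 'ok', 'vulnerable' or 'unknown'."""
    result = {}
    for host, reported in inventory.items():
        version = parse_version(reported)
        if version is None:
            # An unreadable version must not pass the gate silently.
            result[host] = "unknown"
        elif version < FIXED:
            # Tuple comparison is numeric per component, unlike string comparison.
            result[host] = "vulnerable"
        else:
            result[host] = "ok"
    return result

def gate(inventory):
    """Exit status for a pipeline step: 0 only if every host is on a fixed version."""
    return 0 if all(s == "ok" for s in assess(inventory).values()) else 1

# Constructed inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "ncm-prod-01": "12.5.465",
    "ncm-prod-02": "12.5.99",   # older numerically, yet sorts after "12.5.465" as text
    "ncm-lab-01": "12.6.0",
    "ncm-dr-01": "not reported",
}

if __name__ == "__main__":
    for host, status in assess(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
    raise SystemExit(gate(SAMPLE_INVENTORY))
```

Because the input is the same self-reported version that the scanner relies on, this check confirms patch level only; it does not test the configuration search itself.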
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Patching may cause temporary service disruption. Mitigate by scheduling during a maintenance window.
- Risk or side effect 2: Compatibility issues with other integrated systems are possible. Test in a non-production environment first.
- Roll back: 1) Stop the ManageEngine NCM service. 2) Restore the backed-up database and configuration files. 3) Start the ManageEngine NCM service.
8. References and Resources
- Vendor advisory or bulletin: http://www.nessus.org/u?65feb052
- NVD or CVE entry: CVE-2021-41081
- Product or platform documentation relevant to the fix: No specific link available. Refer to ManageEngine NCM release notes for version 12.5.465.