RULE(RULE ID:321595)

Rule General Information
Release Date: 2018-10-15
Rule Name: Zoho ManageEngine OpManager oputilsServlet Authentication Bypass Vulnerability -1 (CVE-2018-17283)
Severity:
CVE ID:
Rule Protection Details
Description: Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter.
Impact: This issue affects an unknown function of the file /oputilsServlet. The manipulation of the argument action with the input value getAPIKey leads to a privilege escalation vulnerability.
Affected OS: Network Device, Solaris, FreeBSD, Windows, Mac OS, iOS, Other Unix, Linux, Others, Android
Reference: https://vuldb.com/?id.124337
https://github.com/x-f1v3/ForCve/issues/4
https://www.manageengine.com/network-monitoring/help/read-me.html
Solutions
Upgrading to version 12.3 Build 123196 eliminates this vulnerability.