# CVE-2022-47966 Scanner
CVE-2022-47966 is a critical unauthenticated remote code execution vulnerability affecting at least 24 on-premise ManageEngine products. The vulnerability applies only if SAML SSO is enabled. For some products it also applies if SAML SSO was previously enabled.
- CVE-2022-47966 was discoverd by [Khoadha of Viettel Cyber Security](https://twitter.com/_l0gg) and seems to have been patched in October 2022 for the affected products. The vulnerability resides in Apache Santuario, a third-party library used by all affected apps.
- However, ManageEngine only released a security advisory for this issue on January 10, 2023.
- On January 18, researchers at [@horizon3ai](https://github.com/horizon3ai) released a [technical deep dive](https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/) and a [PoC](https://github.com/horizon3ai/CVE-2022-47966) for this issue
- Since then, Rapid 7 (and others) have detected [exploitation of CVE-2022-47966 in the wild](https://www.rapid7.com/blog/post/2023/01/19/etr-cve-2022-47966-rapid7-observed-exploitation-of-critical-manageengine-vulnerability/).
This script is a free scanner that can be used to scan a several (but not yet all) of the affected ManageEngine products for CVE-2022-47966.
- Clone the repo
git clone https://github.com/vonahisec/CVE-2022-47966-Scan.git
- Enter the created directory
- Install the dependencies with pip. Depending on your local python3 setup, the required commands will be either:
pip install -r requirements.txt
pip3 install -r requirements.txt
usage: cve_2022_47966_scan.py [-h] [-f FILE] [-t TARGETS] [-o OUTPUT_DIR]
Scan ManageEngine web instances for CVE-2022-47966
-h, --help show this help message and exit
-f FILE File containing a list of URLs to scan
-t TARGETS Comma-separated list of URLs to scan
-o OUTPUT_DIR Output directory
## Supported products
Currently, the following affected products are fully supported:
- ManageEngine ADAudit Plus
- ManageEngine ADManager Plus
- ManageEngine Asset Explorer
- ManageEngine Endpoint Central (this likely includes Endpoint Central MSP although that version has not been separately tested)
- ManageEngine PAM 360
- ManageEngine ServiceDesk Plus (this likely includes ServiceDesk Plus MSP although that version has not been separately tested)
- ManageEngine SupportCenter Plus
In addition, the following products are partially supported, which means the script will obtain the version but cannot check of SAML is
- ManageEngine Active Directory 360 (AD360)
- ManageEngine ADSelfService Plus
The following products are not supported:
- ManageEngine Access Manager Plus
- ManageEngine Analytics Plus
- ManageEngine Application Control Plus
- ManageEngine Browser Security Plus
- ManageEngine Device Control Plus
- ManageEngine Endpoint DLP
- ManageEngine Key Manager Plus
- ManageEngine OS Deployer
- ManageEngine Password Manager Pro
- ManageEngine Patch Manager Plus
- ManageEngine Remote Access Plus
- ManageEngine Remote Monitoring and Management (RMM)
- ManageEngine Vulnerability Manager Plus
Support for some of these products may be added in the near future, though it seems unlikely that this script will ever support all.
## Vulnerability statuses
- `vulnerable`: The target is not patched and has SAML enabled
- `potentially_vulnerable`: The target is not patched and:
- the script was not able to determine if SAML was enable
- or SAML was not found enabled but the target would still be vulnerable if SAML was ever enabled for it
- `not_patched`: The target is not patched but SAML is not enabled. This means the target is not currently vulnerable, but could be rendered vulnerable by enabling SAML.
- `likely_not_vulnerable`: The target does not seem vulnerable based on the performed checks.
- `unknown`: The vulnerability status could not be determined, most likely because the product version could not be obtained or was not recognized.
The script will generate a JSON file called
## Output files
- `cve_2022_47966_scan.json` - JSON file with the product name, version, SAML configuration status, vulnerability status and other relevant information for any systems that were recognized by the script.
- `cve_2022_47966_scan.txt` - Text file with a human-readable breakdown of the results. This is identical to the report being printed to the console (minus the ANSI colors)
- `cve_2022_47966_scan_unidentified.json` - JSON file with information on systems that could not be identified, but still seem worth reporting on because the strings `ManageEngine` and/or `manageengine` were found in the response body sent by the server.
- The script currently uses only the self-reported build version to determine if a certain app is not patched. However, the self-reported build versions may not always be fully accurate, but they seem to give a correct indication of patch status in most cases.
- The script checks for specific strings in the server response body to see if SAML is configured for a certain app. Again, this may not always be 100% accurate, although false positives here are unlikely.
- Due to the large number of affected products, the script has been tested against a limited number of systems for each product. This may result in incorrect results for product versions that deviate from those tested. For instance, we noticed during testing that different versions of the same product sometimes present the self-reported version number in a different manner. As a result, the scanner may sometimes fail to identify the version for a product that is supported. However, in that case the scanner will still report on identifying the product and being unable to identify the version.
- In general, false negatives seem more likely than false positives.
In an attempt to provide relatively complete results despite the limitations mentioned above, the script reports on all systems, even those found not to be vulnerable as well as web apps that could be ManageEngine products but were not recognized by the script.
## So how intrusive is this thing?
The scanner is super light. For most of the supported apps, the scanner performs exactly two HTTP requests:
- A GET request to the provided URL (which should be the base URL for the app)
- An POST request with an empty body to the SAML endpoint
For a few products, one additional GET request is performed to manually follow a redirect.
For some products, the POST request is not even performed.
Please refer to the official [ManageEngine security advisory](https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html) for a full list of affected applications and the relevant patches.
## A note on support
This scanner is provided as is. PR's and issues are welcomed, and we hope to add support for additional targets in the near future. However, we cannot guarantee support for this tool.