Block CVE-2022-47966 ManageEngine RCE on Linux endpoints by dropping ports 80, 443 and 15 CISA-listed attacker IPs
This Automox Worklet™ stages emergency firewall containment for CVE-2022-47966, the unauthenticated remote code execution flaw in the bundled Apache Santuario (xmlsec) XML signature library used by ManageEngine ServiceDesk Plus, Endpoint Central, ADSelfService Plus, Password Manager Pro, AccessManager Plus, and 19 other ManageEngine products. Vulnerable builds use an Apache Santuario version that fails to validate the XML signature on SAML SSO responses, letting an unauthenticated attacker post a crafted SAML response to execute arbitrary code as the ManageEngine service account.
The Worklet detects which firewall is present on the Linux endpoint (iptables or firewalld), creates a dedicated chain or zone named AX_CVE-2022-47966, adds DROP or reject rules for inbound TCP 80 and 443, and adds reject rules for 15 attacker IP addresses listed in CISA advisory AA23-250A. The Worklet reads a user variable named revert at run time, so setting revert=true and rerunning the Worklet removes the chain or zone once you have applied the vendor patch.
Run this Worklet on demand from the device page, the Run Policy menu, or FixNow. The evaluation script returns exit 0 by design, which keeps the Worklet from being scheduled like a routine policy and surprising a production web server with a blocked port 80.
CVE-2022-47966 carries a CVSS 9.8 rating and was added to the CISA Known Exploited Vulnerabilities catalog in January 2023. CISA, the FBI, and Cyber National Mission Force jointly documented APT activity (advisory AA23-250A) in which threat actors chained CVE-2022-47966 with the FortiOS CVE-2022-42475 SSL VPN flaw to compromise an aeronautical sector organization. From there, the actors deployed web shells under the ManageEngine ServiceDesk Plus directory, established persistence, harvested credentials with Mimikatz, and moved laterally. The bug sits in the SAML SSO handler, so any internet-facing ManageEngine instance with SSO enabled is a viable initial-access target.
The vendor fix is the set of patched builds published by Zoho: ServiceDesk Plus 14004 and later, Endpoint Central 10.1.2228.11 and later, ADSelfService Plus 6121 and later, and the equivalent build floors for the remaining 21 affected products. Patching takes a maintenance window, an account with database privileges, and an upgrade test. Firewall containment buys you that window.
Evaluation phase: Returns exit 0 unconditionally. The evaluation script is intentionally a no-op so the policy does not auto-schedule remediation on every fleet member. You run the Worklet against a chosen Linux endpoint via the device page, the Run Policy menu, or a FixNow targeting only the vulnerable ManageEngine servers.
Remediation phase: Calls an id_firewall function that uses which to detect whether iptables or firewalld is installed. For firewalld, runs firewall-cmd --permanent --new-zone=AX_CVE-2022-47966, then --add-port=80/tcp, --add-port=443/tcp, and a rich-rule reject for each of the 15 attacker IPs, then firewall-cmd --reload. For iptables, creates the AX_CVE-2022-47966 chain with iptables -N, appends DROP rules for destination ports 80 and 443, and DROP rules for each of the 15 source IPs. Setting revert=true runs firewall-cmd --permanent --delete-zone or iptables -F AX_CVE-2022-47966 to undo the changes.
Linux endpoint running a vulnerable Zoho ManageEngine product (ServiceDesk Plus < 14004, Endpoint Central < 10.1.2228.11, ADSelfService Plus < 6121, Password Manager Pro < 12101, AccessManager Plus < 4308, or one of the 19 other affected builds)
iptables or firewalld installed and on the path (the script uses which iptables or which firewalld to detect)
Root or sudo privileges for the Automox agent (the default agent context already meets this)
Manual execution via the device page, Run Policy menu, or FixNow; do not assign the Worklet to a scheduled policy
Acceptance that inbound TCP 80 and 443 will be dropped for every service on the endpoint, not only ManageEngine (apply only to dedicated ManageEngine hosts, not shared web servers)
A planned follow-up policy to deploy the Zoho patched build (ServiceDesk Plus 14004+, Endpoint Central 10.1.2228.11+) and a separate Worklet run with revert=true to remove the temporary chain or zone
On a firewalld endpoint, a permanent zone named AX_CVE-2022-47966 is present after the reload, with ports 80/tcp and 443/tcp listed and 15 rich-rule rejects for the CISA-published attacker IPs (192.142.226.153, 144.202.2.71, 207.246.105.240, 45.77.121.232, 47.90.240.218, 45.90.123.194, 154.6.91.26, 154.6.93.22, 154.6.93.5, 154.6.93.12, 154.6.93.32, 154.6.93.24, 184.170.241.27, 191.96.106.40, 102.129.145.232). On an iptables endpoint, the AX_CVE-2022-47966 chain holds two destination-port DROP rules and 15 source-address DROP rules in the order the script appended them.
Verify the rules landed with firewall-cmd --info-zone=AX_CVE-2022-47966 or iptables -L AX_CVE-2022-47966 -n -v. The Automox Activity Log for the policy run captures the per-IP block lines printed by the script. Note that the script creates a chain or zone but does not bind it to an interface or jump to it from the INPUT chain, so you may need to attach the zone to your active network interface (firewall-cmd --zone=AX_CVE-2022-47966 --change-interface=eth0 --permanent) or add an INPUT jump (iptables -I INPUT -j AX_CVE-2022-47966) for the rules to take effect. After you deploy the vendor patch (Zoho's ServiceDesk Plus 14004 or the equivalent fixed build), rerun the Worklet with revert=true in the user variables block at the top of the remediation script; the script then deletes the zone or flushes the chain and the endpoint returns to its previous inbound policy.
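The following script is an added example, not the Automox Worklet's own code, written to show the remediation and revert steps above as one runnable Bash file, including the INPUT jump the verification note says the Worklet omits. The chain name AX_CVE-2022-47966 and the 15 attacker IPs are taken from this page; the IFACE, ZONE, FIREWALL and DRY_RUN variables are my own, and `revert` stands in for the Worklet user variable. It departs from the page's firewalld design in one respect: instead of creating a new zone and binding it to the interface, it adds the reject rich rules to the zone already governing that interface, because a zone created with --new-zone keeps firewalld's default target and would reject every other inbound service on the interface once bound. DRY_RUN=1 (the default) prints each firewall command instead of executing it, so the plan can be reviewed before running it live as root with DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example (not the Automox Worklet's own script): emergency containment
# for CVE-2022-47966 following the steps described on this page.
# Assumptions, all constructed here: the chain name and the 15 AA23-250A
# attacker IPs come from the page; IFACE, ZONE, FIREWALL and DRY_RUN are my
# own variables; `revert` is the Worklet user variable read from the
# environment (revert=true removes the rules again).

CHAIN="AX_CVE-2022-47966"
PORTS="80 443"
ATTACKER_IPS="192.142.226.153 144.202.2.71 207.246.105.240 45.77.121.232
47.90.240.218 45.90.123.194 154.6.91.26 154.6.93.22 154.6.93.5 154.6.93.12
154.6.93.32 154.6.93.24 184.170.241.27 191.96.106.40 102.129.145.232"
revert="${revert:-false}"
IFACE="${IFACE:-eth0}"   # interface facing the ManageEngine clients (assumed)
DRY_RUN="${DRY_RUN:-1}"  # 1 = print each firewall command instead of running it

# Print (dry run) or execute one firewall command.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Number of attacker IPs in the list (15, matching the advisory).
ip_count() { set -- $ATTACKER_IPS; echo "$#"; }

# Detect the host firewall the way the Worklet does (command lookup).
id_firewall() {
  if command -v firewall-cmd >/dev/null 2>&1; then echo firewalld
  elif command -v iptables >/dev/null 2>&1; then echo iptables
  else echo none; fi
}

# firewalld zone currently governing IFACE. The rejects go into that zone
# rather than a new one: a zone made with --new-zone keeps the default target
# and would reject every other inbound service once bound to the interface.
active_zone() {
  if [ "$DRY_RUN" = 1 ]; then echo "${ZONE:-public}"
  else firewall-cmd --get-zone-of-interface="$IFACE"; fi
}

# The same rich rules are used to add and to remove, so the revert is exact.
rich_rules() {
  for p in $PORTS; do
    printf 'rule family="ipv4" port port="%s" protocol="tcp" reject\n' "$p"
  done
  for ip in $ATTACKER_IPS; do
    printf 'rule family="ipv4" source address="%s" reject\n' "$ip"
  done
}

# $1 = add | remove
firewalld_rules() {
  local verb="$1" zone
  zone=$(active_zone)
  rich_rules | while IFS= read -r rule; do
    run firewall-cmd --permanent --zone="$zone" "--${verb}-rich-rule=$rule"
  done
  run firewall-cmd --reload
}

apply_rules() {
  case "$1" in
    iptables)
      run iptables -N "$CHAIN" 2>/dev/null || true   # harmless if it exists
      run iptables -F "$CHAIN"                        # makes reruns idempotent
      for p in $PORTS; do run iptables -A "$CHAIN" -p tcp --dport "$p" -j DROP; done
      for ip in $ATTACKER_IPS; do run iptables -A "$CHAIN" -s "$ip" -j DROP; done
      # Without a jump from INPUT the chain is inert (see the verification note).
      if [ "$DRY_RUN" = 1 ] || ! iptables -C INPUT -j "$CHAIN" 2>/dev/null; then
        run iptables -I INPUT -j "$CHAIN"
      fi ;;
    firewalld) firewalld_rules add ;;
    *) echo "unsupported firewall: $1" >&2; return 1 ;;
  esac
}

revert_rules() {
  case "$1" in
    iptables)
      run iptables -D INPUT -j "$CHAIN" 2>/dev/null || true
      run iptables -F "$CHAIN"
      run iptables -X "$CHAIN" ;;
    firewalld) firewalld_rules remove ;;
    *) echo "unsupported firewall: $1" >&2; return 1 ;;
  esac
}

main() {
  local fw
  fw="${FIREWALL:-$(id_firewall)}"
  # In a dry run on a host with neither tool, show the iptables plan.
  [ "$fw" = none ] && [ "$DRY_RUN" = 1 ] && fw=iptables
  if [ "$revert" = true ]; then revert_rules "$fw"; else apply_rules "$fw"; fi
}

main "$@"
```

Run it once with the default DRY_RUN=1 to review the plan, then `DRY_RUN=0 bash contain.sh` as root to apply it; `revert=true DRY_RUN=0 bash contain.sh` removes exactly the rules it added. In the iptables path the chain is flushed before rules are appended and the INPUT jump is only inserted if absent, so rerunning the script does not stack duplicate rules.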