
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-28219 is an unauthenticated remote code execution vulnerability affecting Zoho ManageEngine ADAudit Plus, a compliance tool used by enterprises to monitor changes to Active Directory. The vulnerability was discovered in March 2022 and fixed in build 7060 released on March 30, 2022. The vulnerability comprises several issues: untrusted Java deserialization, path traversal, and a blind XML External Entities (XXE) injection, affecting all versions of ADAudit Plus before build 7060 (Horizon3 Blog, ManageEngine Advisory).
The vulnerability consists of multiple components working together: an unauthenticated /cewolf endpoint that allows for Java deserialization and path traversal, and a blind XXE vulnerability in the ProcessTrackingListener class. The XXE vulnerability exists because the application parses XML with Java's DocumentBuilderFactory in its dangerous default configuration, which resolves external entities declared in a DOCTYPE. Exploitation is particularly effective on systems running Java 8u051, which is bundled with ADAudit Plus by default. On these systems, the blind XXE can be used to exfiltrate files over FTP, get directory listings, and upload files (Horizon3 Blog).
The vulnerability allows unauthenticated attackers to achieve remote code execution on the affected systems. In cases where ADAudit Plus is configured with domain administrator credentials, which is common in real-world deployments, attackers can potentially compromise the entire Active Directory domain. The application's integration with Active Directory requires stored credentials, which can be accessed if the encryption is reversed, potentially exposing highly privileged accounts (Horizon3 Blog).
Organizations should upgrade to ADAudit Plus build 7060 or later, which fixes the vulnerability by removing the /cewolf endpoint altogether, using a securely configured DocumentBuilderFactory in the ProcessTrackingListener class, and requiring authentication between agents and ADAudit Plus. Additionally, it is recommended to configure ADAudit Plus with a dedicated service account that has restricted privileges rather than using domain administrator credentials (ManageEngine Advisory).
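The root cause and the fix described above both come down to how DocumentBuilderFactory is configured. The following is an added example, not code from ADAudit Plus, Horizon3 or ManageEngine, that contrasts a default-configured parser with a hardened one on a constructed XML document whose DOCTYPE declares an external entity pointing at a temporary file the program itself creates. The class name XxeHardening, the helper names and the sample document are assumptions for illustration; the feature and attribute names are the standard JAXP/Xerces settings. The hardened configuration rejects the DOCTYPE before any entity is resolved, regardless of which JDK build is in use.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class XxeHardening {

    // Constructed sample: builds an XML document whose DOCTYPE declares an
    // external general entity that points at a file on the local disk.
    static String sampleXml(Path localFile) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE data [ <!ENTITY ext SYSTEM \"" + localFile.toUri() + "\"> ]>\n"
             + "<data>&ext;</data>";
    }

    // Default factory: the configuration the advisory calls dangerous.
    // No features are disabled, so external entities are resolved.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory: DOCTYPE declarations are rejected outright, and the
    // remaining settings are defence in depth in case disallow-doctype-decl
    // is not supported by the parser implementation in use.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5 properties: forbid all external DTD and schema access.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    // Parses the document and reports either the resolved text content
    // (entity was expanded) or the parser's rejection message.
    static String parseWith(DocumentBuilderFactory dbf, String xml) {
        try {
            DocumentBuilder db = dbf.newDocumentBuilder();
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            return "parsed: " + doc.getDocumentElement().getTextContent();
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed local file standing in for anything an attacker-controlled
        // entity might reference; deleted again at the end of the run.
        Path tmp = Files.createTempFile("xxe-demo", ".txt");
        Files.write(tmp, "contents-of-local-file".getBytes(StandardCharsets.UTF_8));
        try {
            String xml = sampleXml(tmp);
            System.out.println("default  -> " + parseWith(defaultFactory(), xml));
            System.out.println("hardened -> " + parseWith(hardenedFactory(), xml));
        } finally {
            Files.deleteIfExists(tmp);
        }
    }
}
```

Run with `javac XxeHardening.java && java XxeHardening`. The default line shows the temp file's text inside the parsed element, which is exactly the behaviour a blind XXE turns into file exfiltration; the hardened line shows a SAXParseException stating that DOCTYPE is disallowed. Reviewing an application's DocumentBuilderFactory (and SAXParserFactory, XMLInputFactory and TransformerFactory) instantiations for the absence of these settings is a quick way to find the same class of defect elsewhere.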
Source: This report was generated using AI