Heap Overflow Vulnerability in Asset Explorer Agent from SolarWinds
CVE-2021-20109

7.5HIGH

Key Information:

Vendor: Zohocorp
Status: Manage Engine Asset Explorer Agent
Vendor: CVE Published:; 19 July 2021

What is CVE-2021-20109?

The Asset Explorer agent suffers from a vulnerability due to insufficient validation of HTTPS certificates, allowing attackers on the local network to impersonate the Asset Explorer server. An attacker can statically configure their IP to match the server's; thereby manipulating communication with the agent. The exploitation occurs when a malicious actor sends a NEWSCAN request to a listening agent, which can lead to a heap overflow in the AEAgent.cpp source file. This happens if a POST payload response exceeds the 0x2000-byte buffer limit, as it is converted to Unicode without proper size checks, leading to potential denial of service or arbitrary code execution.

Affected Version(s)

Manage Engine Asset Explorer Agent 1.0.34

References

https://www.tenable.com/security/research/tra-2021-30

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 19, 2021
Vulnerability Reserved
Dec 17, 2020

Zohocorp

What is CVE-2021-20109?

Affected Version(s)

References

CVSS V3.1

Timeline