“ZENworks Asset Manager is a Web-based management console that integrates asset inventory, software usage, software management and contract management,” writes Threatpost’s Brian Donohue. “Users can also access network device data and edit information through the console.”
“Vazquez … explains that the web console of ZENworks Asset Management provides two maintenance calls that can be used with hard-coded credentials,” The H Security reports. “One of the calls allows remote attackers to gain access to the filesystem, while the other call gives details of the software’s backend database credentials in clear text. Vazquez discovered the vulnerability in August and immediately wrote a Metasploit module to exploit it.”
“We are currently unaware of a practical solution to this problem,” the United States Computer Emergency Readiness Team (US-CERT) states.