Mender blog

CVE-2022-45929 & CVE-2022-41324 — Improper access control for low-privileged users

We recently discovered vulnerabilities in Mender Enterprise which relate to access control. Low-privileged read-only users had access to editing settings they were not supposed to edit and see potentially sensitive information which was not necessary.

Mender Enterprise comes with a system for role based access control (RBAC), and default roles for administrators, read-only users, etc. Low-privileged roles are commonly used as part of a principle of least privilege approach, when granting a larger group of users access to the system in a limited manner. We've discovered some cases where these low-privileged users (with default roles) had access to do more than they should be able to. Even though we haven't seen any abuse of this, we take the cautious approach, fixing the issues (by further limiting access) and transparently publicizing information about these issues as vulnerabilities (CVEs), since they could be used maliciously or lead to unintended situations.

CVE-2022-41324 — Read-only API access can leak secrets

The default role, Read Access, granted access to read device configuration data, including data used for the cloud integration feature, which may include secret strings / credentials. Even though this access is technically read only, access to potential sensitive device information is not necessary, and was not clearly communicated in the UI nor documentation. Thus the Read Access role may not have been giving the security guarantees the user expected. In general, this low-privileged role should not be able to read all data, only the devices they have access to and only the type of data and functionality which is necessary for a typical limited access user (such as device inventory information).

Impact

If an attacker gained control over a low-privileged user (which has the default Read Access role), they could read some sensitive device information, such as credentials / secrets used in the configure / cloud integration feature (if any). Organizations which instead of using the default roles, use custom roles which specify the exact permissions they would like to grant are not affected by this issue.

Fix

To fix this issue, we have further restricted what the default Read Access role has access to. The issue was fixed in versions 3.4.0 and 3.3.2, and has been applied to hosted Mender. In the new versions, all existing users with this default role are no longer affected by this issue. We recommend upgrading to 3.3.2 or 3.4.0 to fix the issue.

CVE-2022-45929 — Low-privileged users can edit their own roles

The API endpoint /api/management/v1/useradm/users/me allows users to edit their own settings, such as email, password, 2-factor authentication, etc. Through the HTTP PUT method, it was possible to edit more fields than intended, notably a low-privileged user could change their own role using this API.

Impact

If discovered, an attacker with access to a low-privileged user could use this vulnerability to edit that user and become an administrator (privilege escalation).

Fix

The issue was fixed in versions 3.5.0 / 3.6.0 and 3.3.2, and has been applied to hosted Mender. We recommend upgrading to 3.3.2 or 3.6.0 to fix the issue.

Contact

If you have any further questions about these issues, how to upgrade, or mitigate them, please contact our support team:

https://support.northern.tech

To contact our security team, for example if you believe you've found a security issue / vulnerability, see our security.txt file for more information.

Recent articles

How OTA updates enhance software-defined vehicles

How OTA updates enhance software-defined vehicles

Discover how OTA updates enhance software-defined vehicles by improving safety, reducing recalls, and delivering benefit to producers and consumers.
Enhancing maritime security and connectivity: The critical role of OTA updates in fleet management

Enhancing maritime security and connectivity: The critical role of OTA updates in fleet management

Explore the critical role of OTA updates in maritime fleet management, ensuring enhanced security, performance, and continuous connectivity across vessels.
How to leverage over-the-air (OTA) updates for NVIDIA Jetson Platform Services

How to leverage over-the-air (OTA) updates for NVIDIA Jetson Platform Services

To enable software installation, updates, management, and support across the Jetson device fleet and at scale – Mender, in collaboration with NVIDIA, published three critical use cases for NVIDIA developers.
View more articles

Learn why leading companies choose Mender

Discover how Mender empowers both you and your customers with secure and reliable over-the-air updates for IoT devices. Focus on your product, and benefit from specialized OTA expertise and best practices.

 
sales-pipeline_295756365