Mender blog

CVE-2022-45929 & CVE-2022-41324 — Improper access control for low-privileged users

We recently discovered two access control vulnerabilities in Mender Enterprise. Low-privileged, read-only users could edit settings they were not supposed to edit, and could read potentially sensitive information they had no need to see.

Mender Enterprise comes with a system for role based access control (RBAC), with default roles for administrators, read-only users, and so on. Low-privileged roles are commonly used as part of a principle of least privilege approach, for granting a larger group of users limited access to the system. We discovered cases where users holding these default low-privileged roles could do more than they should be able to. Although we have not seen any abuse of this, we take the cautious approach: we fix the issues by further limiting access, and we transparently publish them as vulnerabilities (CVEs), since they could be used maliciously or lead to unintended situations.

CVE-2022-41324 — Read-only API access can leak secrets

The default role, Read Access, granted access to read device configuration data, including data used by the cloud integration feature, which may contain secret strings / credentials. Even though this access is technically read-only, access to potentially sensitive device information is not necessary for such a role, and was not clearly communicated in the UI or the documentation, so the Read Access role may not have been giving the security guarantees users expected. In general, this low-privileged role should not be able to read all data: only the devices the user has access to, and only the types of data and functionality a typical limited-access user needs (such as device inventory information).
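The underlying design point is that "read-only" should be an explicit list of resources, not "every GET". The following Go program is an added illustration written for this post, not Mender's own RBAC code; the endpoint paths and role names in it are hypothetical. It contrasts a read-only role defined as a broad GET prefix, which reaches a device configuration endpoint that may return credentials, with one that enumerates the read endpoints a limited user actually needs, and it normalises the request path before matching so a "../" segment cannot reach a denied resource via an allowed prefix.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
	"strings"
)

// Permission is one allowed (HTTP method, URL path) pair. A Method of "*"
// matches any method; a Pattern ending in "/*" matches any path under that
// prefix, otherwise the path must match exactly.
type Permission struct {
	Method  string
	Pattern string
}

// Role is a named set of permissions; anything not listed is denied.
type Role struct {
	Name        string
	Permissions []Permission
}

func (p Permission) matches(method, cleanPath string) bool {
	if p.Method != "*" && p.Method != method {
		return false
	}
	if strings.HasSuffix(p.Pattern, "/*") {
		return strings.HasPrefix(cleanPath, strings.TrimSuffix(p.Pattern, "*"))
	}
	return p.Pattern == cleanPath
}

// Allows reports whether the role permits the request. The path is cleaned
// first so that "../" segments cannot slip a denied resource under an
// allowed prefix.
func (r Role) Allows(method, urlPath string) bool {
	clean := path.Clean("/" + urlPath)
	for _, p := range r.Permissions {
		if p.matches(method, clean) {
			return true
		}
	}
	return false
}

// Hypothetical management API paths used in this example (assumptions, not
// Mender's real endpoint set).
const (
	inventoryDevice = "/api/management/v1/inventory/devices/d1"
	deviceConfig    = "/api/management/v1/deviceconfig/configurations/device/d1"
	userMe          = "/api/management/v1/useradm/users/me"
)

// BroadReadOnly is a read-only role defined as "every GET under the
// management API". It is read-only, but it also reaches every read endpoint
// that exists or is added later, including ones that return credentials.
var BroadReadOnly = Role{Name: "read-only (broad)", Permissions: []Permission{
	{Method: http.MethodGet, Pattern: "/api/management/*"},
}}

// ScopedReadOnly enumerates the resources a limited user actually needs;
// device configuration is simply not on the list.
var ScopedReadOnly = Role{Name: "read-only (scoped)", Permissions: []Permission{
	{Method: http.MethodGet, Pattern: "/api/management/v1/inventory/*"},
	{Method: http.MethodGet, Pattern: "/api/management/v1/deployments/*"},
	{Method: http.MethodGet, Pattern: userMe},
}}

func main() {
	// Constructed sample requests, including a traversal attempt.
	requests := [][2]string{
		{http.MethodGet, inventoryDevice},
		{http.MethodGet, deviceConfig},
		{http.MethodGet, "/api/management/v1/inventory/../deviceconfig/configurations/device/d1"},
		{http.MethodPut, userMe},
	}
	for _, r := range []Role{BroadReadOnly, ScopedReadOnly} {
		for _, req := range requests {
			fmt.Printf("%-20s %-4s %-72s allowed=%v\n", r.Name, req[0], req[1], r.Allows(req[0], req[1]))
		}
	}
}
```

When auditing a deployment, the useful check is the second role's behaviour: enumerate the endpoints that can return secrets (device configuration, integration settings) and confirm that the read-only role denies each of them rather than relying on a broad GET rule. Custom roles with explicit permissions, as the post notes, are exactly this scoped form.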

Impact

If an attacker gained control of a low-privileged user account with the default Read Access role, they could read some sensitive device information, such as any credentials / secrets used by the configure / cloud integration features. Organizations that use custom roles specifying the exact permissions they want to grant, instead of the default roles, are not affected by this issue.

Fix

To fix this issue, we have further restricted what the default Read Access role can access. The issue is fixed in versions 3.4.0 and 3.3.2, and the fix has been applied to hosted Mender. In the new versions, existing users with this default role are no longer affected. We recommend upgrading to 3.3.2 or 3.4.0 to fix the issue.

CVE-2022-45929 — Low-privileged users can edit their own roles

The API endpoint /api/management/v1/useradm/users/me lets users edit their own settings, such as email, password and two-factor authentication. Through the HTTP PUT method it was possible to edit more fields than intended (the endpoint accepted fields in the request body beyond the self-service ones, a classic mass assignment problem); notably, a low-privileged user could change their own role using this API.

Impact

If discovered, an attacker with access to a low-privileged user account could use this vulnerability to change that user's role and become an administrator (privilege escalation).

Fix

The issue was fixed in versions 3.5.0 / 3.6.0 and 3.3.2, and has been applied to hosted Mender. We recommend upgrading to 3.3.2 or 3.6.0 to fix the issue.

Contact

If you have any further questions about these issues, how to upgrade, or mitigate them, please contact our support team:

https://support.northern.tech

To contact our security team, for example if you believe you've found a security issue / vulnerability, see our security.txt file for more information.
