Mender Enterprise comes with a system for role based access control (RBAC), and default roles for administrators, read-only users, etc. Low-privileged roles are commonly used as part of a principle of least privilege approach, when granting a larger group of users access to the system in a limited manner. We've discovered some cases where these low-privileged users (with default roles) had access to do more than they should be able to. Even though we haven't seen any abuse of this, we take the cautious approach, fixing the issues (by further limiting access) and transparently publicizing information about these issues as vulnerabilities (CVEs), since they could be used maliciously or lead to unintended situations.
The default role, Read Access, granted access to read device configuration data, including data used for the cloud integration feature, which may include secret strings / credentials. Even though this access is technically read only, access to potential sensitive device information is not necessary, and was not clearly communicated in the UI nor documentation. Thus the Read Access role may not have been giving the security guarantees the user expected. In general, this low-privileged role should not be able to read all data, only the devices they have access to and only the type of data and functionality which is necessary for a typical limited access user (such as device inventory information).
If an attacker gained control over a low-privileged user (which has the default Read Access role), they could read some sensitive device information, such as credentials / secrets used in the configure / cloud integration feature (if any). Organizations which instead of using the default roles, use custom roles which specify the exact permissions they would like to grant are not affected by this issue.
To fix this issue, we have further restricted what the default Read Access role has access to. The issue was fixed in versions 3.4.0 and 3.3.2, and has been applied to hosted Mender. In the new versions, all existing users with this default role are no longer affected by this issue. We recommend upgrading to 3.3.2 or 3.4.0 to fix the issue.
The API endpoint /api/management/v1/useradm/users/me
allows users to edit their own settings, such as email, password, 2-factor authentication, etc. Through the HTTP PUT method, it was possible to edit more fields than intended, notably a low-privileged user could change their own role using this API.
If discovered, an attacker with access to a low-privileged user could use this vulnerability to edit that user and become an administrator (privilege escalation).
The issue was fixed in versions 3.5.0 / 3.6.0 and 3.3.2, and has been applied to hosted Mender. We recommend upgrading to 3.3.2 or 3.6.0 to fix the issue.
If you have any further questions about these issues, how to upgrade, or mitigate them, please contact our support team:
https://support.northern.tech
To contact our security team, for example if you believe you've found a security issue / vulnerability, see our security.txt file for more information.