The issue was responsibly disclosed to the Northern.tech security team by an external security researcher (Muhammad Qasim Munir). We have no indications of this issue being used maliciously or being known outside of Northern.tech and the security researcher who reported it. During our internal investigation, we have concluded that it is not being used to attack any customers in our Hosted Mender SaaS offering. All our affected on-premise customers have been contacted ahead of this public announcement and had time to address the issue.
Description
Through using an external SAML service and integrating it with a Mender tenant, an attacker could create duplicate users and use these to take over existing users in other tenants in a multi-tenant setup of Mender Enterprise.
Impact
An authenticated user with access to manage users in a third-party SAML service (or with access in Mender to set that up) could use a bug in the authentication code to take over any account in any tenant which is using username + password to log in. (This includes users which use a username + password + TOTP 2FA.) In a single-tenant scenario, this is not very problematic; someone with admin-level access already has a lot of possibilities to cause damage within that tenant. However, in a multi-tenant setup, the impact of this is severe; it compromises the security of tenant separation, RBAC, and authentication.
Fix
If you are using Hosted Mender, this issue has already been patched, and no action is needed from you.
Mender Enterprise on-prem customers can fix the issue by upgrading to the latest release on our supported 3.6 and 3.7 branches. Upgrade instructions are found in the email sent to your security contact on May 3rd, 2024, and are also available in our documentation (3.7, 3.6).
If you have any questions about upgrading, the vulnerability, or other aspects of Mender, feel free to reach out to our support.
Recommendations
In this case, the vulnerability required authenticated access to a privileged account (which can set up or manage SAML). We'd like to take this opportunity to repeat some security recommendations that can help mitigate or prevent the abuse of vulnerabilities like this one:
- If using passwords, ensure they are strong and unique, and enable two-factor authentication.
- Limit access to only the people necessary and the level of access necessary. Especially admin-level operations, such as user management and integrations, should be limited to a small number of trusted administrators.
- Ensure good routines for revoking access and removing user accounts when employees leave the company, or access is no longer needed.
- Ensure Mender and other software are up-to-date with the latest releases so any known vulnerabilities are fixed as soon as possible.
