CVE-2024-37019 - Account takeover using SAML

We recently discovered a security vulnerability in the Mender Enterprise backend. The vulnerability has been fixed in Hosted Mender, as well as Mender Enterprise on-prem versions 3.6.4 and 3.7.4. 

The issue was responsibly disclosed to the Northern.tech security team by an external security researcher (Muhammad Qasim Munir). We have no indications of this issue being used maliciously or being known outside of Northern.tech and the security researcher who reported it. During our internal investigation, we have concluded that it is not being used to attack any customers in our Hosted Mender SaaS offering. All our affected on-premise customers have been contacted ahead of this public announcement and had time to address the issue.

Description

Through using an external SAML service and integrating it with a Mender tenant, an attacker could create duplicate users and use these to take over existing users in other tenants in a multi-tenant setup of Mender Enterprise.

Impact

An authenticated user with access to manage users in a third-party SAML service (or with access in Mender to set that up) could use a bug in the authentication code to take over any account in any tenant which is using username + password to log in. (This includes users which use a username + password + TOTP 2FA.) In a single-tenant scenario, this is not very problematic; someone with admin-level access already has a lot of possibilities to cause damage within that tenant. However, in a multi-tenant setup, the impact of this is severe; it compromises the security of tenant separation, RBAC, and authentication.

Fix

If you are using Hosted Mender, this issue has already been patched, and no action is needed from you.

Mender Enterprise on-prem customers can fix the issue by upgrading to the latest release on our supported 3.6 and 3.7 branches. Upgrade instructions are found in the email sent to your security contact on May 3rd, 2024, and are also available in our documentation (3.7, 3.6).

If you have any questions about upgrading, the vulnerability, or other aspects of Mender, feel free to reach out to our support.

Recommendations

In this case, the vulnerability required authenticated access to a privileged account (which can set up or manage SAML).  We'd like to take this opportunity to repeat some security recommendations that can help mitigate or prevent the abuse of vulnerabilities like this one:

  • If using passwords, ensure they are strong and unique, and enable two-factor authentication.
  • Limit access to only the people necessary and the level of access necessary. Especially admin-level operations, such as user management and integrations, should be limited to a small number of trusted administrators.
  • Ensure good routines for revoking access and removing user accounts when employees leave the company, or access is no longer needed.
  • Ensure Mender and other software are up-to-date with the latest releases so any known vulnerabilities are fixed as soon as possible.

Recent articles

Enhancing Sustainability in Oil & Gas: Tackling Methane Emissions with Cutting-Edge Solutions

Enhancing Sustainability in Oil & Gas: Tackling Methane Emissions with Cutting-Edge Solutions

The oil and gas industry faces a crucial environmental challenge in pursuit of a greener and more sustainable future: reducing methane emissions.
The top challenge for autonomous vehicles: What does adding AI to cars mean for OEMs?

The top challenge for autonomous vehicles: What does adding AI to cars mean for OEMs?

The critical question for the automotive industry is: how can you shorten the time to market and innovate faster in software and AVs to meet more demanding customer requirements?
What’s New in Mender 3.7: Introducing the C++ Client for portability

What’s New in Mender 3.7: Introducing the C++ Client for portability

Mender 3.7 is released, including all the features published on hosted Mender over the last few months as part of our continuous development and rolling release process.
View more articles

Learn more about Mender

Explore our Resource Center to discover more about how Mender empowers both you and your customers with secure and reliable over-the-air updates for IoT devices.

 
sales-pipeline_295756365