Mender blog

CVE-2024-37019 - Account takeover using SAML

We recently discovered a security vulnerability in the Mender Enterprise backend. The vulnerability has been fixed in Hosted Mender, as well as Mender Enterprise on-prem versions 3.6.4 and 3.7.4. 

The issue was responsibly disclosed to the Northern.tech security team by an external security researcher (Muhammad Qasim Munir). We have no indications of this issue being used maliciously or being known outside of Northern.tech and the security researcher who reported it. During our internal investigation, we have concluded that it is not being used to attack any customers in our Hosted Mender SaaS offering. All our affected on-premise customers have been contacted ahead of this public announcement and had time to address the issue.

Description

Through using an external SAML service and integrating it with a Mender tenant, an attacker could create duplicate users and use these to take over existing users in other tenants in a multi-tenant setup of Mender Enterprise.

Impact

An authenticated user with access to manage users in a third-party SAML service (or with access in Mender to set that up) could use a bug in the authentication code to take over any account in any tenant which is using username + password to log in. (This includes users which use a username + password + TOTP 2FA.) In a single-tenant scenario, this is not very problematic; someone with admin-level access already has a lot of possibilities to cause damage within that tenant. However, in a multi-tenant setup, the impact of this is severe; it compromises the security of tenant separation, RBAC, and authentication.

Fix

If you are using Hosted Mender, this issue has already been patched, and no action is needed from you.

Mender Enterprise on-prem customers can fix the issue by upgrading to the latest release on our supported 3.6 and 3.7 branches. Upgrade instructions are found in the email sent to your security contact on May 3rd, 2024, and are also available in our documentation (3.7, 3.6).

If you have any questions about upgrading, the vulnerability, or other aspects of Mender, feel free to reach out to our support.

Recommendations

In this case, the vulnerability required authenticated access to a privileged account (which can set up or manage SAML).  We'd like to take this opportunity to repeat some security recommendations that can help mitigate or prevent the abuse of vulnerabilities like this one:

  • If using passwords, ensure they are strong and unique, and enable two-factor authentication.
  • Limit access to only the people necessary and the level of access necessary. Especially admin-level operations, such as user management and integrations, should be limited to a small number of trusted administrators.
  • Ensure good routines for revoking access and removing user accounts when employees leave the company, or access is no longer needed.
  • Ensure Mender and other software are up-to-date with the latest releases so any known vulnerabilities are fixed as soon as possible.

Recent articles

The scope of EU Cyber Resilience Act (CRA) compliance

The scope of EU Cyber Resilience Act (CRA) compliance

Explore the scope of the EU Cyber Resilience Act (CRA). Learn about the CRA's scope, and why secure OTA updates are essential for compliance.
An overview of EU Cyber Resilience Act (CRA) compliance

An overview of EU Cyber Resilience Act (CRA) compliance

Learn how the EU Cyber Resilience Act (CRA) enforces stringent cybersecurity requirements for PDEs. Explore compliance essentials in part 1 of a 4-part series.
Challenges in complying with the EU Cyber Resilience Act (CRA)

Challenges in complying with the EU Cyber Resilience Act (CRA)

Discover how manufacturers can achieve Cyber Resilience Act (CRA) compliance by tackling secure updates, SBOM management, and vulnerability tracking with robust OTA solutions.
View more articles

Learn why leading companies choose Mender

Discover how Mender empowers both you and your customers with secure and reliable over-the-air updates for IoT devices. Focus on your product, and benefit from specialized OTA expertise and best practices.

 
sales-pipeline_295756365