The issue was responsibly disclosed to the Northern.tech security team by an external security researcher (Muhammad Qasim Munir). We have no indications of this issue being used maliciously or being known outside of Northern.tech and the security researcher who reported it. During our internal investigation, we have concluded that it is not being used to attack any customers in our Hosted Mender SaaS offering. All our affected on-premise customers have been contacted ahead of this public announcement and had time to address the issue.
By integrating an external SAML service with a Mender tenant, an attacker could create duplicate users and use them to take over existing users in other tenants in a multi-tenant setup of Mender Enterprise.
An authenticated user with access to manage users in a third-party SAML service (or with access in Mender to set that up) could use a bug in the authentication code to take over any account in any tenant that logs in with username + password. (This includes users who log in with username + password + TOTP 2FA.) In a single-tenant scenario, this is not very problematic; someone with admin-level access already has many ways to cause damage within that tenant. In a multi-tenant setup, however, the impact is severe: it compromises the security of tenant separation, RBAC, and authentication.
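The failure mode the advisory describes, a SAML-provisioned identity being resolved to an existing password account in a different tenant, comes down to how the account lookup is keyed. The following is an added, constructed Go illustration of that class, not Mender's code and not derived from the actual fix: an in-memory multi-tenant user store with a weak lookup keyed by e-mail alone beside a hardened lookup keyed by (tenant, e-mail) that also refuses to auto-link a SAML assertion to a password account. All types, tenant names and addresses are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// AuthMethod records how an account proves its identity.
type AuthMethod int

const (
	AuthPassword AuthMethod = iota // username + password (with or without TOTP)
	AuthSAML                       // provisioned from an external SAML identity provider
)

// User is a constructed, minimal account record for this example.
type User struct {
	ID       string
	TenantID string
	Email    string
	Auth     AuthMethod
}

// Store is a constructed in-memory multi-tenant user store (hypothetical, not Mender's).
type Store struct {
	users map[string]*User
}

func NewStore() *Store { return &Store{users: map[string]*User{}} }

// ErrAuthMismatch is returned when a SAML assertion would be linked to an
// account that authenticates with a password; such links must be explicit.
var ErrAuthMismatch = errors.New("SAML identity cannot be auto-linked to a password account")

func (s *Store) create(tenant, email string, auth AuthMethod) *User {
	u := &User{ID: fmt.Sprintf("u%d", len(s.users)+1), TenantID: tenant, Email: email, Auth: auth}
	s.users[u.ID] = u
	return u
}

// CreatePasswordUser registers an ordinary username + password account.
func (s *Store) CreatePasswordUser(tenant, email string) *User {
	return s.create(tenant, email, AuthPassword)
}

// LoginSAMLUnscoped is the weak pattern: the e-mail from the SAML assertion is
// matched across every tenant, so an IdP controlled by tenant A can assert an
// address that belongs to a password user in tenant B and be logged in as it.
func (s *Store) LoginSAMLUnscoped(samlTenant, email string) (*User, error) {
	for _, u := range s.users {
		if u.Email == email {
			return u, nil // weak: neither tenant nor auth method is checked
		}
	}
	return s.create(samlTenant, email, AuthSAML), nil
}

// LoginSAMLScoped is the hardened pattern: the lookup key is (tenant, e-mail),
// so an assertion can only resolve to an account in the tenant that owns the
// SAML integration, and it never silently takes over a password account.
func (s *Store) LoginSAMLScoped(samlTenant, email string) (*User, error) {
	for _, u := range s.users {
		if u.TenantID != samlTenant || u.Email != email {
			continue // the same address in another tenant is a different identity
		}
		if u.Auth != AuthSAML {
			return nil, ErrAuthMismatch
		}
		return u, nil
	}
	return s.create(samlTenant, email, AuthSAML), nil
}

func main() {
	s := NewStore()
	victim := s.CreatePasswordUser("tenant-B", "alice@example.com")
	weak, _ := s.LoginSAMLUnscoped("tenant-A", "alice@example.com")
	fmt.Printf("unscoped: SAML login from tenant-A resolved to %s in %s (takeover: %v)\n",
		weak.ID, weak.TenantID, weak.ID == victim.ID)
	safe, _ := s.LoginSAMLScoped("tenant-A", "alice@example.com")
	fmt.Printf("scoped:   SAML login from tenant-A resolved to %s in %s (takeover: %v)\n",
		safe.ID, safe.TenantID, safe.ID == victim.ID)
	_, err := s.LoginSAMLScoped("tenant-B", "alice@example.com")
	fmt.Println("scoped:   SAML login for tenant-B's password user:", err)
}
```

The scoped variant is what a reviewer would check for in any just-in-time provisioning path: the tenant that owns the SAML integration must be part of the lookup key, and a mismatch in authentication method should fail closed rather than merge identities. An audit event on the ErrAuthMismatch branch is a cheap detection hook for the same pattern.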
If you are using Hosted Mender, this issue has already been patched, and no action is needed from you.
Mender Enterprise on-prem customers can fix the issue by upgrading to the latest release on our supported 3.6 and 3.7 branches. Upgrade instructions are found in the email sent to your security contact on May 3rd, 2024, and are also available in our documentation (3.7, 3.6).
If you have any questions about upgrading, the vulnerability, or other aspects of Mender, feel free to reach out to our support.
In this case, the vulnerability required authenticated access to a privileged account (which can set up or manage SAML). We'd like to take this opportunity to repeat some security recommendations that can help mitigate or prevent the abuse of vulnerabilities like this one: