Mender blog

CVE-2024-46947 & CVE-2024-47190 - SSRF issues in Mender Enterprise Server

We recently discovered some potential security issues in Mender. Some APIs and integrations allow users to enter URLs of third party servers, and these lacked strict validation before the Mender Server makes requests to those servers.

There is no indication that these issues have been exploited or known outside of the Northern.tech team, and we have not found any effective ways these issues could be exploited (see explanation below), but still choose to be transparent about the security issues we've discovered and fixed. These issues have already been fixed for customers of hosted Mender. On-premise customers have already been notified and need to upgrade to version 3.7.7 or later versions to fix the issues.

CVE-2024-46947 - SSRF issues in Mender LTS (on-prem)

The REST APIs for SAML and OIDC, require the backend to make HTTP requests based on the user input. These APIs would cause the backend to follow redirects and make HTTP requests based on the user supplied data, without implementing proper protections. This could allow a malicious user to make internal API GET requests inside the Mender backend, which they are not supposed to.

Impact

In order to leverage this vulnerability, an attacker would need authenticated access to an admin level account, which has access to change SSO settings. If you use a Mender on-prem in a single-tenant setup, with a minimal number of administrators, there is limited concern here, as an attacker with access to an admin account would have access to a lot of damaging operations anyway. However, in a  multi-tenant setup (such as hosted Mender), it’s possible to gain admin level access in one tenant (organization), and attempt to use that to affect other tenants / organizations. Note that while it was possible to get the backend to make HTTP requests, we are not aware of any effective ways to exploit this, because:

  • The backend would only send an HTTP GET request.
  • There is no obvious way to get the response back for this GET request made by the backend.
  • There is no obvious API to target, GET APIs are, by design, for getting information, not for making changes.

Detection

To see if this issue has been exploited, simply open up the SSO configuration in the UI, and verify that the URLs are correct. In a multi-tenant environment, you can run the following mongosh script to dump all SSO configuration:

db.getSiblingDB("useradm").sso.
  find({}, {tenant_id: 1, idp_raw_xml: 1}).
  forEach(doc =>
    {doc.idp_raw_xml
     && print(`${doc.tenant_id} SSO config XML:\n${doc.idp_raw_xml}\n`)
  })

Fix

If you are using hosted Mender, this issue has already been fixed and you do not have to take any action. For customers running Mender Enterprise on-prem, the issue was fixed in 3.6.6 and 3.7.7. Upgrading to these versions, or later versions, will resolve the issue.

CVE-2024-47190 - SSRF issues in hosted Mender

Similar to the other issue, we also discovered some SSRF issues specific to hosted Mender. These issues have been fixed, and as a hosted Mender user, you do not need to take any action.

Impact

An admin user with access to change SAML / OIDC settings, could affect what HTTP requests the Mender backend would make, without restricting it to the intended purpose, which was fetching SAML OIDC identity provider metadata from a URL. The most obvious way to try to exploit this is to target internal API endpoints, hoping to access / affect other tenants. However, we are not aware of any effective ways of exploiting this, for the same reasons as the CVE above (GET request only, no way to get response, no GET API to target for making changes).

Detection

We have verified in the database that this issue was not being exploited in hosted Mender prior to being fixed.

Fix

We have fixed the issue in hosted Mender and you do not have to take any action. This issue was specific to hosted Mender, not present in Mender LTS (on-prem).

Contact

If you have any questions or need assistance, don’t hesitate to contact support:

https://support.northern.tech

If you believe you have discovered a security issue in one of our products, see our security.txt file for information about how to responsibly disclose security vulnerabilities:

https://northern.tech/security.txt

Recent articles

An Overview of EU Cyber Resilience Act (CRA) Compliance

An Overview of EU Cyber Resilience Act (CRA) Compliance

Learn how the EU Cyber Resilience Act (CRA) enforces stringent cybersecurity requirements for PDEs. Explore compliance essentials in part 1 of 4
The Scope of EU Cyber Resilience Act (CRA) Compliance

The Scope of EU Cyber Resilience Act (CRA) Compliance

Explore the scope of the EU Cyber Resilience Act (CRA). Learn about the CRA's scope, and why secure OTA updates are essential for compliance.
Mender versioning: New releases by component

Mender versioning: New releases by component

Explore Mender's shift to independent component releases and versioning, designed to enhance update speed and user clarity.
View more articles

Learn why leading companies choose Mender

Discover how Mender empowers both you and your customers with secure and reliable over-the-air updates for IoT devices. Focus on your product, and benefit from specialized OTA expertise and best practices.

 
sales-pipeline_295756365