CVE-2024-46948 - Missing filtering based on RBAC device groups
In Mender, you can use the role based access control (RBAC) system to limit what devices and actions different users have access to. The customer who reported the issue discovered that the /devauth/devices API did not respect this, and gave results, with some limited read-only information, for all devices in the organization
Impact
The security mechanism of filtering devices based on role and device groups could be bypassed using this vulnerability. For customers which split up their devices into groups and only give some roles / users access to some groups, this meant that those users would have access to more information than intended. It should be noted that the severity of this is quite limited, due to multiple factors:
- It only granted read access.
- It only exposed devices to authenticated users in the organization (not possible to see devices from other organizations).
- It only revealed limited, basic information: device status, MAC address, authentication sets with public keys and timestamps associated with the device.
- No secrets, passwords, credentials, private keys, or detailed inventory information.
- This only applied to customers which use device groups to limit access to devices and only to those users which had limited access.
Fix
Due to the complexity of implementing this filtering in this specific API / microservice, we have chosen to disable this API for those users which should only have access to some devices. Thus, the users which have limited access, because their role gives them access to a device group, are no longer able to use this API:
GET /api/management/v2/devauth/devices
However, they can still use query parameters to get the same data, for individual devices, like this:
GET /api/management/v2/devauth/devices?id=75a99891-f4b2-4d90-ae99-ea86c3d1184d
In that case, RBAC is respected, whether you have access to that device will be checked. (Same as before, this has not changed).
If you are using hosted Mender, this fix has already been deployed and you do not have to do anything. For customers running Mender on-prem, upgrading to version 3.6.5, 3.7.5, or later versions will resolve the issue.
Recent articles
Mender versioning: New releases by component
Driving secure innovation: ISO/SAE 21434 & UNECE compliance
CVE-2024-46947 & CVE-2024-47190 - SSRF issues in Mender Enterprise Server
Learn why leading companies choose Mender
Discover how Mender empowers both you and your customers with secure and reliable over-the-air updates for IoT devices. Focus on your product, and benefit from specialized OTA expertise and best practices.