CVE-2024-46948 - Missing filtering based on RBAC device groups

In Mender, you can use the role based access control (RBAC) system to limit what devices and actions different users have access to. The customer who reported the issue discovered that the /devauth/devices API did not respect this, and gave results, with some limited read-only information, for all devices in the organization

Impact

The security mechanism of filtering devices based on role and device groups could be bypassed using this vulnerability. For customers which split up their devices into groups and only give some roles / users access to some groups, this meant that those users would have access to more information than intended. It should be noted that the severity of this is quite limited, due to multiple factors:

• It only granted read access.
• It only exposed devices to authenticated users in the organization (not possible to see devices from other organizations).
• It only revealed limited, basic information: device status, MAC address, authentication sets with public keys and timestamps associated with the device.
• No secrets, passwords, credentials, private keys, or detailed inventory information.
• This only applied to customers which use device groups to limit access to devices and only to those users which had limited access.

Fix

Due to the complexity of implementing this filtering in this specific API / microservice, we have chosen to disable this API for those users which should only have access to some devices. Thus, the users which have limited access, because their role gives them access to a device group, are no longer able to use this API:

GET /api/management/v2/devauth/devices

However, they can still use query parameters to get the same data, for individual devices, like this:

GET /api/management/v2/devauth/devices?id=75a99891-f4b2-4d90-ae99-ea86c3d1184d

In that case, RBAC is respected, whether you have access to that device will be checked. (Same as before, this has not changed).

If you are using hosted Mender, this fix has already been deployed and you do not have to do anything. For customers running Mender on-prem, upgrading to version 3.6.5, 3.7.5, or later versions will resolve the issue.