Mender blog

CVE-2024-46948 - Missing filtering based on RBAC device groups

A customer recently notified us of a security issue in Mender. For customers relying on RBAC device groups to filter which devices each user can see, one particular API endpoint did not apply this filtering and revealed more information than intended.

In Mender, you can use the role based access control (RBAC) system to limit which devices and actions different users have access to. The customer who reported the issue discovered that the /devauth/devices management API endpoint did not respect this restriction and returned results, with limited read-only information, for every device in the organization.

Impact

The security mechanism of filtering devices by role and device group could be bypassed using this vulnerability. For customers that split their devices into groups and grant some roles / users access to only some of those groups, this meant that those users could read more information than intended. It should be noted that the severity is quite limited, for several reasons:

  • It only granted read access.
  • It only exposed devices to authenticated users within the same organization; devices belonging to other organizations were not visible.
  • It only revealed limited, basic information: device status, MAC address, and the authentication sets (public keys and timestamps) associated with the device.
  • It did not expose secrets, passwords, credentials, private keys, or detailed inventory information.
  • It only affected customers that use device groups to limit access to devices, and only those users whose roles already restricted them to some groups.

Fix

Due to the complexity of implementing this filtering in this specific API / microservice, we have chosen to disable the endpoint for users who should only have access to some devices. Users whose role restricts them to a device group are therefore no longer able to call the unfiltered list endpoint:

GET /api/management/v2/devauth/devices

However, they can still retrieve the same data for individual devices by passing the device ID as a query parameter:

GET /api/management/v2/devauth/devices?id=75a99891-f4b2-4d90-ae99-ea86c3d1184d

For this request, RBAC is enforced: the server checks whether the caller's role grants access to that specific device. This behavior is unchanged from before the fix.
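The following Python model is an added illustration, not Mender's own code, contrasting the pre-fix and post-fix behavior of the two requests above for a group-scoped role. The device records, group names, role scopes, the rule that a group-scoped role cannot see ungrouped devices, and the 403 denial response are all constructed assumptions made for this example.

```python
# Added example, not Mender's own code: a minimal model of the access check
# behind CVE-2024-46948.  Device records, group names, role scopes and the
# 403 denial response are constructed for illustration only.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    """The read-only fields the bug exposed; no secrets or private keys."""
    id: str
    group: Optional[str]           # inventory group, None means ungrouped
    status: str                    # accepted / pending / rejected
    mac: str
    auth_sets: Tuple[Tuple[str, str], ...] = ()   # (public key, timestamp) pairs


@dataclass(frozen=True)
class User:
    name: str
    device_groups: Optional[FrozenSet[str]] = None   # None: role is not group-restricted

    def is_group_scoped(self) -> bool:
        return self.device_groups is not None

    def can_see(self, device: Device) -> bool:
        # Assumption: a group-scoped role also cannot see ungrouped devices.
        return not self.is_group_scoped() or device.group in self.device_groups


# Constructed inventory: two groups plus one ungrouped device.
DEVICES = {
    "dev-prod-1": Device("dev-prod-1", "production", "accepted", "02:00:00:00:00:01",
                         (("ssh-rsa AAAA...prod1", "2024-09-01T10:00:00Z"),)),
    "dev-prod-2": Device("dev-prod-2", "production", "pending", "02:00:00:00:00:02"),
    "dev-stag-1": Device("dev-stag-1", "staging", "accepted", "02:00:00:00:00:03"),
    "dev-none-1": Device("dev-none-1", None, "rejected", "02:00:00:00:00:04"),
}
ADMIN = User("admin")                                          # unrestricted role
PROD_ONLY = User("prod-operator", frozenset({"production"}))  # group-scoped role

Response = Tuple[int, List[Device]]


def _lookup_by_id(user: User, devices: dict, device_id: str) -> Response:
    """GET /devauth/devices?id=<id>: unchanged by the fix, RBAC is enforced here."""
    dev = devices.get(device_id)
    # Same denial for missing and out-of-scope ids (a choice in this model),
    # so the endpoint does not confirm that a device outside the scope exists.
    if dev is None or not user.can_see(dev):
        return 403, []
    return 200, [dev]


def devauth_devices_before_fix(user: User, devices: dict,
                               device_id: Optional[str] = None) -> Response:
    """Vulnerable behaviour: the unfiltered list ignores the caller's device groups."""
    if device_id is not None:
        return _lookup_by_id(user, devices, device_id)
    return 200, list(devices.values())      # BUG: every device in the organization


def devauth_devices_after_fix(user: User, devices: dict,
                              device_id: Optional[str] = None) -> Response:
    """Fixed behaviour: group-scoped roles lose the unfiltered list entirely."""
    if device_id is not None:
        return _lookup_by_id(user, devices, device_id)
    if user.is_group_scoped():
        return 403, []                      # list endpoint disabled for this role
    return 200, list(devices.values())      # unrestricted roles still get everything


def leaked_device_ids(user: User, handler, devices: dict = DEVICES) -> set:
    """Ids returned by the unfiltered list that the user's role should not see."""
    status, body = handler(user, devices)
    return {d.id for d in body if status == 200 and not user.can_see(d)}


if __name__ == "__main__":
    print("before fix:", sorted(leaked_device_ids(PROD_ONLY, devauth_devices_before_fix)))
    print("after fix: ", sorted(leaked_device_ids(PROD_ONLY, devauth_devices_after_fix)))
```

The same two checks are what to verify against an upgraded on-prem server with a group-restricted user: the unfiltered GET must be denied for that user, and the per-device GET must succeed only for devices in the groups the role grants.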

If you are using hosted Mender, this fix has already been deployed and you do not have to do anything. For customers running Mender on-prem, upgrading to version 3.6.5 or 3.7.5, or any later release, resolves the issue.
