Mender blog

CVE-2024-46948 - Missing filtering based on RBAC device groups

A customer recently notified us of a security issue in Mender. For customers relying on RBAC and device groups to filter which devices each user sees, one particular API did not respect this, and would reveal more information than intended.

In Mender, you can use the role based access control (RBAC) system to limit what devices and actions different users have access to. The customer who reported the issue discovered that the /devauth/devices API did not respect this, and gave results, with some limited read-only information, for all devices in the organization

Impact

The security mechanism of filtering devices based on role and device groups could be bypassed using this vulnerability. For customers which split up their devices into groups and only give some roles / users access to some groups, this meant that those users would have access to more information than intended. It should be noted that the severity of this is quite limited, due to multiple factors:

  • It only granted read access.
  • It only exposed devices to authenticated users in the organization (not possible to see devices from other organizations).
  • It only revealed limited, basic information: device status, MAC address, authentication sets with public keys and timestamps associated with the device.
  • No secrets, passwords, credentials, private keys, or detailed inventory information.
  • This only applied to customers which use device groups to limit access to devices and only to those users which had limited access.

Fix

Due to the complexity of implementing this filtering in this specific API / microservice, we have chosen to disable this API for those users which should only have access to some devices. Thus, the users which have limited access, because their role gives them access to a device group, are no longer able to use this API:

GET /api/management/v2/devauth/devices

However, they can still use query parameters to get the same data, for individual devices, like this:

GET /api/management/v2/devauth/devices?id=75a99891-f4b2-4d90-ae99-ea86c3d1184d

In that case, RBAC is respected, whether you have access to that device will be checked. (Same as before, this has not changed).

If you are using hosted Mender, this fix has already been deployed and you do not have to do anything. For customers running Mender on-prem, upgrading to version 3.6.5, 3.7.5, or later versions will resolve the issue.

Recent articles

Mender versioning: New releases by component

Mender versioning: New releases by component

Explore Mender's shift to independent component releases and versioning, designed to enhance update speed and user clarity.
Driving secure innovation: ISO/SAE 21434 & UNECE compliance

Driving secure innovation: ISO/SAE 21434 & UNECE compliance

ISO/SAE 21434 and UNECE R155/R156 standards reshape cybersecurity in software-defined vehicles. Compliance with these frameworks is essential for protecting consumers, ensuring vehicle safety, and driving innovation in the automotive industry.
CVE-2024-46947 & CVE-2024-47190 - SSRF issues in Mender Enterprise Server

CVE-2024-46947 & CVE-2024-47190 - SSRF issues in Mender Enterprise Server

Recently discovered security vulnerabilities in Mender Server have been fixed.
View more articles

Learn why leading companies choose Mender

Discover how Mender empowers both you and your customers with secure and reliable over-the-air updates for IoT devices. Focus on your product, and benefit from specialized OTA expertise and best practices.

 
sales-pipeline_295756365