Mender blog

CVE-2024-55959 - Insecure permissions on private key file generated by the Mender Client

A customer recently notified us of a security issue in Mender. In some setups, private key files generated on devices end up being readable by other users on the device because they are created with non-strict file permissions.

This is the announcement of a recently discovered security issue in the Mender Client. The affected versions are 4.0.0, 4.0.1, 4.0.2, 4.0.3, and 4.0.4. The issue has been fixed in Mender Client version 4.0.5; upgrading to the latest version of the Mender Client resolves it. We have no indication that this issue has been exploited, or that it was known outside of the company and the user who reported it. Thank you to Maximilian Riemensberger for discovering and responsibly disclosing this issue.

Description

On the affected versions, mender-auth creates the device private key file (/var/lib/mender/mender-agent.pem) with read permission enabled for group and other users on the device. The permissions are not tightened afterwards, so the file stays readable to those users indefinitely.

This does not apply to keys generated by Mender Client versions prior to 4.0.0, nor to key files placed there by users (for example for preauthorization), as long as the user or script placing the file there has ensured correct (strict) permissions.

Impact

If the private key file has the problematic permissions, other users and processes on the device which should not have access to the file can read it. An attacker who already has some way of running code on the device as one of those users could copy the key and use it to authenticate to the Mender Server as the device, allowing them to perform actions such as:

  • Download updates (Mender artifacts)
  • Update inventory information for the device

Detection

The issue was fixed in Mender Client version 4.0.5, so if you have already upgraded, no further action is needed. On a device, you can check your version of Mender with the following command:

$ mender-update --version

4.0.5

If you are on version 4.0.0, 4.0.1, 4.0.2, 4.0.3, or 4.0.4, you may be affected, depending on how the key file was generated.

Run the following command to check the permissions of the private key file:

$ ls -al /var/lib/mender/mender-agent.pem

-rw------- 1 root root 2455 Dec 18 15:51 /var/lib/mender/mender-agent.pem

In the output, -rw------- signifies that the user who owns the file (root) has read and write access, while no other users have access to it. If the output looks like that, the permissions are correct and the device is not affected by the issue. On the other hand, if you manually created the key file with less restrictive permissions, or if Mender created it automatically on one of the affected versions, the output can look like this:

$ ls -al /var/lib/mender/mender-agent.pem

-rw-r--r-- 1 root root 2455 Dec 18 15:51 /var/lib/mender/mender-agent.pem

Note the -rw-r--r-- part: the group and all other users on the device have read access to the file.

Remediation

We recommend upgrading to Mender Client version 4.0.5 (or later) to fix this issue. From that version on, private key files get strict permissions, and the client also tightens the permissions of pre-existing key files.

If you cannot upgrade, you can fix the issue manually by running a chmod command on each device:

$ chmod go-rwx /var/lib/mender/mender-agent.pem

After running the command, the key file should look like this:

$ ls -al /var/lib/mender/mender-agent.pem

-rw------- 1 root root 2455 Dec 18 15:51 /var/lib/mender/mender-agent.pem

Note: Fixing the permissions only prevents future reads. If you have reason to believe the key was already read or compromised, for example if you have untrusted users or processes running as another user on the device, we recommend taking the extra step of revoking the key and generating and approving a new one, which revokes the access of the old key. Please contact our support team if you need help with this process.
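The detection and remediation steps above can be combined into a single script that is easier to roll out across a fleet than running the commands by hand. The following POSIX shell script is an added example, not part of Mender's own tooling: it classifies the client version, inspects the permission bits of the key file without parsing ls output, and optionally applies the chmod fix. The MENDER_KEY_FILE variable and the function names are this example's own; the default path and version list are taken from the advisory.

```shell
#!/bin/sh
# Added example (not Mender's own tooling): audit and optionally fix the
# permissions of the Mender client private key file.
# MENDER_KEY_FILE is an assumption of this script so it can be pointed at a
# constructed file for testing; the default is the path from the advisory.

KEY_FILE="${MENDER_KEY_FILE:-/var/lib/mender/mender-agent.pem}"

# Return 0 if the given client version string is one of the affected
# releases (4.0.0 through 4.0.4), 1 otherwise. Older clients created keys
# with strict permissions; 4.0.5 and later contain the fix.
version_affected() {
    case "$1" in
        4.0.0|4.0.1|4.0.2|4.0.3|4.0.4) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the octal permission bits of a file (e.g. 644). GNU/BusyBox stat
# is tried first, then BSD stat. Returns non-zero if the file is missing.
key_mode() {
    f="$1"
    [ -f "$f" ] || return 1
    stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f"
}

# Return 0 if no group/other permission bits are set (600, 400, 700, ...),
# 1 if any group/other bit is set or the file does not exist.
key_is_private() {
    perm=$(key_mode "$1") || return 1
    # stat reports four digits when setuid/setgid/sticky is set; keep the
    # last three (owner, group, other).
    [ ${#perm} -eq 4 ] && perm=${perm#?}
    case "$perm" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Apply the advisory's remediation (chmod go-rwx) and re-check the result.
fix_key_perms() {
    f="$1"
    [ -f "$f" ] || { echo "no key file at $f" >&2; return 1; }
    chmod go-rwx "$f"
    key_is_private "$f"
}

# Audit this device. With action "fix" the permissions are corrected when
# they are found to be too open.
main() {
    action=$1
    ver=$(mender-update --version 2>/dev/null | head -n 1)
    [ -n "$ver" ] || ver=unknown
    echo "client version: $ver"
    if version_affected "$ver"; then
        echo "version is in the affected range, checking the key file"
    else
        echo "version is not in the affected range (manually placed keys are still worth checking)"
    fi
    [ -f "$KEY_FILE" ] || { echo "no key file at $KEY_FILE, nothing to check"; return 0; }
    if key_is_private "$KEY_FILE"; then
        echo "OK: $KEY_FILE (mode $(key_mode "$KEY_FILE")) is not readable by group/other"
        return 0
    fi
    echo "WARNING: $KEY_FILE mode $(key_mode "$KEY_FILE") allows group/other access"
    if [ "$action" = fix ]; then
        fix_key_perms "$KEY_FILE" && echo "fixed: mode is now $(key_mode "$KEY_FILE")"
    else
        return 1
    fi
}

# Only act when invoked with --check or --fix, so the functions above can
# also be sourced from other scripts.
case "${1:-}" in
    --check) main check ;;
    --fix)   main fix ;;
esac
```

Run `sh audit-mender-key.sh --check` on a device to get a non-zero exit status when the key file is readable by group or other, and `--fix` to apply the chmod as well. The script deliberately only tightens permissions; if the key may already have been read, the revoke-and-reissue step described above is still required.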

Contact

For help with upgrading or additional questions, please contact support at:

https://support.northern.tech
