We are writing to inform you of recently discovered issues related to the RBAC feature and device groups in the Mender Server. The issues were fixed in Mender Server 3.7.11 and 4.0.1 - earlier versions are affected. If you haven't already upgraded to the latest version, we recommend upgrading to Mender Server version 4.0.1 or later. (Mender Server 3.7.x is no longer supported). We have no indications of these issues being exploited or known outside of the company and the security researcher who reported it; Thank you to Raviraj for discovering and responsibly disclosing these weaknesses.
Description
If you are using the RBAC system and device groups to give different people access to different devices and groups, there were cases where the users would have access to more than intended. Specifically, depending on how it was set up, granting a user (role) access to some specific devices (through specific static device groups), could lead to them having more access than intended, through the API:
- Read information about other devices / groups they should not have access to.
- Deploy updates to more devices than the ones in the group(s) they were intended to have access to.
- Delete dynamic groups they were not granted access to.
These issues have been fixed in the latest, recently released versions of the Mender Server.
Impact
An attacker with access to a compromised user / session, would have access to more devices and actions than necessary and intended. In the worst case, they would gain access to deploying updates and deleting groups where that user should not have those permissions.
There are some factors to consider:
- To exploit this, an attacker would first have to compromise a user session within the organization.
- The issues are not exploitable from other tenants, nor unauthenticated requests.
- The victim user must be one which has access to some devices through device groups, but not all devices / groups.
- In the recommended setup, where you use cryptographically signed artifacts, an attacker would not have the option of deploying specially crafted malicious updates. The updates need to be in the system already / need to already be signed by the trusted key, so realistically, one could use this to deploy an older update, for example.
Detection
If you have already upgraded to Mender Server 3.7.11, 4.0.1, or later, you do not have to do anything. Additionally, if you are using hosted Mender, we've already patched this vulnerability for you. The Mender Server version can be found in the Mender UI, bottom left corner. (It is also mentioned at the top of your Helm chart, in the appVersion field).
Remediation
If you are on one of the affected versions, we recommend upgrading, following our upgrade instructions in the documentation:
https://docs.mender.io/server-installation/upgrading-from-previous-versions
Mitigation
Aside from upgrading, there are some general best practices which can help mitigate risks like these;
- Use cryptographically signed artifacts and configure your devices to verify their signatures.
- Reduce risk of account compromise by using strong authentication (SAML, SSO, and / or 2FA, combined with strong and unique passwords).
- Principle of least privilege - Limit the number of admins, use Read access or similar roles to grant read-only access to users who do not need more, etc.
Contact
For help with upgrading or additional questions, please contact support at:
support.northern.tech
