CVE-2025-67903 - Signature verification bypass in Mender Client
We have recently fixed an issue with signature verification in Mender Client version 5.0.0 to 5.0.3. (Earlier unsupported versions, like Client version 4, are also assumed to be affected). There are no indications of this issue being exploited or known outside of our company and the person who responsibly disclosed this. Thank you to Lukas Collishaw for finding and responsibly disclosing this issue via HackerOne.
Description
Cryptographically signed artifacts provide an additional layer of security: even if an attacker is able to modify or deploy new (malicious) artifacts, the Mender Client will not install them unless they are signed by the right cryptographic key. A bug in the signature verification code could allow an attacker to add additional files / information to a Mender Artifact without causing the signature verification on the Client to fail. If a malicious file is included in the artifact payload without being listed with a checksum in the update manifest, that file bypasses both the signature and the checksum verification. If the update module then writes that file to the filesystem and/or runs the file / script / executable, the malicious update could effectively take over the whole device. We found that none of our 3 default update modules (single file, directory, rootfs) could be exploited, and we also found that the Mender Server would reject these malformed updates. This means that in order to be vulnerable, you'd need to be running a combination of a custom update module which would install / run the additional files, and a custom update server / delivery mechanism that does not check the updates using mender-artifact as we do in the Mender Server.
Impact
On its own, this vulnerability cannot be used to deploy malicious updates to a Mender device. A few things would be needed:
- A way of delivering the update, either via Mender Client in standalone mode or a custom system delivering update artifacts. In our testing, the Mender Server rejected these artifacts and thus could not be used to exploit this vulnerability.
- An already signed artifact to maliciously modify.
- A device running one of the vulnerable versions of the Mender Client.
- An update module which would do something with the unexpected / malicious files. In our testing, we concluded none of the default update modules are vulnerable.
In such a scenario, an attacker with knowledge of this vulnerability could craft and deploy malicious updates. The Mender Client would attempt to verify the signature according to its configuration, but would, crucially, skip verifying some malicious parts added by the attacker.
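To make the verification gap in the Description concrete from a defender's point of view, the following is an added example in Go; it is not Mender's or mender-artifact's own code, and the artifact structure it uses (a manifest of file names and SHA-256 checksums, an Ed25519 signature over that manifest, and a set of payload files) is a constructed, simplified model rather than the real Mender Artifact format. `VerifyListedOnly` checks the signature and every checksum the manifest lists but never asks whether the payload contains files the manifest does not mention, which is the behaviour the advisory describes; `VerifyStrict` adds the check that rejects any payload file not covered by the signed manifest, which is the kind of consistency check a delivery mechanism or client should perform before handing files to an update module.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Artifact is a constructed, simplified stand-in for a signed update artifact.
// It is NOT the real Mender Artifact format; it only models the three parts
// the advisory talks about: a manifest of payload files with checksums, a
// signature over that manifest, and the payload files themselves.
type Artifact struct {
	Manifest  map[string]string // payload file name -> hex SHA-256
	Signature []byte            // Ed25519 signature over canonicalManifest(Manifest)
	Payload   map[string][]byte // payload file name -> contents
}

// canonicalManifest serialises the manifest deterministically so that signer
// and verifier hash exactly the same bytes ("<sha256>  <name>\n", sorted by name).
func canonicalManifest(m map[string]string) []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s  %s\n", m[n], n)
	}
	return []byte(b.String())
}

func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// NewSigner generates a fresh Ed25519 key pair standing in for the signing key
// the device is configured to trust.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildArtifact lists every payload file in the manifest with its checksum and
// signs the manifest (the honest producer side).
func BuildArtifact(priv ed25519.PrivateKey, payload map[string][]byte) Artifact {
	manifest := make(map[string]string, len(payload))
	for name, data := range payload {
		manifest[name] = sha256Hex(data)
	}
	return Artifact{Manifest: manifest, Signature: ed25519.Sign(priv, canonicalManifest(manifest)), Payload: payload}
}

// VerifyListedOnly models the gap: the signature is checked and every file the
// manifest lists is checksummed, but a payload file that the manifest does not
// mention is never looked at, so it is neither signed nor checksummed.
func VerifyListedOnly(pub ed25519.PublicKey, a Artifact) error {
	if !ed25519.Verify(pub, canonicalManifest(a.Manifest), a.Signature) {
		return errors.New("manifest signature invalid")
	}
	for name, want := range a.Manifest {
		data, ok := a.Payload[name]
		if !ok {
			return fmt.Errorf("manifest lists %q but payload lacks it", name)
		}
		if sha256Hex(data) != want {
			return fmt.Errorf("checksum mismatch for %q", name)
		}
	}
	return nil
}

// VerifyStrict is the corrected behaviour: in addition to the checks above,
// every payload file must be covered by the signed manifest, so nothing reaches
// the update module unverified.
func VerifyStrict(pub ed25519.PublicKey, a Artifact) error {
	if err := VerifyListedOnly(pub, a); err != nil {
		return err
	}
	for name := range a.Payload {
		if _, listed := a.Manifest[name]; !listed {
			return fmt.Errorf("payload file %q is not covered by the signed manifest", name)
		}
	}
	return nil
}

// AddUnlistedFile returns a copy of the artifact with one extra payload file
// that the (still validly signed) manifest does not list.
func AddUnlistedFile(a Artifact, name string, data []byte) Artifact {
	payload := make(map[string][]byte, len(a.Payload)+1)
	for k, v := range a.Payload {
		payload[k] = v
	}
	payload[name] = data
	return Artifact{Manifest: a.Manifest, Signature: a.Signature, Payload: payload}
}

func main() {
	pub, priv := NewSigner()
	// Constructed sample payload standing in for a real update image.
	good := BuildArtifact(priv, map[string][]byte{"rootfs.img": []byte("constructed rootfs image bytes")})
	fmt.Println("genuine artifact, listed-only check:", VerifyListedOnly(pub, good))
	fmt.Println("genuine artifact, strict check:     ", VerifyStrict(pub, good))
	extra := AddUnlistedFile(good, "extra.sh", []byte("constructed unlisted payload file"))
	fmt.Println("unlisted extra file, listed-only check:", VerifyListedOnly(pub, extra)) // nil: not noticed
	fmt.Println("unlisted extra file, strict check:     ", VerifyStrict(pub, extra))     // error: rejected
}
```

Running `main` shows the genuine artifact passing both checks, while the artifact with an unlisted extra file passes `VerifyListedOnly` (the signature over the manifest is still perfectly valid, so nothing in that function has any reason to fail) and is rejected only by `VerifyStrict`. The design point is that a signature over a manifest only protects what the manifest enumerates; a verifier must also treat "payload file with no manifest entry" as a hard failure, and a delivery pipeline that validates artifacts before distribution, as the advisory says the Mender Server does, provides a second place to catch it.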
Remediation
If you are on one of the affected versions (Mender Client 5.0.0 - 5.0.3), we recommend upgrading. Upgrading to Mender Client 5.0.4, 6.0.0, or later versions will fix the issue. See our documentation for information about how to upgrade:
https://docs.mender.io/client-installation/install-with-debian-package/upgrading
Contact
For help with upgrading or additional questions, please contact support at: