
SureMDM bug chain enabled wholesale compromise of managed devices

Vulnerabilities in SureMDM could have been chained to compromise every device running the popular mobile device management (MDM) platform within a targeted enterprise, security researchers have revealed.

The vendor, Indian tech firm 42 Gears, has patched the bugs, which led to remote code execution (RCE) via the web console, along with RCE, command injection, hardcoded password, local privilege escalation, and information disclosure flaws affecting the Linux agent.

The vulnerabilities affect both cloud and on-premise installations.

SureMDM is used to secure, monitor, and manage devices using enterprise resources. The vendor says its products have more than five successful deployments and lists Lufthansa, Sodexo, Toyota, DHL, and ArcelorMittal among its customers.

Malware threat

The RCE exploit in the SureMDM web console, which is shown in the video below, enabled unauthenticated attackers with no knowledge of target customers to seize control of Linux, macOS, and Android devices, as well as desktops and servers, and subsequently disable security tools and install malware on compromised devices.

“Once the attacker has sent the exploit to every customer account, they would simply need to wait for the first user to log into the SureMDM web console for the payload to be executed,” said Kev Breen, director of cyber threat research at Immersive Labs, in a blog post.

“Upon login, the web application would automatically start the infected jobs that would affect every managed device in the organization.”

Bug breakdown

The web console issues include a lack of default authentication between the agent running on the host and the server, which meant attackers could register fake devices and potentially intercept job requests containing sensitive data.

They could also, if the MAC address is known, conceivably spoof a known device and send bad data to the server.

While this could be mitigated by enabling authentication for agents connecting to the server for first-time registration, said Breen, “an oversight in this setup meant that Linux and Mac devices or fake devices mimicking these operating systems could bypass this authentication step and register themselves regardless of these settings”.

The “bypass meant that even with enhanced password enrolment enabled, Linux and Mac devices were not enforced – so you could nullify this check by pretending to be a Linux device,” Breen told The Daily Swig.

“This bypass has been patched so all devices must use the additional checks, however the default option (at the time of writing) was no password is required to onboard new hosts.”

Another flaw, a cross-site scripting (XSS) issue, arises because the web console failed to fully sanitize values received from agents before displaying them in the front end.
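The two console weaknesses described above (the enrollment-password check that agents could skip by reporting a Linux or Mac OS, and agent-supplied strings rendered unescaped) modelled in an added example; this is illustrative code written for this article, not SureMDM's own implementation, and every function name, setting and sample value is a constructed assumption.

```python
import html

# Constructed console settings. The article notes the product default was
# "no password required" for onboarding; this model turns the check on.
CONSOLE_SETTINGS = {
    "require_enrollment_password": True,
    "enrollment_password": "correct-horse-battery",  # constructed value
}


def _password_ok(request, settings):
    return request.get("enrollment_password") == settings["enrollment_password"]


def enroll_vulnerable(request, settings):
    """Models the reported oversight: the password check is applied only to
    agents that do NOT claim to be Linux or Mac, so any request that merely
    reports os="Linux" is enrolled without the password."""
    if settings["require_enrollment_password"] and request["os"] not in ("Linux", "Mac"):
        if not _password_ok(request, settings):
            return "rejected"
    return "enrolled"


def enroll_fixed(request, settings):
    """Enforce the enrollment password uniformly, whatever OS the agent reports."""
    if settings["require_enrollment_password"] and not _password_ok(request, settings):
        return "rejected"
    return "enrolled"


def render_device_row(device_name):
    """Escape agent-controlled strings before they reach console HTML, so a
    registered (or spoofed) device cannot inject markup into the front end."""
    return f"<tr><td>{html.escape(device_name, quote=True)}</td></tr>"


# Constructed spoofed-agent request: claims to be Linux, supplies no password,
# and carries markup in its device name.
SPOOFED_REQUEST = {
    "mac": "00:11:22:33:44:55",
    "os": "Linux",
    "device_name": "lab-host<script>alert(1)</script>",
    "enrollment_password": None,
}

if __name__ == "__main__":
    print("vulnerable:", enroll_vulnerable(SPOOFED_REQUEST, CONSOLE_SETTINGS))
    print("fixed:     ", enroll_fixed(SPOOFED_REQUEST, CONSOLE_SETTINGS))
    print(render_device_row(SPOOFED_REQUEST["device_name"]))
```

The same hardening applies on the operational side: with authentication enabled and the check enforced for every OS, a fake device cannot enroll, and escaping at render time removes the XSS step the attack chain depended on.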

Asked about ease of exploitation, Breen said: “Prior to being patched, replication of the vulnerability on the Linux agent would require a familiarity with Java and access to the agent itself. The console exploits are significantly harder to exploit as they involve chaining several components.

“Secondly, the key component that allowed for the largest impact, the XSS in the web console, has been resolved – effectively mitigating the chain for all users.”


Patches and mitigations

Immersive Labs first contacted 42 Gears over the flaws on July 6, 2021. The lengthy disclosure process, which was complicated by the periodic discovery of additional vulnerabilities, culminated in the release of patches in November and January.

Immersive Labs published its findings on January 28. CVEs are still pending.

Breen has urged system administrators to ensure their agents are up to date, that agent authentication is enabled, and to “check what jobs are registered on the jobs page of the console and check any logs for jobs that look suspicious”.

Source: https://portswigger.net/daily-swig/suremdm-bug-chain-enabled-wholesale-compromise-of-managed-devices
