Series of flaws in MDM platform addressed in web console and Linux agent

SureMDM bug chain enabled wholesale compromise of managed devices such as smartphones, tablets

Vulnerabilities in SureMDM could have been chained to compromise every device running the popular mobile device management (MDM) platform within a targeted enterprise, security researchers have revealed.

The vendor, Indian tech firm 42 Gears, has patched the bugs, which led to remote code execution (RCE) via the web console, along with RCE, command injection, hardcoded password, local privilege escalation, and information disclosure flaws affecting the Linux agent.

The vulnerabilities affect both cloud and on-premise installations.

RECOMMENDED Xerox belatedly addresses web-based printer bricking threat

SureMDM is used to secure, monitor, and manage devices using enterprise resources. The vendor says its products have more than five successful deployments and lists Lufthansa, Sodexo, Toyota, DHL, and ArcelorMittal among its customers.

Malware threat

The RCE exploit in the SureMDM web console, which is shown in the video below, enabled unauthenticated attackers with no knowledge of target customers to seize control of Linux, macOS, and Android devices, as well as desktops and servers, and subsequently disable security tools and install malware on compromised devices.

“Once the attacker has sent the exploit to every customer account, they would simply need to wait for the first user to log into the SureMDM web console for the payload to be executed,” said Kev Breen, director of cyber threat research at Immersive Labs, in a blog post.

“Upon login, the web application would automatically start the infected jobs that would affect every managed device in the organization.”

Bug breakdown

The web console issues include a lack of default authentication between the agent running on the host and server that meant attackers could register fake devices and potentially intercept job requests containing sensitive data.

They could, if the mac address is known, also conceivably spoof a known device and send bad data to the server.

While this could be mitigated by enabling authentication for agents connecting to the server for first-time registration, said Breen, “an oversight in this setup meant that Linux and Mac devices or fake devices mimicking these operating systems could bypass this authentication step and register themselves regardless of these settings”.

The “bypass meant that even with enhanced password enrolment enabled, Linux and Mac devices were not enforced – so you could nullify this check by pretending to be a Linux device,” Breen told The Daily Swig.

Read more of the latest IoT security news

“This bypass has been patched so all devices must use the additional checks, however the default option (at the time of writing) was no password is required to onboard new hosts.”

Another, cross-site scripting (XSS) flaw arises because the web console failed to fully sanitize values received from agents before displaying them in the front end.

Asked about ease of exploitation, Breen said: “Prior to being patched, replication of the vulnerability on the Linux agent would require a familiarity with Java and access to the agent itself. The console exploits are significantly harder to exploit as they involve chaining several components.

“Secondly, the key component that allowed for the largest impact, the XSS in the web console, has been resolved – effectively mitigating the chain for all users.”

Patches and mitigations

Immersive Labs first contacted 42 Gears over the flaws on July 6, 2021. The lengthy disclosure process, which was complicated by the periodic discovery of additional vulnerabilities, culminated in the release of patches in November and January.

Immersive Labs published its findings on January 28. CVEs are still pending.

Breen has urged system administrators to ensure their agents are up to date, that agent authentication is enabled, and to “check what jobs are registered on the jobs page of the console and check any logs for jobs that look suspicious”.

DON’T FORGET TO READ Solarwinds fixes code execution bug in enterprise helpdesk software