Several vulnerabilities have been discovered in the SureMDM device management solution sold by 42 Gears, prompting the company to release a series of updates to address the issues.
Immersive labs published a detailed breakdown of the vulnerabilities – one of which is critical – affecting SureMDM’s Linux agent and web console. Kevin Breen, Director of Cyber Threat Research at Immersive Labs, said ZDNet which the company claims to have more than five million successful deployments worldwide and 18,000 customers.
It’s unclear how many are using the products affected by the issues they discovered, but Breen said anyone using the Linux version listed in the post is vulnerable to the vulnerabilities. Anyone using the web console was also vulnerable until December.
“The most concerning set of vulnerabilities were those affecting the Web Console. These vulnerabilities could have allowed an attacker to obtain code execution on individual devices, desktops, or servers using the array By chaining vulnerabilities affecting the web console, an attacker could disable security tools and install malware or other malicious code on every Linux, macOS, or Android device that has SureMDM installed. attacker does not need to know customer details to do this or even have an account on SureMDM,” Breen explained.
“Once the attacker sends the exploit to each client account, all they need to do is wait for the first user to log into the SureMDM web console for the payload to be executed. Upon login, the application Web automatically starts infected jobs that would affect all managed devices in the organization.”
Breen added that the second set of vulnerabilities affecting hosts running the Linux Agent for SureMDM would have allowed attackers to obtain remote code execution on hosts as the root user. The issue “could also be exploited with local access to affected hosts to elevate privileges from the standard user to the root user,” Breen noted.
42 Gears released updates in November and January after working with Immersive Labs on the issue since July 2021. Immersive Labs noted that the company released multiple updates throughout the summer before finally addressing the issues. vulnerabilities she found.
Casey Bisson, product growth manager at BluBracket, said the vulnerabilities are a big deal because individually they are all problematic, but collectively they pose a serious risk to users.
“Additionally, the workflow that led to the creation of a team and the delivery of an application with so many vulnerabilities is particularly concerning, although we do not yet know the extent of the impact of these vulnerabilities. Vulnerabilities like these are the unfortunate byproduct of how quickly software is developed and shipped,” Bisson said.
“It’s easy to criticize each of them as obvious or easy to avoid with good engineering, but the reality is that many of these types of vulnerabilities are quite common. Organizations have no idea of the risks they have in their code because they do not analyze There is a systemic breakdown of processes and the application of key technologies that allow these vulnerabilities to come to market.
Vulcan Cyber engineer Mike Parkin noted that the series of issues discovered highlights the fact that vulnerabilities are often found in clusters rather than as a stand-alone issue.
The fact that researchers found new issues while the developer fixed reported ones is something threat actors are also doing, Parkin said.
“The timeline is notable for the back and forth between the research team and the vendor, the time it took to put patches in place, and how new vulnerabilities emerged during the process,” said Parking at ZDNet.
Bugcrowd founder Casey Ellis took a more positive view of the situation, noting the timeline provided by Immersive Labs.
The timeline and associated narrative demonstrate 42 Gears’ openness to respond to external safety feedback as well as Immersive Labs’ highly organized and professional conduct to ensure that their research – and subsequent protection of 42 Gears users – was as complete and conducted. in the safest way possible,” Ellis explained.
“42 Gears is used enough to get the attention of Immersive Labs, which is the most relevant data point here. These vulnerabilities seem to have a pretty big impact, but what strikes me about these issues is the degree of cooperation and collaboration in the timeline,” Ellis said.
“Ideally, software would be perfect, but we know that’s not always the case. After all, humans are responsible for writing it.”