Researchers at Immersive Labs have disclosed a number of vulnerabilities in 42 Gears’ SureMDM device management solution. When combined, these could allow attackers to perform a supply chain compromise against any organization using the platform.
Overview
SureMDM is the primary device management solution sold by 42 Gears, an Indian tech company that creates device management solutions for everything from servers and laptops to mobile phones and VR headsets. The company features a number of high-profile customers on its website, although it is unclear which product they are using.
Between November 2021 and January 2022, 42 Gears released a series of updates to their SureMDM product line closing a number of vulnerabilities that were responsibly disclosed by our research team. At least one of these is critical.
The vulnerabilities found in SureMDM can be split into two ‘sets’ – some affect the platform’s Linux agent, and others the web console.
Web Console
The more concerning set of vulnerabilities was the one affecting the web console. These vulnerabilities could have allowed an attacker to gain code execution over individual devices, desktops or servers using the SureMDM web dashboard.
By chaining the vulnerabilities affecting the web console together, an attacker could disable security tools and install malware or other malicious code onto every Linux, macOS or Android device with SureMDM installed. An attacker does not need to know customer details to achieve this or even have an account on SureMDM.
Once the attacker has sent the exploit to every customer account, they would simply need to wait for the first user to log into the SureMDM web console for the payload to be executed. Upon login, the web application would automatically start the infected jobs that would affect every managed device in the organization.
Linux Agent
The second set of vulnerabilities affecting hosts running the Linux Agent for SureMDM would allow attackers to gain remote code execution on those hosts as the root user. This vulnerability could also be exploited with local access to the affected hosts in order to escalate privileges from standard to root user.
Disclosure process
After our initial disclosure, there was a period of time where changes were made by the development team and confirmed by us. As additional vulnerabilities were found and reported, the amount of time from initial discovery to public disclosure grew; some patches were issued in November and others in January.
As there was some crossover between vulnerabilities in the Linux Agent and the web console, we chose to delay releasing all the details. This helped us to keep the balance of responsible disclosure between assisting the vendor and sharing information with the wider Infosec community.
CVEs have been requested from MITRE, which has confirmed receipt.
https://youtu.be/0JrURIq-PXA
Kev Breen
Director of Cyber Threat Research,
Immersive Labs
Technical brief: SureMDM Web Console Findings
SureMDM Agent Spoofing
As no authentication is required between the agent running on the host and the server, it is possible to register fake devices or, if the MAC address is known, to spoof a known device and send bad data to the server.
This method also makes it possible to intercept job requests that may contain sensitive data by registering a fake device and listening for all jobs that are broadcast to groups of hosts.
Mitigation
It is possible to set up an additional authentication requirement for agents connecting to the server for first-time registration. Although this feature also has a patched vulnerability (as described below), it only applies to device registration and does not prevent spoofed data from being sent to the server if the Device ID can be calculated.
SureMDM Agent Auth Bypass
To prevent the spoofing described above, an authentication method can be turned on that should force all devices registering with the server to provide matching credentials. An oversight in this setup meant that Linux and Mac devices, or fake devices mimicking these operating systems, could bypass this authentication step and register themselves regardless of these settings.
Mitigation
In the latest server patches released by 42 Gears, this option has been patched. However, it is important to note that this is not a default setting and customers will have to manually enable this feature in their own consoles.
SureMDM Dashboard XSS
The SureMDM web-based console did not fully sanitize the values being sent by the agents before displaying them in the front end. This means that if an attacker can control the value in these fields, it would be possible for them to inject JavaScript code that would be executed whenever the main page of the console was loaded or refreshed. No additional interaction is required from the users other than logging into their dashboard console.
Mitigation
This has already been mitigated by the 42 Gears team for the cloud-based product. If you run a self-hosted server, contact 42 Gears for any relevant patches.
SureMDM Agent RCE
By combining three of these vulnerabilities and some additional features of the agent, it would be possible for an attacker to gain remote code execution on every device that is currently managed by SureMDM across all customer accounts.
The attacks are formed of several stages (detailed below) and can be achieved without any knowledge of specific customers, authentication or existing access to SureMDM.
- Query the SureMDM API for a list of all customer portal URLs
- For each customer ID and URL:
  - Send a fake host registration request to the API
  - Send an update to the fake host injecting the XSS and JavaScript code that will create a new job for each target operating system
- Wait for each customer to log in to their console.
Jobs can range from simple tasks, like running Bash or PowerShell scripts, to more complex examples that could stop services like AV and then download and execute binary files like Cobalt Strike or ransomware.
There are several steps, but all these steps can be automated and can achieve code execution within seconds of an organization logging into their SureMDM account or refreshing the page, as can be seen in the video clip below.
Mitigation
Ensure that your agents are fully up to date. If you use an on-prem server, ensure the latest updates have been applied and that the Agent Authentication has been enabled. If you use the SureMDM cloud-based console, ensure your agents are up to date and you have enabled the extra authentication for agent registration. Check what jobs are registered on the jobs page of the console and check any logs for jobs that look suspicious.
Technical brief: Linux Agent Findings
SureMDM Linux Agent Command Injection Vulnerability
Users with physical access to a Linux Desktop that has the SureMDM agent installed can use a hidden key sequence to launch the SureLock application as the root user. This application is vulnerable to command injection that can be used to gain local privilege escalation as root.
Mitigations
This vulnerability affects all versions of the Linux Agent up to and including 3.0.5. Upgrading to the latest version will resolve the issue. If you are not able to upgrade, removing the surelock.jar file from the host can mitigate the vulnerability.
SureMDM Linux Agent Remote Code Execution
On Linux servers or desktops that have SureMDM agent version 3.0.4 or 3.0.5, it is possible for an attacker with access to the local network to gain Remote Code Execution on the target servers. If the target host is listening on an IPv6 address, a specially constructed packet can be sent to a port that will execute commands as the root user.
Mitigation
This vulnerability affects versions 3.0.4 and 3.0.5 of the Linux agent. Updating to the latest version resolves this issue. If you are unable to update, disabling IPv6 on affected servers is an effective mitigation.
SureMDM Linux Agent Default Root Credentials
In some situations, on Linux-like operating systems, it is possible for the root password to be set to a hardcoded value if the password has been disabled or set to a null value. The action to check and set this default password can be triggered remotely over the local network.
Mitigation
If you are using an operating system that supports the `-N` flag in `passwd`, then check if the root passwords are correctly set and update the agent to the latest version.
SureMDM Linux Agent Local Privilege Escalation
When disabling the SureLock component, a set of `chmod 777` commands are executed on the host system. These changes are over-permissive and will set several key system files like `env` to be 777. This could allow a malicious user or attacker with existing local access to gain root privileges by manipulating one or more of these files.
Mitigation
Updating to the latest agent version will prevent the vulnerability from being triggered but will not revert any changes to existing file permissions. We recommend admins manually check the permissions for the `env` binary and take any action as appropriate.
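One way to run the permission check recommended above, as an added example that is not code from Immersive Labs or 42 Gears: it lists regular files with the world-writable bit set, which is the state a `chmod 777` leaves behind. The function names and the paths given on the command line are assumptions; the page names only `env`.

```shell
#!/bin/sh
# Added example (not vendor code): find files left world-writable by a
# stray `chmod 777`. Function names here are hypothetical.

# is_world_writable PATH
# Exit 0 if PATH has the "other write" bit set. -H makes find follow a
# symlink given as the start point, so the target's mode is what is tested.
is_world_writable() {
    [ -n "$(find -H "$1" -prune -perm -0002 2>/dev/null)" ]
}

# audit_world_writable PATH...
# Print every world-writable regular file that is one of the given paths or
# sits directly inside a given directory. Returns 1 if anything was found.
audit_world_writable() {
    rc=0
    for target in "$@"; do
        [ -e "$target" ] || continue
        hits=$(find -H "$target" -maxdepth 1 -type f -perm -0002 2>/dev/null)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            rc=1
        fi
    done
    return "$rc"
}

# Run only when paths are supplied, e.g.:
#   sh audit.sh "$(command -v env)" /usr/bin /usr/sbin
if [ "$#" -gt 0 ]; then
    audit_world_writable "$@"
fi
```

Any path it prints should be compared against the permissions recorded by the distribution's package manager before being corrected.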
SureMDM Linux Sensitive Information Disclosure
If a local user is able to monitor local processes or localhost network connections, for example using a tool like pspy, it is possible to intercept credentials for accounts with sudo or root privileges when activating SureLock.
Timeline
This timeline represents the major communication points between Immersive Labs (IML) and 42 Gears. Additional emails asking for status updates and feedback were also sent during this period but are not recorded here for brevity.
6 July: IML Email to 42 Gears asking for contact details to report vulnerabilities
6 July: 42 Gears’ support team ask for access to our SureMDM Console
6 July: IML explain this is a vulnerability in the agent application
8 July: IML send details on the Local Privilege Escalation
12 July: 42 Gears confirm the vulnerability is present
12 July: IML report additional security related concerns found in the agent. Hard coded root credentials, chmod 777 of system files and other hard coded credentials.
26 – 28 July: Takes a few emails to clarify the additional security concerns around chmod 777 of system files leading to privilege escalation.
5 August: IML request update and offer to help test updates
22 August: IML request update
7 September: 42 Gears release a new public version 3.0.4 (No mention of security issues in changelog)
10 September: IML informs 42 Gears the patch has not fixed any of the issues. It has also added 2 additional information disclosures where the credentials are being disclosed
28 September: 42 Gears release a new public version 3.0.5 (No mention of security issues in changelog)
2 October: IML informs 42 Gears this patch still does not fully resolve any of the reported issues.
2 October: IML informs 42 Gears there is now a Remote Code Exec vulnerability that has been introduced by the latest patch
4 October: IML asked to share findings with another team at 42 Gears
5 October: 42 Gears confirm RCE is valid and ask for a conference call to be set up
6 October: Sync call with IML and 42 Gears
42 Gears asked for 1 month to fully resolve all issues and then additional time to work with On Prem customers to update their solutions. IML agree not to publish until we are happy that issues are resolved.
4 November: IML ask for update and report an unauthenticated Stored XSS in the management console affecting every customer. This is due to no auth or validation between Agent and Server
5 November: 42 Gears confirm the XSS and acknowledge default is no authentication. There is a “require password” setting for enrolment that can be enabled by customers to limit this
5 November: IML inform 42 Gears this “required password” feature is bypassed for Linux and Mac agents.
8 November: 42 Gears share private release 3.1.3
9 November: IML informs 42 Gears that all except the chmod 777 issue is resolved in this release
15 November: 42 Gears shares private release 3.1.8 and informs IML the XSS has been resolved in one of the fields but is still present in several other fields
17 November: 42 Gears inform IML the Agent patches will be released 19th November
17 November: IML shares a detailed example of how the XSS and Auth bypass can be chained to run arbitrary code on every device managed by SureMDM
19 November: 42 Gears report XSS via agent payload as resolved in production.
24 November: Linux Agent 3.1.9 released
16 December: 42 Gears report a performance impact from the XSS checks and advise that XSS and Auth Bypass will be released in January
23 January: 42 Gears responded with an update that they were continuing to apply additional mitigations above and beyond those reported by Immersive Labs.
Proof Of Concept
In an upcoming blog post, Immersive Labs will be releasing the Proof of Concept (PoC) code for the Linux RCE and Local Privilege Escalation vulnerabilities, which were both disclosed in July and have been patched since November.