SureMDM Vulnerabilities Exposed Companies to Supply Chain Attacks

A series of vulnerabilities in 42Gears’ SureMDM device management products could have resulted in a supply chain compromise against any organization using the platform.

42Gears was founded in 2009. It is based in Bangalore, India, and provides mobile device management and productivity products for organizations with a large mobile workforce. Its website lists a range of major customers (without specifying which products they use) including Deloitte, Saab, Lufthansa, Tesco, Thales, Intel and many others.

Researchers at Immersive Labs discovered and disclosed the first vulnerability to 42Gears on July 6, 2021. A series of additional vulnerability disclosures together with ‘failed’ private patches (including a new vulnerability introduced by one of the private patches) meant that effective public patches were not released until November 2021 and January 2022.

On January 23, 2022, 42Gears informed Immersive that it was still applying additional mitigations beyond those the researchers had reported. By then Immersive considered that it had satisfied its own responsible disclosure principles and could publish its findings.

The discovered vulnerabilities included some affecting the 42Gears web console and others affecting the Linux agent. The web console vulnerabilities are the most concerning: chaining them could allow an attacker to disable security tools and install malware on every Linux, macOS or Android device with SureMDM installed.

The Linux agent vulnerabilities would allow attackers to gain remote code execution on the devices as the root user.

The web console vulnerabilities include spoofing the SureMDM agent. Because no authentication is required by default between the agent and the server for Linux and Mac devices, an attacker could register a fake device or, where possible, impersonate a known device and send malicious data to the server.

An authentication method can be turned on by the user, but an oversight in the setup allows Linux and Mac devices to bypass the authentication step. This has been fixed in the latest patch, but it is still not the default setting and requires the user to manually enable it.

An XSS vulnerability in the console would allow attackers to inject JavaScript code that would be executed whenever the main page of the console was loaded or refreshed. No additional interaction would be required from the user beyond logging into the dashboard.
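As an added illustration, not code from the advisory or from 42Gears, the following Python shows the generic shape of the bug described above: a string supplied by a device rendered straight into the console's HTML, beside the escaped version, with a small parser-based check that tells the two apart. The device-name field, the table-row template and the sample names are assumptions made for the demo; the page does not say which console field carried the XSS.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs for the demo (not payloads from the advisory).
BENIGN_NAME = "warehouse-scanner-07"
MALICIOUS_NAME = '<img src=x onerror="alert(document.cookie)">'   # text-node context
ATTR_BREAKOUT = '" autofocus onfocus="alert(1)'                    # attribute context


def render_device_row_unsafe(name):
    """Vulnerable pattern (assumed for illustration): a string supplied by the
    agent is concatenated into the dashboard markup unescaped, so it becomes
    live HTML every time the page loads or refreshes."""
    return f'<tr><td title="{name}">{name}</td></tr>'


def render_device_row_safe(name):
    """Hardened version: escape for both the text node and the quoted
    attribute. quote=True is what stops the attribute break-out; the default
    html.escape(s) leaves quotes alone and is not enough here."""
    safe = html.escape(name, quote=True)
    return f'<tr><td title="{safe}">{safe}</td></tr>'


class _MarkupCollector(HTMLParser):
    """Collects every start tag and attribute name the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attr_names = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)


def executable_markup(fragment):
    """Return (extra_tags, handlers): tags beyond the <tr>/<td> scaffold the
    template itself emits, and any on* event-handler attributes. Both lists
    empty means the device name was rendered as inert text."""
    collector = _MarkupCollector()
    collector.feed(fragment)
    collector.close()
    extra_tags = sorted(t for t in collector.tags if t not in ("tr", "td"))
    handlers = sorted(a for a in collector.attr_names if a.lower().startswith("on"))
    return extra_tags, handlers


if __name__ == "__main__":
    for name in (BENIGN_NAME, MALICIOUS_NAME, ATTR_BREAKOUT):
        for label, render in (("unsafe", render_device_row_unsafe),
                              ("safe", render_device_row_safe)):
            print(label, repr(name), executable_markup(render(name)))
```

The second sample matters as much as the first: a payload that never contains `<` still becomes an event handler once it can close the `title` attribute, which is why escaping has to match the context the value lands in, not just strip tags.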

“By combining three of these vulnerabilities and some additional features of the agent,” write the researchers, “it would be possible for an attacker to gain remote code execution on every device that is currently managed by SureMDM across all customer accounts.” No knowledge of specific customers, authentication or existing access to SureMDM would be required.

All the steps involved can be automated and can achieve code execution within seconds of an organization logging into their SureMDM account.

The SureMDM agent vulnerabilities include command injection on the Linux agent. Users with physical access to a device can use a hidden key sequence to launch SureLock (kiosk software included with SureMDM) as the root user. The attacker can then use command injection to gain local privilege escalation.

Attackers on the same local network as a device running the Linux agent can gain RCE on that host by sending a specially constructed packet to a port the agent listens on; the injected commands execute as root.

If the SureLock component is disabled by the user, a set of over-permissive `chmod 777` commands are executed on the host system. An attacker with existing local access could use these to gain root privileges.

Finally, if a local user can monitor local processes or localhost network connections, that user could use something like pspy to intercept credentials for accounts with sudo or root privileges when activating SureLock.
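The two local-access findings above (the `chmod 777` fallout and the credentials visible to a process-monitoring tool such as pspy) come down to checks any local user can run. The Python below is an added example, not code from Immersive Labs or 42Gears: it walks a directory for world-writable files and directories, and reads `/proc/<pid>/cmdline` the way pspy-style tools do, flagging command lines that appear to carry a secret. The paths, the fake process table and the secret-argument pattern are assumptions built for the demo; point the two functions at a real install directory and the real `/proc` to use them on a host.

```python
import os
import re
import shutil
import stat
import sys
import tempfile

# Heuristic for a secret passed as an argument (assumption for the demo;
# tune to the tools present on the host). Matches "--password=x",
# "-p x"-style flags for the listed names and bare "token=x" forms, but not
# "/usr/bin/passwd root".
SECRET_ARG = re.compile(
    r"(?:^|\s)(?:-{1,2}(?:password|passwd|pass|pwd|token|secret)(?:=|\s+)\S+"
    r"|(?:password|passwd|token|secret)=\S+)",
    re.IGNORECASE,
)


def world_writable(root):
    """Return paths under `root` (files and directories, symlinks skipped)
    that carry the o+w bit, i.e. what a blanket `chmod 777` leaves behind.
    Any of these that a privileged component later executes or reads is a
    local privilege-escalation candidate."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def leaky_cmdlines(proc_root="/proc"):
    """Read every <proc_root>/<pid>/cmdline (NUL-separated argv) and return
    (pid, argv joined) pairs that look like they carry a credential.
    /proc is world-readable by default, so this is exactly what an
    unprivileged user running pspy would see."""
    leaks = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as f:
                raw = f.read()
        except OSError:
            continue
        argv = raw.decode("utf-8", "replace").split("\0")
        line = " ".join(a for a in argv if a)
        if SECRET_ARG.search(line):
            leaks.append((int(entry), line))
    return sorted(leaks)


def demo():
    """Build a constructed fixture (not a real SureMDM/SureLock install) in a
    temp dir, run both checks over it, and return (relative world-writable
    paths, pids whose command line leaks a secret)."""
    base = tempfile.mkdtemp(prefix="surelock-audit-")
    try:
        install = os.path.join(base, "opt", "surelock")
        os.makedirs(install)
        wide_open = os.path.join(install, "surelock.sh")
        locked = os.path.join(install, "surelock.conf")
        for p in (wide_open, locked):
            with open(p, "w") as f:
                f.write("#!/bin/sh\necho demo\n")
        os.chmod(install, 0o755)
        os.chmod(wide_open, 0o777)   # the over-permissive mode the article describes
        os.chmod(locked, 0o644)
        proc = os.path.join(base, "proc")
        fake_procs = {   # constructed process table
            101: ["/opt/surelock/agent", "--config", "/opt/surelock/surelock.conf"],
            102: ["sh", "-c", "/opt/surelock/activate --password=hunter2"],
            103: ["su", "root"],
        }
        for pid, argv in fake_procs.items():
            os.makedirs(os.path.join(proc, str(pid)))
            with open(os.path.join(proc, str(pid), "cmdline"), "wb") as f:
                f.write(b"\0".join(a.encode() for a in argv) + b"\0")
        writable = [os.path.relpath(p, base)
                    for p in world_writable(os.path.join(base, "opt"))]
        leaking = [pid for pid, _ in leaky_cmdlines(proc)]
        return writable, leaking
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    if len(sys.argv) > 1:            # audit a real tree and the real /proc
        for p in world_writable(sys.argv[1]):
            print("world-writable:", p)
        for pid, line in leaky_cmdlines():
            print("secret on cmdline:", pid, line)
    else:
        print(demo())
```

The command-line check only catches secrets handed over as arguments; credentials typed into a prompt or read from a mode-0600 file do not appear in `cmdline`, which is the change to ask for when a privileged activation step needs a password.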

Immersive Labs intends to publish proof of concept code for the Linux RCE and local privilege escalation vulnerabilities (which were both disclosed in July 2021 and have been patched since November 2021) in a separate blog. Although all the disclosed vulnerabilities have now been patched, it is essential for all SureMDM users to ensure that they are using the latest version of the software. It is also advised that they manually turn on the device authentication option.

Immersive Labs is a cybersecurity skills development company. It was founded in 2017 in Bristol, UK by James Hadley (CEO), a former employee of the UK’s GCHQ intelligence agency. The company raised $75 million in a Series C funding round in June 2021.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
