A series of vulnerabilities in 42Gears’ SureMDM device management products could have resulted in a supply chain compromise against any organization using the platform.
42Gears was founded in 2009. It is based in Bangalore, India, and provides mobile device management and productivity products for organizations with a large mobile workforce. Its website lists a range of major customers (without specifying which products they use) including Deloitte, Saab, Lufthansa, Tesco, Thales, Intel and many others.
Researchers at Immersive Labs discovered and disclosed the first vulnerability to 42Gears on July 6, 2021. A series of additional vulnerability disclosures together with ‘failed’ private patches (including a new vulnerability introduced by one of the private patches) meant that effective public patches were not released until November 2021 and January 2022.
On January 23, 2022, 42Gears informed Immersive that they were continuing to apply additional mitigations beyond those reported by the researchers. By this time, Immersive felt it had done everything required by its own responsible disclosure principles and could publish its findings.
The discovered vulnerabilities included some affecting the 42Gears web console and others affecting the Linux agent. The web console vulnerabilities are the most concerning. Chaining them could allow an attacker to disable security tools and install malware onto every Linux, macOS or Android device with SureMDM installed.
The Linux agent vulnerabilities would allow attackers to gain remote code execution on the devices as the root user.
The web console vulnerabilities include spoofing the SureMDM agent. Since no authentication is required by default between the agent and the server for Linux and Mac devices, an attacker could register a fake device or, if possible, spoof a known device and send bad data to the server.
An authentication method can be turned on by the user, but an oversight in the setup allows Linux and Mac devices to bypass the authentication step. This has been fixed in the latest patch, but it is still not the default setting and requires the user to manually enable it.
“By combining three of these vulnerabilities and some additional features of the agent,” write the researchers, “it would be possible for an attacker to gain remote code execution on every device that is currently managed by SureMDM across all customer accounts.” No knowledge of specific customers, authentication or existing access to SureMDM would be required.
All the steps involved can be automated and can achieve code execution within seconds of an organization logging into their SureMDM account.
The SureMDM agent vulnerabilities include command injection on the Linux agent. Users with physical access to a device can use a hidden key sequence to launch SureLock (kiosk software included with SureMDM) as the root user. The attacker can then use command injection to gain local privilege escalation.
Attackers with access to the local network of a device running the Linux agent can gain RCE on target servers by sending a specially constructed packet to a listening port; the embedded commands are then executed as the root user.
If the SureLock component is disabled by the user, a set of over-permissive `chmod 777` commands is executed on the host system. An attacker with existing local access could use the resulting world-writable files to gain root privileges.
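The practical consequence of a stray `chmod 777` is world-writable files and directories under paths that should be locked down. The following audit script is an added example (not code from 42Gears or Immersive Labs) that a defender could run to check a host for such leftovers; the path list and the throwaway demonstration tree it builds are constructed assumptions, not paths from the advisory.

```shell
#!/bin/sh
# Added example: audit for world-writable files and directories of the kind a
# stray `chmod 777` leaves behind. Paths and the demo tree are assumptions.

# Print every world-writable file or directory under the given directories,
# skipping sticky-bit directories (such as /tmp), where that mode is intended.
find_world_writable() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev \( -type f -o -type d \) -perm -0002 \
            ! \( -type d -perm -1000 \) -print 2>/dev/null
    done
}

# Count the findings so the script can serve as a simple pass/fail check.
count_world_writable() {
    find_world_writable "$@" | wc -l | tr -d ' '
}

# Build a constructed, throwaway tree resembling an agent install directory,
# run the check against it, clean up, and print the number of findings.
demo() {
    umask 022
    tmp=$(mktemp -d)
    mkdir -p "$tmp/opt/agent/bin" "$tmp/opt/agent/cache" "$tmp/opt/agent/shared"
    printf '#!/bin/sh\necho helper\n' > "$tmp/opt/agent/bin/helper"
    printf 'server=example.invalid\n' > "$tmp/opt/agent/agent.cfg"
    chmod 0777 "$tmp/opt/agent/bin/helper"   # over-permissive executable: finding
    chmod 0644 "$tmp/opt/agent/agent.cfg"    # sane mode: no finding
    chmod 0777 "$tmp/opt/agent/cache"        # world-writable directory: finding
    chmod 1777 "$tmp/opt/agent/shared"       # sticky, intentional: skipped
    n=$(count_world_writable "$tmp/opt")
    rm -rf "$tmp"
    echo "$n"
}

# On a real host the check would be run against install and system paths, e.g.:
#   find_world_writable /opt /usr/local /etc
demo
```

The sticky-bit exclusion keeps legitimately shared directories such as `/tmp` out of the report, so any remaining hit is worth a look; a world-writable executable that runs with elevated privileges is exactly the pattern that turns a local foothold into root.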
Finally, if a local user can monitor local processes or localhost network connections, that user could use something like pspy to intercept credentials for accounts with sudo or root privileges when activating SureLock.
Immersive Labs intends to publish proof of concept code for the Linux RCE and local privilege escalation vulnerabilities (which were both disclosed in July 2021 and have been patched since November 2021) in a separate blog post. Although all the disclosed vulnerabilities have now been patched, it is essential for all SureMDM users to ensure that they are using the latest version of the software. It is also advised that they manually turn on the device authentication option.
Immersive Labs is a cybersecurity skills development company. It was founded in 2017 in Bristol, UK by James Hadley (CEO), a former employee of the UK’s GCHQ intelligence agency. The company raised $75 million in a Series C funding round in June 2021.