Researchers at S.C. Bitdefender SRL today detailed multiple severe security issues in the Device42 Inc. platform that open the door to attackers.
Device42 offers tools for discovery, asset management and dependency mapping for data centers and the cloud. The vulnerabilities were found in an audit of a Device42 appliance covering two instances of the application: the production instance and the staging instance.
The results of the audit were not favorable for Device42. On the production instance, all company employees had access through single sign-on, and the researchers had the same access as any employee, including access to the “Advanced Reporting” feature.
On the staging instance, the researchers had a username and password with administrative permissions. By exploiting a remote command execution vulnerability, they gained full root access and could then examine the entire available code.
By exploiting these issues, an attacker could impersonate other users, obtain admin-level access to the application through cross-site scripting, or gain full access to the appliance files and database via RCE.
By chaining the multiple vulnerabilities, the researchers claim that an attacker can achieve remote code execution with root privileges starting from an unauthenticated session. The chain begins with an authentication bypass: an unauthenticated local file inclusion vulnerability in the Exago reports component of Device42’s code lets an attacker extract valid session IDs of authenticated users. With a valid session, remote code execution is then possible by creating an autodiscovery task with a crafted RCE payload as the username.
Beyond the critical chain, the researchers also found an RCE vulnerability in the appliance manager component and a server-side request forgery vulnerability in the Exago Reports component.
The vulnerabilities were discovered earlier this year, and Bitdefender submitted them to Device42 on Feb. 18. The response wasn’t quick: Bitdefender had to explain and demonstrate the vulnerabilities to Device42 in a briefing call on March 16.
By April 20, Bitdefender had reserved Common Vulnerabilities and Exposures numbers for the vulnerabilities. On July 20, Device42 finally released version 18.01.00 to address them.
The report concludes with Bitdefender advising all Device42 users running affected versions to update immediately to the latest version.