Several flaws in 42Gears’ SureMDM device management solutions might have led to a supply chain compromise for any company that used the platform. 42Gears is a mobile device management and productivity company established in Bangalore, India. It caters to businesses with a big mobile workforce. Deloitte, Saab, Lufthansa, Tesco, Thales, Intel, and other notable clients are listed on the company’s website.
On July 6, 2021, researchers at Immersive Labs discovered the first vulnerability and disclosed it to 42Gears. A series of further vulnerability disclosures, combined with ‘failed’ private fixes (one of which introduced a new vulnerability), delayed the delivery of effective public patches until November 2021 and January 2022. On January 23, 2022, 42Gears told Immersive that it was continuing to implement further mitigations beyond those reported by the researchers. Immersive considered its responsible-disclosure obligations met and was ready to publish its findings.
Some of the vulnerabilities affected the 42Gears web console, while others affected the Linux agent. The flaws in the web console are the most worrying: by chaining them, an attacker could disable security protections and install malware on any Linux, macOS, or Android device managed by SureMDM. The Linux agent flaws would let attackers obtain root privileges and execute programs remotely.
Spoofing the SureMDM agent is one of the web console vulnerabilities. Because no authentication is required between the agent and the server for Linux and Mac devices, an attacker could register a bogus device or, where possible, spoof a known device and send false data to the server.
“By combining three of these vulnerabilities and some additional features of the agent,” write the researchers, “it would be possible for an attacker to gain remote code execution on every device that is currently managed by SureMDM across all customer accounts.”
No customer-specific information, authentication, or existing access to SureMDM would be needed. The whole procedure can be automated, and code execution can occur as soon as an organization logs into its SureMDM account. Command injection on the Linux agent is one of the SureMDM agent flaws: a user with physical access to a device can launch SureLock (kiosk software bundled with SureMDM) as the root user via a hidden key sequence, and from there gain local privilege escalation through command injection.
By delivering a specially crafted packet to a port on which the Linux agent executes commands as the root user, an attacker with access to the local network can achieve RCE on target servers. If the user disables the SureLock component, the host system is subjected to a series of overly permissive ‘chmod 777’ commands, which an attacker with local access could use to obtain root privileges. Finally, if a local user can monitor local processes or localhost network connections, they could use pspy to capture SureLock credentials for accounts with sudo or root capabilities.
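The ‘chmod 777’ problem described above leaves world-writable files behind, which is something an administrator can check for directly. The following shell script is an added example, not code from the article or from 42Gears: it scans a directory tree for world-writable entries and, for an offline run, builds a small constructed sample tree containing one such file. The directory to scan is an assumption; on a real host you would point it at the agent's installation path.

```shell
#!/bin/sh
# Added example: find world-writable files and directories, the state that a
# run of 'chmod 777' leaves behind. Nothing here is specific to SureMDM.

# Print every world-writable path under $1 (one per line). Symbolic links are
# skipped because their mode bits are meaningless; -xdev stays on one filesystem.
find_world_writable() {
    find "$1" -xdev -perm -0002 ! -type l 2>/dev/null
}

# Return the number of world-writable entries under $1.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (an assumption, not a real agent layout): one file
# with sane permissions and one that has been chmod 777'd.
demo_tree="$(mktemp -d)"
mkdir -p "$demo_tree/ok" "$demo_tree/bad"
touch "$demo_tree/ok/config" "$demo_tree/bad/helper.sh"
chmod 755 "$demo_tree/ok" "$demo_tree/bad"
chmod 644 "$demo_tree/ok/config"
chmod 777 "$demo_tree/bad/helper.sh"

echo "World-writable entries under $demo_tree:"
find_world_writable "$demo_tree"
echo "Count: $(count_world_writable "$demo_tree")"
```

Run on a real system, any path the script reports under a software install directory deserves a look: a world-writable script or binary that is later executed by a privileged process is exactly the condition the article's local privilege escalation relies on.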
Although all publicly disclosed vulnerabilities have been patched, it is critical for all SureMDM users to make sure they are running the most recent version of the software. It is also recommended that they manually enable the device authentication option.