Researchers have detailed several severe security issues in the Device42 platform that open the door to attackers.
Device42 provides device discovery, asset management, and dependency mapping for data centers and the cloud. The vulnerabilities were found during an audit of a Device42 appliance across two instances of the application: a production instance and a staging instance.
On the production instance, access was available to all company employees through single sign-on; the researchers had the same access as any employee, including access to the Advanced Reporting feature.
On the staging instance, the researchers were given a username and password with administrative permissions; by exploiting a remote command execution vulnerability, they gained full root access and could then explore the entire available code base.
An attacker exploiting these issues could impersonate other users, obtain admin-level access to the application through cross-site scripting, or gain full access to the appliance's files and database via RCE.
The researchers state that an attacker can chain the issues to achieve RCE with root privileges starting from an unauthenticated session. The chain includes an authentication bypass, achieved through an unauthenticated local file inclusion vulnerability in Device42's code that allows extracting valid session IDs of authenticated users.
The researchers also found an RCE vulnerability in the appliance manager component and a server-side request forgery (SSRF) vulnerability in the Exago Reports component.
Issue roadmap
- The vulnerabilities were discovered earlier in 2022.
- They were submitted to Device42 on Feb. 18.
- The researchers explained and demonstrated the vulnerabilities to Device42 in a briefing call on March 16.
- CVE numbers for the vulnerabilities were reserved by April 20.
- Device42 released version 18.01.00 to address the vulnerabilities on July 20.
All Device42 users running affected product versions are advised to update immediately to the latest version.
This research was documented by researchers from Bitdefender.