A series of vulnerabilities on the popular asset management platform Device42 could be exploited to give attackers full root access to the system, according to Bitdefender.
By exploiting a remote code execution (RCE) vulnerability in the staging instance of the platform, attackers could successfully obtain full root access and gain complete control of the assets housed inside, Bitdefender researchers wrote in the report. The RCE vulnerability (CVE-2022-1399) has a base score of 9.1 out of 10 and is rated "critical," explains Bogdan Botezatu, director of threat research and reporting at Bitdefender.
"By exploiting these issues, an attacker could impersonate other users, obtain admin level access in the application (by leaking session with a LFI) or obtain full access to the appliance files and database (through remote code execution)," the report noted.
RCE vulnerabilities allow attackers to manipulate the platform to execute unauthorized code as root — the most powerful level of access on a device. Such code can compromise the application as well as the virtual environment the app is running on.
To get to the remote code execution vulnerability, an attacker that has no permissions on the platform (such as a regular employee outside of the IT and service desk teams) needs to first bypass authentication and gain access to the platform.
Chaining Flaws in Attacks
This can be made possible through another vulnerability described in the paper, CVE-2022-1401, that lets anyone on the network read the contents of several sensitive files in the Device42 appliance.
The file holding session keys are encrypted, but another vulnerability present in the appliance (CVE-2022-1400) helps an attacker retrieve the decryption key that is hardcoded in the app.
"The daisy-chain process would look like this: an unprivileged, unauthenticated attacker on the network would first use CVE-2022-1401 to fetch the encrypted session of an already authenticated user," Botezatu says.
This encrypted session will be decrypted with the key hardcoded in the appliance, thanks to CVE-2022-1400. At this point, the attacker becomes an authenticated user.
"Once logged in, they can use CVE-2022-1399 to fully compromise the machine and gain complete control of the files and database contents, execute malware and so on," Botezatu says. "This is how, by daisy-chaining the described vulnerabilities, a regular employee can take full control of the appliance and the secrets stored inside it."
He adds these vulnerabilities can be discovered by running a thorough security audit for applications that are about to be deployed across an organization.
"Unfortunately, this requires require significant talent and expertise to be available in house or on contract," he says. "Part of our mission to keep customers safe is to identify vulnerabilities in applications and IoT devices, and then to responsible disclose our findings to the affected vendors so they can work on fixes."
These vulnerabilities have been addressed. Bitdefender received version 18.01.00 ahead of public release and was able to validate that the four reported vulnerabilities — CVE-2022-1399, CVE-2022-1400, CVE 2022-1401, and CVE-2022-1410 — are no longer present. Organizations should immediately deploy the fixes, he says.
Earlier this month, a critical RCE bug was discovered in DrayTek routers, which exposed SMBs to zero-click attacks — if exploited, it could give hackers complete control of the device, along with access to the broader network.