42 Gears has patched several vulnerabilities in its SureMDM (Mobile Device Management) devices after Immersive Labs found them. The patches affect both the Web Console and the Linux Agent, with at least one being marked as critical. The risk of not patching, according to Immersive Labs, is that the vulnerabilities “could allow attackers to perform a supply chain compromise against any organization using the platform.”
Kev Breen, Director of Cyber Threat Research, Immersive Labs, has written a blog listing the vulnerabilities. In all, there are nine, four in the SureMDM Web Console and five in the Linux Agent. The blog also lists the timeline from initial discovery to remediation.
That timeline shows that the first contact was in July 2021, with 42 Gears issuing its first patch in September 2021. However, it seems that it fixed none of the problems that Immersive Labs had reported. It was mid-November before a release was shared with customers fixing most problems. The last issues were resolved by 42 Gears on 23 January, more than six months after the process started.
A long list of serious vulnerabilities
This is not just about a set of vulnerabilities. It is that these vulnerabilities can be combined to create new risks to customers. Breen writes: “By chaining the vulnerabilities affecting the web console together, an attacker could disable security tools and install malware or other malicious code onto every Linux, MacOS or Android device with SureMDM installed. An attacker does not need to know customer details to achieve this or even have an account on SureMDM.”
To compound the problem, while attempting to fix issues reported by Immersive Labs, 42 Gears introduced at least one additional vulnerability.
The list of vulnerabilities includes:
- Local Privilege Escalation
- Hardcoded credentials, including root
- Agent spoofing
- Authorisation bypass
- Cross-site scripting (XSS)
- Remote control execution (RCE)
Enterprise Times: What does this mean?
Over the last two years, employees’ use of personal devices has rocketed. Organisations need to manage those devices, and this is where MDM products have surged. Over the last two years, 42 Gears has invested heavily in SureMDM. Last year alone, it added Mobile Threat Defense and a developer portal. It also announced support for more devices and announced new customers.
There are multiple issues in this blog that will concern 42 Gears customers. The first is the length of time it took to get things fixed. Second, the release of multiple patches that did nothing or were incomplete. Third, is that one patch introduced a new RCE. It raises the question of how thoroughly 42 Gears was testing its patches before releasing them.
Later this year, Immersive Labs will release proof of concept code for the Linux RCE and local privilege vulnerabilities. It is only doing so because 42 Gears has now properly patched them. However, those customers using SureMDM will want to ensure they are running the latest version of the product.
