New SureMDM vulnerabilities could expose companies to supply chain attacks

Multiple security vulnerabilities have been disclosed in 42Gears’ SureMDM device management solution that could be weaponized by attackers to carry out a supply chain attack against affected organizations.

Cybersecurity firm Immersive Labs, in a technical write-up detailing the findings, said 42Gears released a series of updates between November 2021 and January 2022 to address multiple flaws affecting both the platform’s Linux agent and its web console.


SureMDM, developed by India-based 42Gears, is a cross-platform mobile device management (MDM) service that enables enterprises to remotely monitor, manage and secure their fleet of company-owned machines and employee-owned devices. 42Gears claims that SureMDM is used by more than 10,000 companies worldwide.

The issues identified in the web console are critical in nature, potentially allowing an attacker to gain code execution on individual devices, desktops or servers. Furthermore, they could allow the injection of malicious JavaScript code, as well as the registration of malicious devices and even the spoofing of existing devices without any authentication.

“By chaining vulnerabilities affecting the web console, an attacker could disable security tools and install malware or other malicious code on every Linux, macOS or Android device that has SureMDM installed,” said Kev Breen, director of threat research at Immersive Labs. “An attacker does not need to know customer details to achieve this or even have an account on SureMDM.”


In practice this could take the form of a supply chain attack: the exploit would be triggered when a user logs into the SureMDM console, leading to the compromise of every managed device in the organization.

The second set of security weaknesses affects SureMDM’s Linux agent up to and including version 3.0.5, and could allow an adversary to remotely execute code on managed hosts as the root user. “This vulnerability could also be exploited with local access to affected hosts to elevate privileges from the standard user to the root user,” Breen added.
