
SureMDM Vulnerabilities Expose Organizations to Supply Chain Attacks

A chain of vulnerabilities in 42Gears' SureMDM device management products could have led to a supply chain disruption via the platform. 42Gears, based in Bangalore, was established in 2009 and offers mobile device management and productivity products for organizations with an extensive mobile workforce. 

The company's website lists major customers including Deloitte, Saab, Lufthansa, Thales, Tesco and Intel. Researchers at Immersive Labs found the first flaws and reported them to 42Gears on July 6, 2021. A series of additional bug disclosures followed, along with private security patches that 'failed', which meant that effective public security fixes were not issued until November 2021 and January 2022.

"An authentication method can be turned on by the user, but an oversight in the setup allows Linux and Mac devices to bypass the authentication step. This has been fixed in the latest patch, but it is still not the default setting and requires the user to manually enable it," reports Security Week. Earlier in January, 42Gears told Immersive that it had continued to apply additional patches beyond those addressing the flaws reported by the researchers.

At that point, Immersive considered that the requirements of responsible disclosure had been met and that it could publish its findings. The identified vulnerabilities include several affecting the 42Gears web console and others affecting the Linux agent.

The web console vulnerabilities are the most critical: chained together, they would allow an attacker to disable security tools and push malware to macOS, Linux or Android devices enrolled in SureMDM. The Linux agent flaws can allow an attacker to execute code remotely on affected systems as the root user.

The authentication bypass stems from the same oversight in the setup, which lets Mac and Linux devices skip the authentication step even when the user has enabled it. Security Week reports, "the SureMDM agent vulnerabilities include command injection on the Linux agent. Users with physical access to a device can use a hidden key sequence to launch SureLock (kiosk software included with SureMDM) as the root user. The attacker can then use command injection to gain local privilege escalation."