A Red Team Perspective on the Device42 Asset Management Appliance

Modern IT environments rely on automatic discovery, asset management, and dependency mapping.

Whether based on agents or completely agentless, these tools allow IT infrastructure managers to create a complete inventory of networked devices, servers and hypervisors, applications, and more.

While investigating the Device42 platform, we found multiple severe security issues exploitable by attackers with any level of access within the host network.

By exploiting these issues, an attacker could impersonate other users, obtain admin-level access in the application (by leaking session with an LFI) or obtain full access to the appliance files and database (through remote code execution).

By daisy-chaining multiple vulnerabilities, an attacker can achieve remote code execution with root privileges starting from an unauthenticated session:

• Authentication bypass with an unauthenticated local file inclusion vulnerability discovered in the Exago reports component by extracting valid session IDs of authenticated users
• Remote code execution by creating an autodiscovery task (*nix/CISCO NX-OS) with crafted RCE payload as username

Besides these critical vulnerabilities, we also identified a remote code execution vulnerability in the appliance manager component.

The full research paper is available for download below:

Download the Whitepaper

Mitigation

Part of our mission to keep customers safe is to identify vulnerabilities in applications and IoT devices and then to responsible disclose our findings to the affected vendors so they can work on fixes. Once these fixes become available, they should be immediately deployed by organizations already running vulnerable versions of the app. Vulnerable instances of the Device42 appliance should be updated to version 18.01.00 to prevent exploitation.

We would like to extend our thanks to the Device42 team for working with us and quickly making a fix available.