and can be used for ordinary browsing. However, it can be leveraged by an attacker to bypass network security and access network services running on the Mender Server. The Mender Server is available on the Internet and can be reached by other clients. An attacker can connect to the Mender Server by setting up a front-end component such as a web server, load balancer, or monitoring device and access it directly. Due to the unprivileged TCP port and the device-specific client certificate and key, the attacker can make requests to the Mender Server with the device's user credentials. Remotely accessing the Mender Server with the attacker's user credentials allows the attacker to leverage the remote access feature of the Mender Server to gain access to the internal network of the Mender Device. In Northern.tech Mender 3.2.0, 3.2.1, and 3.2.2, the default configuration doesn't allow access to the Mender Server by non-administrative users. However, if non-administrative users are able to access the Mender Server and make requests to it, they can access internal data on the Mender Device. Access to the Mender Server by non-administrative users doesn't represent a direct threat to the device's data integrity and security, because it allows a user to perform ordinary remote operations such as setting up a monitor and changing settings. However, if an attacker is able to access the Mender Server, he can

Mender Device

A Mender Device is a device that runs the Mender Server software (version 3.2.0, 3.2.1, or 3.2.2) and implements Northern.tech's Mender technology for remote management of a network of Internet-connected devices running the Mender Server software over port 443, without requiring administrative privileges on all the connected devices. The default configuration doesn't allow non-administrative users to access the Mender Server, but it does allow them to perform operations such as setting up monitors and changing settings remotely, which may allow an attacker to access internal data on a Mender Device without the device owner's knowledge or permission.

Mender Device Overview

A Mender Device is a device that monitors services running on its local computer, such as web servers and database servers. The Mender Device can also be used for ordinary browsing.
However, it can be leveraged by an attacker to bypass network security and access network services running on the Mender Server.
The Mender Server is available on the Internet and can be reached by other clients. An attacker can connect to the Mender Server by setting up a front-end component such as a web server, load balancer, or monitoring device and access it directly. Due to the unprivileged TCP port and the device-specific client certificate and key, the attacker can make requests to the Mender Server with the device's user credentials. Remotely accessing the Mender Server with the attacker's user credentials allows the attacker to leverage the remote access feature of the Mender Server to gain access to the internal network of the Mender Device. In Northern.tech Mender 3.2.0, 3.2.1, and 3.2.2, there is no way for administrative users (Menders) who have been authenticated by remote management tools such as CLI or RDP to specifically block non-administrative users from accessing remote services on Linux systems when those users are authenticated by the admin/mgr authentication options in these versions of Northern.tech's software.

Remotely accessing the Mender Server with a man-in-the-middle (MitM) attack

Remotely accessing the Mender Server with a MitM attack is another way an attacker can leverage the remote access feature of the Mender Server to gain access to the internal network of the Mender Device. In Northern.tech Mender 3.2.0, 3.2.1, and 3.2.2, an attacker needs to be authenticated by a valid administrator account or to hold a valid device-specific client certificate and key in order to make requests to the Mender Server with their user credentials, as mentioned above. However, if an attacker is able to obtain an authorization token (for example, after exploiting a known vulnerability in Northern.tech's software), they can use that token to impersonate a valid administrator account or request data from the Mender Server without being authenticated. The attacker then has full control over remotely accessing the Mender Device's internal network and anything running on it, including its web server, load balancer, monitoring device, and other components exposed via HTTP protocol integration (HTTP/HTTPS).

Timeline

Published on: 07/06/2022 12:15:00 UTC
Last modified on: 07/14/2022 21:50:00 UTC

References