Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-1410: A Red Team Perspective on the Device42 Asset Management Appliance

OS Command Injection vulnerability in the db_optimize component of Device42 Asset Management Appliance allows an authenticated attacker to execute remote code on the device. This issue affects: Device42 CMDB version 18.01.00 and prior versions.

CVE
#vulnerability#cisco#rce#auth

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial

Modern IT environments rely on automatic discovery, asset management, and dependency mapping.

Whether based on agents or completely agentless, these tools allow IT infrastructure managers to create a complete inventory of networked devices, servers and hypervisors, applications, and more.

While investigating the Device42 platform, we found multiple severe security issues exploitable by attackers with any level of access within the host network.

By exploiting these issues, an attacker could impersonate other users, obtain admin-level access in the application (by leaking session with an LFI) or obtain full access to the appliance files and database (through remote code execution).

By daisy-chaining multiple vulnerabilities, an attacker can achieve remote code execution with root privileges starting from an unauthenticated session:

  • Authentication bypass with an unauthenticated local file inclusion vulnerability discovered in the Exago reports component by extracting valid session IDs of authenticated users
  • Remote code execution by creating an autodiscovery task (*nix/CISCO NX-OS) with crafted RCE payload as username

Besides these critical vulnerabilities, we also identified a remote code execution vulnerability in the appliance manager component.

The full research paper is available for download below:

Download the Whitepaper

Mitigation

Part of our mission to keep customers safe is to identify vulnerabilities in applications and IoT devices and then to responsible disclose our findings to the affected vendors so they can work on fixes. Once these fixes become available, they should be immediately deployed by organizations already running vulnerable versions of the app. Vulnerable instances of the Device42 appliance should be updated to version 18.01.00 to prevent exploitation.

We would like to extend our thanks to the Device42 team for working with us and quickly making a fix available.

Related news

Critical Flaws Disclosed in Device42 IT Asset Management Software

Cybersecurity researchers have disclosed multiple severe security vulnerabilities asset management platform Device42 that, if successfully exploited, could enable a malicious actor to seize control of affected systems. "By exploiting these issues, an attacker could impersonate other users, obtain admin-level access in the application (by leaking session with an LFI) or obtain full access to the

Multiple Vulnerabilities Discovered in Device42 Asset Management Appliance

Four serious security issues on the popular appliance could be exploited by hackers with any level of access within the host network, Bitdefender researchers say.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907