Northern.tech Mender Client
cpe:2.3:a:northern.tech:mender:*:*:*:*:*:*:*
- >= 4.0.0, <= 4.0.4
A vulnerability exists in Northern.tech Mender Client versions 4.0.0 through 4.0.4, where private key files generated on devices may be improperly accessible to other users due to lax file permissions. This issue arises because the Mender authentication process creates a private key file with read permissions for other users, and these permissions are not corrected, potentially allowing unauthorized access to the key.
Exploiting this vulnerability could enable unauthorized users or processes on the device to read the private key file, which could then be used to impersonate the device when communicating with the Mender Server. This could allow an attacker to download updates or manipulate inventory information for the device.
To reproduce this vulnerability, install Northern.tech Mender Client version 4.0.0, 4.0.1, 4.0.2, 4.0.3, or 4.0.4. After the installation, check the permissions of the private key file located at '/var/lib/mender/mender-agent.pem'. If the file permissions are set to '-rw-r--r--', the device is affected by the vulnerability.
Upgrade to Northern.tech Mender Client version 4.0.5 or later, which enforces stricter permissions on the private key file. If an upgrade is not possible, manually change the file permissions using the 'chmod' command to remove read access for other users.
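The check and the manual workaround described above, as an added shell example (not code from Northern.tech or the Mender project). The function names are hypothetical, the key path is the one given in the advisory, and the script assumes a `stat` that supports `-c`; it clears group access as well as other access.

```shell
#!/bin/sh
# Added example (not Mender code): audit and tighten the device key's mode.
# The default path is the one named in the advisory; function names are
# hypothetical. Assumes a stat that supports -c (GNU coreutils or BusyBox).

KEY_DEFAULT=/var/lib/mender/mender-agent.pem

# Print the octal permission bits of a file, e.g. 644.
key_mode() {
    stat -c '%a' "$1"
}

# Return 0 if group and other have no access, 1 if any such bit is set,
# 2 if the file is missing or cannot be inspected.
check_key() {
    key=${1:-$KEY_DEFAULT}
    [ -f "$key" ] || { echo "missing: $key" >&2; return 2; }
    mode=$(key_mode "$key") || return 2
    # Leading 0 makes the shell read the mode as octal; 077 = group+other bits.
    if [ $(( 0$mode & 077 )) -eq 0 ]; then
        echo "ok: $key mode $mode"
        return 0
    fi
    echo "exposed: $key mode $mode (group/other bits set)"
    return 1
}

# Remove group/other access only when the check reports exposure, then re-check.
fix_key() {
    key=${1:-$KEY_DEFAULT}
    st=0
    check_key "$key" || st=$?
    [ "$st" -eq 1 ] || return "$st"
    chmod go-rwx "$key" && check_key "$key"
}

# Usage: script check [path] | script fix [path]
case "${1:-}" in
    check) check_key "${2:-}" ;;
    fix)   fix_key "${2:-}" ;;
esac
```

Tightening the mode does not show whether the key was read while it was still readable by other users.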