Northern.tech Mender Server Improper Access Control Vulnerability in Device Groups

Vulnerability

A vulnerability has been identified in Northern.tech Mender Server versions prior to 3.7.11 and 4.x versions prior to 4.0.1 that results in incorrect access control for device groups. This issue can give users access to more devices and actions than intended, particularly in environments that use the Role-Based Access Control (RBAC) system. The vulnerability could be exploited to read information about devices or groups outside the user's permissions, deploy updates to devices the user is not authorized for, or delete dynamic groups without the required access.

Impact

Exploitation of this vulnerability could result in unauthorized access to additional devices and permissions, allowing a user to deploy updates or delete groups they should not have access to.

Remediation

Users are advised to upgrade to Mender Server version 4.0.1 or later. For those on hosted Mender, the vulnerability has already been patched. Instructions for upgrading can be found in the Mender documentation.

Added: Jun 26, 2025, 6:36 PM
Updated: Jun 26, 2025, 7:01 PM

Vulnerability Rating

Custom Algorithm

  Category         Score
  spread           3.4
  impact           5.0
  exploitability   5.2
  remediation      7.9
  relevance        0.2
  threat           0.0
  urgency          2.9
  incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.