Nerves Hub Web Improper Authorization Vulnerability Allows Cross-Organization Device Control
Vulnerability
A critical improper authorization vulnerability has been identified in the Nerves Hub Web device bulk actions and update API endpoints. An authenticated user can manipulate device identifiers in these requests and target devices belonging to other organizations, performing actions beyond their authorized privileges. Exploitation could involve moving devices to different products, interfering with firmware updates, or disrupting device connectivity. In environments with remote console access, this could lead to a complete compromise of the affected devices. The vulnerability affects Nerves Hub Web versions from 1.0.0 up to, but not including, 2.4.0.
Impact
Exploitation of this vulnerability could result in unauthorized control over devices in other organizations, allowing for management actions that could disrupt normal device operations or interfere with firmware updates. In some cases, this could lead to a full compromise of the devices, especially if remote console access is available.
Reproduction
The vulnerability can be reproduced by an authenticated user who manipulates device identifiers to target devices in other organizations through the device bulk actions or update API endpoints. Because the endpoints do not check that the referenced devices belong to the user's own organization, the user can then perform management actions on them, such as moving them to different products.
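The flaw class described above, shown as an added illustration rather than code from NervesHub (which is written in Elixir): a bulk-action handler that resolves client-supplied device IDs by ID alone, so IDs from other organizations are acted on, beside a hardened handler that resolves every referenced object only within the organization that owns the target product and that the caller belongs to. All names, data structures and sample records here are constructed for the example and are not the project's own.

```python
"""Added example (not NervesHub code): an IDOR-style bulk action handler
and its hardened counterpart. Schema, names and sample data are constructed
for illustration; the real project's models and API differ."""
from dataclasses import dataclass, field


@dataclass
class Device:
    id: int
    org_id: int
    product_id: int


@dataclass
class Product:
    id: int
    org_id: int


@dataclass
class User:
    id: int
    org_ids: set = field(default_factory=set)  # organizations the user belongs to


class AuthorizationError(Exception):
    """Raised when a request references objects outside the caller's scope."""


# Constructed sample data: org 1 owns product 10 and device 100,
# org 2 owns product 20 and device 200.
PRODUCTS = {10: Product(10, 1), 20: Product(20, 2)}


def fresh_devices():
    """Return a fresh copy of the sample device table so each run starts clean."""
    return {100: Device(100, 1, 10), 200: Device(200, 2, 20)}


def bulk_move_vulnerable(devices, user, device_ids, target_product_id):
    """Vulnerable pattern: the caller is authenticated, but each device is
    fetched by primary key only. Nothing ties the submitted IDs (or the
    target product) to the caller's organization, so a device ID guessed
    from another org is moved just like the caller's own."""
    moved = []
    for did in device_ids:
        dev = devices.get(did)
        if dev is None:
            continue
        dev.product_id = target_product_id
        moved.append(did)
    return moved


def bulk_move_hardened(devices, user, device_ids, target_product_id):
    """Hardened pattern: the target product must belong to an org the caller
    is a member of, and every device is resolved only among that org's
    devices. The whole request is rejected if any ID falls outside, which
    also yields a clear event to log and alert on instead of a silent drop."""
    target = PRODUCTS.get(target_product_id)
    if target is None or target.org_id not in user.org_ids:
        raise AuthorizationError(f"product {target_product_id} is not in caller's orgs")

    org_id = target.org_id
    in_scope = {d.id: d for d in devices.values() if d.org_id == org_id}
    foreign = sorted(did for did in device_ids if did not in in_scope)
    if foreign:
        raise AuthorizationError(f"device ids outside org {org_id}: {foreign}")

    # Every device and the target product are now known to share one org
    # the caller belongs to, so a cross-org move cannot happen here.
    for did in device_ids:
        in_scope[did].product_id = target_product_id
    return list(device_ids)


if __name__ == "__main__":
    member_of_org_1 = User(1, {1})
    request_ids = [100, 200]  # 200 belongs to org 2

    devs = fresh_devices()
    print("vulnerable moved:", bulk_move_vulnerable(devs, member_of_org_1, request_ids, 10))
    print("device 200 now in product", devs[200].product_id)

    devs = fresh_devices()
    try:
        bulk_move_hardened(devs, member_of_org_1, request_ids, 10)
    except AuthorizationError as exc:
        print("hardened rejected:", exc)
    print("device 200 still in product", devs[200].product_id)
```

The point of the hardened version is that the scope check is part of the lookup, not a separate step that can be forgotten: the handler never holds a reference to a device it is not allowed to touch. The same structure applies to the update endpoint, where the firmware or deployment being applied must be resolved within the same organization as the devices.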
Remediation
Update to Nerves Hub Web version 2.4.0 or later, which contains the fix for this vulnerability.
