Northern.tech Mender Enterprise Server Improper Access Control Vulnerability in Device Group RBAC

Vulnerability

An access control vulnerability has been identified in Northern.tech Mender Enterprise Server versions prior to 4.1.1. The issue arises from a flaw in the role-based access control (RBAC) system through which users could inadvertently gain higher access levels than intended. Specifically, if an administrator assigned a user different access levels to devices through separate device groups, the user ended up with the elevated level of privilege across both groups rather than only in the group it was granted for, potentially leading to unauthorized management of devices.
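To make the class of flaw concrete, the following Go program is an added illustration and is not Mender's code; it models group-scoped permissions with a hypothetical `Grant`/`Role`/`User` structure and constructed sample data. The `flattenedAllowed` check merges each user's grants into one group-agnostic set of actions, which is the pattern that lets a "deploy" permission on one group leak to another; `scopedAllowed` is the corrected check, which only permits an action when a grant pairs that action with that exact group.

```go
package main

import "fmt"

// Action is something a user may do to devices in a group (constructed for this example).
type Action string

const (
	ActionRead   Action = "read"
	ActionDeploy Action = "deploy"
)

// Grant binds one action to one device group.
type Grant struct {
	Group  string
	Action Action
}

// Role is a named set of grants, e.g. "deploy on lab, read-only on production".
type Role struct {
	Name   string
	Grants []Grant
}

// User holds the roles an administrator assigned.
type User struct {
	Name  string
	Roles []Role
}

// flattenedAllowed models the flawed pattern: every grant is merged into a
// group-agnostic set of actions and a group-agnostic set of groups, so the
// user's highest action applies to every group they can see at all.
func flattenedAllowed(u User, group string, a Action) bool {
	actions := map[Action]bool{}
	groups := map[string]bool{}
	for _, r := range u.Roles {
		for _, g := range r.Grants {
			actions[g.Action] = true
			groups[g.Group] = true
		}
	}
	return groups[group] && actions[a]
}

// scopedAllowed is the corrected check: the (group, action) pair must appear
// together in a single grant; permissions are never widened across groups.
func scopedAllowed(u User, group string, a Action) bool {
	for _, r := range u.Roles {
		for _, g := range r.Grants {
			if g.Group == group && g.Action == a {
				return true
			}
		}
	}
	return false
}

// exampleUser returns constructed sample data: full control of "lab",
// read-only on "production".
func exampleUser() User {
	return User{
		Name: "operator",
		Roles: []Role{
			{Name: "deploy-lab", Grants: []Grant{
				{Group: "lab", Action: ActionDeploy},
				{Group: "lab", Action: ActionRead},
			}},
			{Name: "view-production", Grants: []Grant{
				{Group: "production", Action: ActionRead},
			}},
		},
	}
}

func main() {
	u := exampleUser()
	// Flawed check: "deploy" from the lab role leaks onto production.
	fmt.Println("flattened: deploy to production?", flattenedAllowed(u, "production", ActionDeploy))
	// Scoped check: deploy is only allowed where it was actually granted.
	fmt.Println("scoped:    deploy to production?", scopedAllowed(u, "production", ActionDeploy))
	fmt.Println("scoped:    deploy to lab?       ", scopedAllowed(u, "lab", ActionDeploy))
}
```

The practical check for an administrator after upgrading is the same one the scoped function performs: for each user, confirm that the highest permission they hold on any one group is not honoured on other groups where they were only given a lesser role.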

Impact

Exploitation of this vulnerability could result in a user gaining unauthorized access to manage devices across multiple groups, beyond what was intended by the administrator. In a multi-tenant environment like hosted Mender, this could allow an attacker to manipulate devices of other users. However, for on-premise installations, the impact is likely limited due to fewer users and the difficulty of accessing accounts with the necessary permissions.

Remediation

Users of Northern.tech Mender Enterprise Server should upgrade to version 4.1.1 or 4.0.2. Detailed upgrade instructions are available in the Mender documentation.

Added: May 28, 2026, 3:39 AM
Updated: May 28, 2026, 3:39 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 5.2
remediation: 0.0
relevance: 9.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.