Critical Flaws Disclosed in Device42 IT Asset Management Software

Cybersecurity researchers have disclosed multiple severe
security vulnerabilities in the IT asset management platform Device42[1]
that, if successfully exploited, could enable a malicious actor to
seize control of affected systems.

“By exploiting these issues, an attacker could impersonate other
users, obtain admin-level access in the application (by leaking
session with an LFI[2]) or obtain full access
to the appliance files and database (through remote code
execution),” Bitdefender said[3]
in a Wednesday report.

Even more concerning, an adversary with any level of access
within the host network could daisy-chain three of the flaws to
bypass authentication protections and achieve remote code execution
with the highest privileges.

The issues in question are listed below –

  • CVE-2022-1399 – Remote Code Execution in
    scheduled tasks component
  • CVE-2022-1400 – Hard-coded encryption key IV
    in Exago WebReportsApi.dll
  • CVE-2022-1401 – Insufficient validation of
    provided paths in Exago
  • CVE-2022-1410 – Remote Code Execution in
    ApplianceManager console

The most critical of the weaknesses is CVE-2022-1399, which
allows bash commands to be executed through command injection
with root permissions, granting the attacker full control over
the underlying appliance.

Although the remote code execution flaw cannot be exploited on its
own, it can be chained with CVE-2022-1401 and CVE-2022-1400 to
extract valid session identifiers of already authenticated users by
taking advantage of a local file inclusion[4]
vulnerability discovered in the Exago reporting component.

Following responsible disclosure by the Romanian cybersecurity
firm on February 18, the flaws were addressed by Device42 in
version 18.01.00[5]
released on July 7, 2022.

References

  1. Device42 (www.device42.com)
  2. LFI (en.wikipedia.org)
  3. said (www.bitdefender.com)
  4. local file inclusion (en.wikipedia.org)
  5. version 18.01.00 (support.device42.com)
