Critical Flaws Disclosed in Device42 IT Asset Management Software


Cybersecurity researchers have disclosed several severe security vulnerabilities in the IT asset management platform Device42 that, if successfully exploited, could enable a malicious actor to seize control of affected systems.

“By exploiting these issues, an attacker could impersonate other users, obtain admin-level access in the application (by leaking session with an LFI) or obtain full access to the appliance files and database (through remote code execution),” Bitdefender said in a Wednesday report.


Even more concerningly, an adversary with any level of access within the host network could daisy-chain three of the flaws to bypass authentication protections and achieve remote code execution with the highest privileges.


The issues in question are listed below:

  • CVE-2022-1399 – Remote Code Execution in the scheduled tasks component
  • CVE-2022-1400 – Hard-coded encryption key IV in Exago WebReportsApi.dll
  • CVE-2022-1401 – Insufficient validation of provided paths in Exago
  • CVE-2022-1410 – Remote Code Execution in the ApplianceManager console

The most critical of the weaknesses is CVE-2022-1399, which makes it possible to execute bash instructions via command injection with root permissions, granting the attacker full control over the underlying appliance.
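The vulnerability class behind CVE-2022-1399 is a scheduled-task field whose value ends up on a shell command line. The following Python is an added illustration of that class and of the defender-side checks for it; it is not Device42 code, not Bitdefender's proof of concept, and reflects nothing about how Device42's scheduler is actually implemented. The task records, the `ping` target field and the helper names are all constructed for the example. It shows the string-splicing pattern to avoid, the allowlist plus argv-list form that replaces it, and a small detection pass over task definitions that flags values carrying shell metacharacters.

```python
from __future__ import annotations

import re
import subprocess

# Constructed sample scheduled-task definitions (not Device42 data). The second
# and third records carry shell metacharacters in a field that should only
# ever hold a hostname or IPv4 literal.
SAMPLE_TASKS = [
    {"name": "ping-core-router", "target": "10.0.0.1"},
    {"name": "ping-with-suffix", "target": "10.0.0.5; id"},
    {"name": "ping-with-subshell", "target": "$(whoami).example.net"},
    {"name": "ping-dns-name", "target": "backup-nas01.example.net"},
]

# Characters a POSIX shell treats specially. In a hostname field their presence
# is a strong signal that the value was crafted to break out of the command.
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\n\\'\"]")

# Allowlist for a hostname or IPv4 literal: leading alphanumeric, then letters,
# digits, dots and hyphens, capped at the 253-character DNS limit.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]{0,252}")


def build_command_vulnerable(target: str) -> str:
    """The pattern to avoid: untrusted input spliced into a shell command string.

    Handed to subprocess with shell=True, "10.0.0.5; id" is parsed as two
    commands, and a scheduler running as root runs both of them as root.
    """
    return f"ping -c 1 {target}"


def build_command_hardened(target: str) -> list[str]:
    """Validate against the allowlist and return an argv list for shell=False.

    The target travels as a single argv element, so no shell ever tokenises it;
    the allowlist is the second, independent layer of defence.
    """
    if not HOST_RE.fullmatch(target):
        raise ValueError(f"rejected scheduled-task target: {target!r}")
    return ["ping", "-c", "1", target]


def run_task(argv: list[str], timeout: int = 10) -> subprocess.CompletedProcess:
    """Execute an argv list directly, without a shell. Not called by the checks."""
    return subprocess.run(
        argv, shell=False, capture_output=True, text=True, timeout=timeout
    )


def find_suspicious_tasks(tasks: list[dict]) -> list[str]:
    """Detection pass: names of task records whose target carries metacharacters."""
    return [t["name"] for t in tasks if SHELL_METACHARS.search(t["target"])]


if __name__ == "__main__":
    for task in SAMPLE_TASKS:
        try:
            print(task["name"], "->", build_command_hardened(task["target"]))
        except ValueError as exc:
            print(task["name"], "->", exc)
    print("flagged:", find_suspicious_tasks(SAMPLE_TASKS))
```

The detection pass is deliberately simple: an existing inventory of task definitions can be scanned for metacharacters without touching the scheduler, which is a reasonable first triage step while an appliance is being upgraded. The hardened builder does the real work, because it removes the shell from the execution path entirely rather than trying to escape individual characters.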


Though distant code execution can’t be achieved by itself, it may be stringed along with CVE 2022-1401 and CVE-2022-1400 to extract legitimate session identifiers of already authenticated customers by profiting from a native file inclusion vulnerability found within the Exago reporting part.

Following responsible disclosure by the Romanian cybersecurity firm on February 18, the flaws were addressed by Device42 in version 18.01.00, released on July 7, 2022.