
11/09/2022

Bitdefender warns of vulnerability in IT asset management platform Device42

The widely used Device42 platform lets IT administrators manage hardware, software, devices and networks across their organization, in both on-premises and cloud environments. The platform automatically discovers assets and records their dependencies on one another. Bitdefender Labs experts found a vulnerability that allowed attackers to execute code remotely in the platform's staging environment. They were also able to gain full root access, giving them complete control over the victim's internal IT assets. After close cooperation with Bitdefender Labs, Device42 has now closed the vulnerability. Users are urged to update their installation to version 18.01.00 or later immediately.

The experts at Bitdefender Labs found several serious vulnerabilities in the Device42 platform appliance. Attackers with any level of access to the target company's network could exploit them. They were able to impersonate a legitimate user via Cross-Site Scripting (XSS), and they obtained administrator access to the Device42 solution by using Local File Inclusion (LFI) to capture a session. In this way, attackers gained Remote Code Execution (RCE) with root privileges by taking over a session without authentication. This led to critical secondary risks, such as extracting valid session IDs of authenticated users or executing code remotely through an autodiscovery task. The attackers were also able to run remote code in Device42's Compliance Manager component. They obtained the necessary credentials by exploiting the vulnerabilities described in the Bitdefender Labs report.
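The only remediation the article gives is a version threshold (18.01.00 or later), so the practical check for a defender is an inventory sweep for appliances still below that release. The script below is an added example, not Bitdefender's or Device42's code; it assumes version strings in the dotted "MAJOR.MINOR.PATCH" form the article uses, and the inventory records in it are constructed. Unparseable versions are flagged for review rather than treated as safe.

```python
"""Flag Device42 appliances still below the fixed release (18.01.00).

Added example; not Bitdefender's or Device42's code. Assumes version
strings in the dotted "MAJOR.MINOR.PATCH" form used in the article
(e.g. "18.01.00"); the inventory records below are constructed.
"""
from __future__ import annotations

import re
from typing import Iterable

FIXED_VERSION = "18.01.00"  # first release the article states closes the vulnerabilities

# Accepts "18.01.00", "18.1", "v18.1.0"; leading zeros are harmless because parts become ints.
_VERSION_RE = re.compile(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '18.01.00' into (18, 1, 0). Missing minor/patch parts count as 0.

    Raises ValueError on anything else, so bad inventory data is surfaced
    instead of silently comparing as 'up to date'.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(part or 0) for part in m.groups())
    return (major, minor, patch)


def needs_update(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the running version is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def vulnerable_hosts(inventory: Iterable[dict]) -> list[str]:
    """Return hostnames whose 'version' is below the fix.

    Hosts with a missing or unparseable version are also returned: they need
    a manual look, and silently skipping them would hide exposed appliances.
    """
    flagged: list[str] = []
    for rec in inventory:
        try:
            if needs_update(rec["version"]):
                flagged.append(rec["host"])
        except (KeyError, ValueError):
            flagged.append(rec.get("host", "<unknown>"))
    return flagged


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    {"host": "d42-prod.example.internal", "version": "18.01.00"},    # at the fix
    {"host": "d42-staging.example.internal", "version": "17.05.00"}, # below the fix
    {"host": "d42-lab.example.internal", "version": "v18.1"},        # same as 18.01.00
    {"host": "d42-old.example.internal", "version": "unknown"},      # unparseable
]

if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"update required or version unverifiable: {host}")
```

Run it against an export of your own asset list (any iterable of dicts with `host` and `version` keys); the sample above yields the staging appliance and the host with the unreadable version, while the production appliance at 18.01.00 and the lab host at "v18.1" are not flagged.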