
Researchers on Friday disclosed a number of vulnerabilities in the SureMDM device management platform marketed by India-based company 42 Gears that, when combined, could allow attackers to launch a supply chain attack on the platform.

In a blog post, researchers at Immersive Labs said the vulnerabilities affected the platform’s web console and its Linux agent. At least one of the vulnerabilities was considered critical, and the researchers said 42 Gears released a series of updates between November 2021 and January 2022.

According to the Immersive Labs researchers, the more concerning set of vulnerabilities was the one affecting the web console. These vulnerabilities could have let an attacker gain code execution over individual devices, desktops or servers using the SureMDM web dashboard. By chaining the vulnerabilities affecting the web console together, an attacker could disable security tools and install malware or other malicious code onto every Linux, macOS or Android device with SureMDM installed.

The industry has seen more and more attackers focusing their effort on supply chain attacks as a way of amplifying their impact, with one recent example being Kaseya, said Jossef Harush, director of supply chain engineering at Checkmarx.

“We believe that the volume of supply chain attacks will increase in the upcoming years,” Harush said. “Vendors that provide such software should make the maximum effort to prevent those kinds of vulnerabilities, utilizing static analysis tools in the SDLC process.”

The vulnerabilities discovered in the 42 Gears SureMDM cloud-based device management solution by researchers at Immersive Labs are a big deal, said Casey Bisson, head of product growth at BluBracket. Bisson said individually, they are all problematic, but collectively they constitute a very serious risk for users. Additionally, Bisson said the workflow that led to a team building and shipping an app with so many vulnerabilities is particularly worrisome, even if we do not yet know the widespread impact of the vulnerabilities.

“Vulnerabilities like these are the unfortunate byproduct of the speed with which software is developed and shipped,” Bisson said. “It’s easy to criticize each of them as obvious or easy to avoid with good engineering, but the reality is that many of these types of vulnerabilities are fairly common. Organizations have no idea what risks they have in their code because they don’t scan for them. There’s a systemic breakdown of processes and the application of key technologies that are allowing these vulnerabilities to get to market.”

42 Gears has become widely enough used to attract the attention of Immersive Labs, which is the most relevant data point here, said Casey Ellis, founder and CTO at Bugcrowd. Ellis said these vulnerabilities look to be fairly impactful, but what’s interesting is the amount of cooperation and collaboration in the timeline.

“Ideally, software would be perfect — but we know this isn’t always the case,” Ellis said. “After all, humans are responsible for writing it. The timeline and associated narrative demonstrates openness from 42 Gears in responding to external security feedback, and highly organized and professional conduct from Immersive Labs to ensure their research — and the subsequent protection of the users of 42 Gears — was as complete and conducted in as safe a manner as possible.”