Code injection via device inventory?

mister_kanister · May 29, 2024, 1:11pm

Good Day, Friends!

I’m working on an mender artifact that will extend the device inventory. It is a more general question about security because I do not understand the implications.

Via --type script update module I have create an inventory file on the fly.

# realpath mender-inventory-basic-info 
/usr/share/mender/inventory/mender-inventory-basic-info
# cat /usr/share/mender/inventory/mender-inventory-basic-info
#!/bin/sh
echo 'uptime'=$(uptime -p)
echo 'uptime_date'=$(uptime -s)

Our devices are not temper proof and can be modified by the “customer” as they please.

To which risks is the mender backend exposed in such a case?
Is it possible to perform code injection with device inventory info?
Assume the customer modified the device inventory in such a way that it will produce malicious mongodb queries that will attack the backend. How realistic is this?

It is a more theoretical discussion.

TheYoctoJester · June 3, 2024, 3:22pm

Hi @mister_kanister,

Interesting question! Thinking a bit about it, the question expands to: “what if an attacker controls an authenticated device?”. As far as I know, at some point API throttling will occur, but maybe @kjaskiewiczz can share some more information.

Greets,
Josef

Topic		Replies	Views
Inventory update after accepting a device General Discussions	8	572	April 14, 2023
Pushing variables from server to client General Discussions	6	739	October 5, 2020
Apply a deployment for a specific device General Discussions api , mender-client , management-api	0	40	June 12, 2024
Removing inventory attribute General Discussions	2	206	August 9, 2023
[opinion] modifications to the Device groups attributes General Discussions	4	632	March 27, 2020

Code injection via device inventory?

Related Topics