N-able Ecosystem Agent Improper Certificate Validation
======================================================

The latest version of this advisory is available at:
https://sintonen.fi/advisories/n-able-ecosystem-agent-improper-certificate-validation.txt

Product:  N-able Ecosystem Agent V4 agent version 4.1.5.2597 or earlier,
          V5 agent version 5.1.3.2599 or earlier.
Severity: Critical
Type:     Improper Certificate Validation
CVE:      CVE-2024-5445
Credits:  This vulnerability was discovered by Harry Sintonen

Description
-----------

The N-able N-central Remote Monitoring and Management (RMM) solution uses
various components running on the endpoint host system to provide its
services. One of these is the N-able Ecosystem Agent. This privileged agent
runs on the host system, delivering various integration services.

The N-able Ecosystem Agent's communication towards the N-central server is
improperly protected. The communication employs HTTPS with Transport Layer
Security (TLS). However, the certificate validation is performed
incorrectly. An attacker in a privileged network position can perform
Attacker in The Middle attacks against the connections and tamper with the
communications.

During normal operation the Ecosystem Agent communicates with the N-central
server to perform an update check. The attacker performing the Attacker in
The Middle attack can tamper with the Ecosystem Agent update check in a way
that triggers the victim host system to download and execute arbitrary
code. The code is executed as the privileged SYSTEM user. This results in
full compromise of the target host system.

No user interaction is required, and the attack is invisible to the victim.
The attack can be performed at any network position between the victim
client and the N-central server. A typical low-effort attack scenario would
involve running a rogue access point that performs the attack. More
advanced exploitation is possible by actors with privileged access to
networking equipment.

Details
-------

HTTPS Transport Layer Security (TLS) depends on validation of trust. It is
not enough merely to encrypt the communication towards a server; the client
must also confirm the identity of the peer. The authentication aspect of
HTTPS requires a trusted third party to sign server-side digital
certificates. The HTTPS client must verify the authenticity of the server
certificate to ensure secure communication.

CWE-295: Improper Certificate Validation in N-able Ecosystem Agent
------------------------------------------------------------------

The N-able Ecosystem Agent server certificate validation is insufficient.
Since the authenticity of the server certificate is not validated
correctly, a third party in a privileged network position can tamper with
the communication between the client and the server.

As a result, an attacker in a privileged network position (any point
between the Ecosystem Agent and the N-central server) can perform an
Attacker in The Middle attack.

The communication between the Ecosystem Agent and the N-central server
contains configuration information about Ecosystem Agent software updates
that can be tampered with. By modifying the version information and
download location within these communications, the Ecosystem Agent can be
tricked into downloading and executing attacker-provided code as the SYSTEM
user. No user interaction is required, and the attack is invisible to the
victim.

Proof of Concept
----------------

While a working Proof-of-Concept exploit for this vulnerability was
developed, this information is not released.

Recommendations
---------------

After reporting this vulnerability, N-able released updated Ecosystem Agent
versions that address the vulnerability.
There are two different release series of the agent, v4 and v5, and the fix
is included in them as follows:

- v5 release series: 5.1.4.2473 or later
- v4 release series: 4.1.5.2642 or later

It is highly recommended to update all installations to these versions (or
later if available).

Timeline
--------

2023-09-28  Vulnerability reported to N-able.
2024-01-30  N-able releases N-central 2023.9 HF1, stopping unnecessary
            Ecosystem Agent installations and thus limiting the impact.
2024-03-22  N-able releases Ecosystem Agent 5.1.4.2473.
2024-05-23  N-able releases Ecosystem Agent 4.1.5.2642.
2024-08-12  Challenged the N-able CVE-2024-5445 CVSS score of 3.8, as such
            an incorrectly low score can dissuade users from installing the
            update in a timely manner.
2024-08-20  N-able claims that "The vulnerability reported does not
            constitute an RCE, the Ecosystem agent is designed to run
            installation packages in a privileged context and the agent is
            doing what it should do when it receives such packages to
            install over the APIs."
2024-09-30  Released this advisory.
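Added example (not part of the original advisory and not N-able tooling): a
triage helper that classifies agent versions from an inventory export
against the affected and fixed versions listed under Product and
Recommendations. The status names, the function names and the sample
inventory are assumptions made for illustration.

```python
import re

# (last version listed as affected, first version listed as fixed),
# both taken from the advisory text.
SERIES = {
    4: ((4, 1, 5, 2597), (4, 1, 5, 2642)),
    5: ((5, 1, 3, 2599), (5, 1, 4, 2473)),
}

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a dotted a.b.c.d version."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(version_text):
    """Map an agent version string to a triage status for CVE-2024-5445."""
    v = parse_version(version_text)
    if v is None or v[0] not in SERIES:
        return "unknown"          # unparsable, or a series the advisory does not cover
    affected_max, fixed_min = SERIES[v[0]]
    # Tuples compare field by field, so 5.1.4.2473 sorts above 5.1.3.2599
    # even though its build number (2473) is lower than 2599.
    if v >= fixed_min:
        return "fixed"
    if v <= affected_max:
        return "vulnerable"
    # Between the two listed versions the advisory states nothing;
    # assumption: flag the host for update rather than treat it as safe.
    return "unlisted-update"

def triage(inventory):
    """inventory: iterable of (hostname, version). Returns hosts that need action."""
    rows = [(host, ver, classify(ver)) for host, ver in inventory]
    return sorted(r for r in rows if r[2] != "fixed")

# Constructed sample inventory; hostnames are made up.
SAMPLE = [
    ("ws-001", "4.1.5.2597"),
    ("ws-002", "4.1.5.2642"),
    ("ws-003", "5.1.3.2599"),
    ("ws-004", "5.1.4.2473"),
    ("ws-005", "5.1.4"),
    ("ws-006", "4.1.5.2600"),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE):
        print(f"{host}\t{ver}\t{status}")
```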