Security Advisory for Windows MDM Agent
  • 18 Jan 2024

Introduction

As part of Scalefusion’s vulnerability disclosure program, we encourage third-party developers, testers and security researchers to perform security testing and report/disclose issues to us. We actively work with such reporters and resolve the issues according to their priority and classification.

As part of this process, we were recently notified of an issue in the Scalefusion Windows MDM Agent. While we were actively working on resolving the problem, the researcher publicly disclosed the issue. Apart from the reported matter, four additional issues were disclosed without prior reporting.

We treat our Vulnerability Disclosure Program (VDP) with utmost seriousness and expect researchers to adhere to Responsible Disclosure practices. It is our duty to transparently communicate these vulnerabilities and outline the measures taken to address them.

List of CVEs reported

  • CVE-2023-51751: ScaleFusion 10.5.2 does not properly limit users to the Edge application because Alt-F4 can be used.

  • CVE-2023-51750: ScaleFusion 10.5.2 does not properly limit users to the Edge application because file downloads can occur.

  • CVE-2023-51749: ScaleFusion 10.5.2 does not properly limit users to the Edge application because a search can be made from a tooltip.

  • CVE-2023-51748: ScaleFusion 10.5.2 does not properly limit users to the Edge application because Ctrl-O and Ctrl-S can be used.

  • CVE-2023-50159: In ScaleFusion (Windows Desktop App) agent v10.5.2, Kiosk mode application restrictions can be bypassed, allowing arbitrary code to be executed.

Our Analysis of the Findings

As per our analysis, these issues were either the result of misconfiguration or, in certain cases, documented known limitations. Here is a description of them:

Ability to Open File Explorer:

  1. Issue Description: The findings share a common outcome, i.e., being able to open File Explorer when Multi-App Kiosk mode is configured on a device enrolled only via the Scalefusion MDM Agent.

  2. Root Cause: In Multi-App Kiosk mode, blocking File Explorer degrades the user experience, because certain allowed apps require File Explorer in order to launch and would be blocked along with it. For this reason, as a design choice, File Explorer was added to the default list of allowed apps.

  3. Fix: However, taking cognizance of the reported issue, we have now blocked File Explorer by default.

  4. Solution/Recommendation: Please update to the latest version of Scalefusion MDM Agent.

  5. Availability of the Fix:

    1. Released on December 1, 2023.

    2. Scalefusion MDM Agent version: 10.5.6 / 10.5.7

  6. Impact of the Fix: In your deployments, if you have allowed applications that require File Explorer, please add File Explorer as an allowed app in the Device profile.

Ability to open non-allowed Websites

  1. Issue Description: The researcher was able to open websites that are not allowed.

  2. Root Cause: The allow/block websites feature is provided by modern management. Since the device was enrolled only via the Scalefusion MDM Agent and modern management was not enabled, the researcher was able to browse websites that were not allowed.

  3. Fix: No fixes were made on our side, as this was a misconfiguration issue.

  4. Solution/Recommendation: Scalefusion offers ADMX configurations for Google Chrome and Microsoft Edge that allow IT Admins to set browsing policies. This requires the device to be managed via modern management, which can be achieved either during enrollment via Browser/Autopilot or via Agent-driven enrollment.

Please refer to our enrollment documents and how to configure Browser policies to harden your device profile and policies.

Summary and recommendations

Below are our recommendations on the findings:

  1. CVE-2023-51751, CVE-2023-51748, and CVE-2023-50159: These issues were fixed in Scalefusion Windows agent version 10.5.7 by preventing File Explorer from being launched in Agent-based Multi-App and Single App Kiosk mode.

  2. CVE-2023-51750 and CVE-2023-51749: These were not found to be exploitable when the default Windows device profile configuration is used, which utilizes modern management with website allow-listing rules.

Hence, users are requested to use an up-to-date version of the Scalefusion MDM Agent application from the Enterprise store.
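Both recommendations above come down to two conditions an administrator can verify on an endpoint: the installed agent is at or above the version that blocks File Explorer in Kiosk mode, and browser URL allow/block policies have actually been applied through modern management rather than assumed from an agent-only enrollment. The following PowerShell audit is an added example, not Scalefusion’s code or documentation. It assumes the agent registers in the standard Windows Uninstall registry hive with a DisplayName containing "Scalefusion" (that name pattern is an assumption; adjust it if your installation differs), and it reads the URLAllowlist and URLBlocklist policy keys that the Microsoft Edge and Google Chrome ADMX templates populate under HKLM\SOFTWARE\Policies.

```powershell
# Added example (not Scalefusion's code): audit an endpoint for the two
# conditions in this advisory. Run in an elevated PowerShell session.

# Version named in the advisory as carrying the File Explorer fix.
$MinimumAgentVersion = [version]'10.5.7'

function Get-ScalefusionAgentVersion {
    # Assumption: the agent appears in the standard Uninstall hive with a
    # DisplayName containing "Scalefusion". Returns $null if not found.
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Scalefusion*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Get-UrlPolicyEntryCount {
    param([string]$KeyPath)
    # Edge/Chrome list policies are stored as one registry value per URL
    # pattern (named "1", "2", ...). Missing key means the policy is absent.
    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return 0 }
    return $key.GetValueNames().Count
}

function Test-BrowserUrlPolicy {
    param([string]$Browser, [string]$PolicyRoot)
    $allow = Get-UrlPolicyEntryCount -KeyPath "$PolicyRoot\URLAllowlist"
    $block = Get-UrlPolicyEntryCount -KeyPath "$PolicyRoot\URLBlocklist"
    [pscustomobject]@{
        Browser        = $Browser
        AllowEntries   = $allow
        BlockEntries   = $block
        # A kiosk that should be confined to allowed sites needs both a
        # blocklist (typically "*") and an allowlist of permitted URLs.
        PolicyApplied  = ($allow -gt 0 -and $block -gt 0)
    }
}

# 1. Agent version check (CVE-2023-51751 / -51748 / -50159 recommendation)
$installed = Get-ScalefusionAgentVersion
if ($null -eq $installed) {
    Write-Output 'Scalefusion agent not found in Uninstall hive (check the name pattern).'
} elseif ([version]$installed -lt $MinimumAgentVersion) {
    Write-Output "Agent $installed is below $MinimumAgentVersion; File Explorer may still be allowed in Kiosk mode."
} else {
    Write-Output "Agent $installed meets the minimum version $MinimumAgentVersion."
}

# 2. Browser policy check (CVE-2023-51750 / -51749 recommendation)
$results = @(
    Test-BrowserUrlPolicy -Browser 'Edge'   -PolicyRoot 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    Test-BrowserUrlPolicy -Browser 'Chrome' -PolicyRoot 'HKLM:\SOFTWARE\Policies\Google\Chrome'
)
$results | Format-Table -AutoSize

if (-not ($results | Where-Object PolicyApplied)) {
    Write-Output 'No browser URL allow/block policy is applied: the device is likely agent-only enrolled without modern management.'
}
```

A device that shows an agent at 10.5.7 or later but zero policy entries for the browser used in the kiosk profile matches the misconfiguration the advisory describes: the agent-side fix is present, but the website allow-listing that comes only from modern management has not been pushed to the device.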

If you have any follow-up questions or need further clarification, please feel free to reach out to support@scalefusion.com and we will be happy to assist.