Mule Enterprise Management Console Security Update
Released Oct 22, 2014
Earlier today, a potential security vulnerability in Mule Enterprise Management Console (MMC) was brought to our attention by Packet Storm, an independent cloud security firm.
Mule Enterprise Management Console (MMC) enables granular management of run time resources such as servers, clusters, flows, and end-points. With MMC, MuleSoft customers have visibility and control over SLAs, service level metrics and runtime performance. MMC also enables authenticated users to take administrative actions such as providing role-based access for additional users and controlling resources remotely.
"MuleSoft ESB Runtime 3.5.1 allows any arbitrary authenticated user to create an administrator user due to a lack of permissions check in the handler/securityService.rpc endpoint. The following HTTP request can be made by any authenticated user, even those with a single role of Monitor."
The vulnerability allows an authenticated user to elevate their privileges by issuing a specially crafted request to MMC console to add a new user, with administrative privileges. It originates from the code governing the addition of new users, which misses a credentials validation check.
|The title of the blog post and reference to Mule ESB 3.5.1 are misleading in that the only product affected is MMC. The vulnerability does not otherwise affect Mule ESB 3.5.1.|
This vulnerability requires successful user authentication. MMC is typically used by administrators and in an administrative context, and not by regular users.
MMC is normally deployed in a secure network segment, accessible only to trusted users. This exploit requires that an internal user, previously granted legitimate access (“trusted user”), launch the attack.
MuleSoft has identified the source code in the MMC product that produces this vulnerability, and is developing a patch to fix the issue.
MuleSoft has identified the source code in the MMC product that produces this vulnerability, and has already created a hot fix for the issue. This hot fix can now be downloaded from the customer portal.
Customers may eliminate all non-admin users from their MMC implementation until a patch is available. Information on how to remove MMC users can be found here: