Full Report
Applications built with Mendix Runtime V9.3 or later could allow users with the capability to manage a role to elevate the access rights of users holding that role. Successful exploitation requires guessing the ID of a target role that carries the elevated access rights. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Improper Privilege Management in Mendix Runtime
## CVE Details
- CVE ID: CVE-2024-33500
- CVSS Score: 5.9 (CVSS v3.1, Medium); 7.4 (CVSS v4.0, High)
- CWE: CWE-269: Improper Privilege Management
## Affected Systems
- Products: Mendix applications built with Mendix Runtime
- Versions:
  - Mendix 9: all versions >= V9.3.0 and < V9.24.22
  - Mendix 10: all versions < V10.11.0
  - Mendix 10 (V10.6 branch): all versions < V10.6.9
- Configurations: any application built with one of the vulnerable Mendix Runtime versions
## Vulnerability Description
The vulnerability exists in applications built with Mendix Runtime versions >= V9.3. A user who holds the capability to "manage a role" can potentially elevate the access rights of users belonging to that role. The attacker does not need to be allowed to manage the target role itself: exploitation hinges on supplying the correct internal ID of a role that carries the desired elevated rights. Because the attacker is not expected to know that ID, it has to be guessed, which is why the advisory rates attack complexity as high.
## Exploitation
- Status: The summary does not report exploitation in the wild and does not point to a public proof of concept.
- Complexity: High (CVSS AC:H). The attacker must already hold role-management rights in the application and must guess the internal ID of a role that carries the elevated rights.
- Attack Vector: Network (AV:N); the role-management function is reached through the application like any other runtime action.
## Impact
- Confidentiality: High (C:H in CVSS 3.1 vector)
- Integrity: High (I:H in CVSS 3.1 vector)
- Availability: None (A:N in CVSS 3.1 vector)
## Remediation
### Patches
Users must update to the following minimum versions:
- For Mendix 9: Update to **V9.24.22** or later.
- For Mendix 10 (General): Update to **V10.11.0** or later.
- For Mendix 10 (V10.6 branch): Update to **V10.6.9** or later.
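The version ranges above are easy to get wrong in an inventory check, because V10.6.9 is fixed even though it is below V10.11.0. The following checker is an added example, not code from Siemens or Mendix; it encodes only the affected and fixed ranges listed in this summary and treats everything outside those ranges (older than V9.3.0, other major versions) as not affected by this CVE. The version-string format (optional `V` prefix, three components, optional fourth build component) is an assumption for the example.

```python
"""Affected-version check for CVE-2024-33500 (Mendix Runtime).

Ranges as listed in the advisory summary:
  Mendix 9:  >= 9.3.0 and < 9.24.22        -> affected
  Mendix 10: < 10.11.0                     -> affected, except
             the 10.6 branch, which is fixed from 10.6.9
Anything else is treated as not affected by this particular CVE.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Assumed format: optional 'V', major.minor.patch, optional build number.
_VERSION_RE = re.compile(r"^[vV]?(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse 'V10.6.8', '10.6.8' or '9.24.22.12345' into (major, minor, patch).

    A fourth build component does not matter for the advisory's ranges,
    so it is accepted and ignored.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Mendix version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(text: str) -> bool:
    """True if the runtime version falls inside a vulnerable range."""
    v = parse_version(text)
    if v[0] == 9:
        return (9, 3, 0) <= v < (9, 24, 22)
    if v[0] == 10:
        if v[1] == 6:                 # 10.6 maintenance branch has its own fix
            return v < (10, 6, 9)
        return v < (10, 11, 0)
    return False


def minimum_fix(text: str) -> Optional[str]:
    """Smallest fixed version on the same branch, or None if not affected."""
    if not is_affected(text):
        return None
    v = parse_version(text)
    if v[0] == 9:
        return "V9.24.22"
    if v[1] == 6:
        return "V10.6.9"
    return "V10.11.0"


if __name__ == "__main__":
    # Constructed inventory of runtime versions, one per deployed app.
    inventory = {"crm": "V9.18.4", "portal": "10.6.8", "hr": "10.6.9", "intranet": "V10.9.0"}
    for app, version in inventory.items():
        fix = minimum_fix(version)
        status = f"UPDATE to {fix}" if fix else "ok"
        print(f"{app:10s} {version:10s} {status}")
```

Apps on 10.7 through 10.10 are reported as needing V10.11.0, since the 10.6.9 fix only applies to the 10.6 branch; apps below 10.6 are also pointed at V10.11.0, although moving to the 10.6 branch at V10.6.9 or later would remediate as well.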
### Workarounds
If updating is not immediately possible, the summary lists one temporary mitigation:
* Set the runtime setting `StrictReferenceChecks` to **false**. _Warning: this weakens the runtime's reference checks and is not a substitute for the update; revert it once the application has been rebuilt with a fixed Runtime version._
## Detection
- The advisory provides no indicators of compromise.
- Detection therefore has to come from the application's own audit trail. A role assignment performed by a role-manager that falls outside the set of roles that manager is allowed to manage is the direct sign of exploitation. Because the attacker has to guess the target role's ID, a burst of failed role assignments with varying role IDs from a single account is the likely precursor and should be alerted on as well.
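The two detection heuristics above, run over a constructed audit log, as an added example (not Siemens or Mendix code). The log format is an assumption for the example: one JSON object per line with a timestamp, the acting user, the action, the target user, the requested role ID and the outcome. Mendix applications do not emit this exact format, and the mapping of role-managers to the roles they may assign (`MANAGEABLE_ROLES`) is likewise a stand-in for the application's real security configuration; adapt both to whatever role-management audit trail the application records.

```python
"""Detection heuristics for the role-escalation pattern described for
CVE-2024-33500, run over a constructed JSON-lines audit log.

Assumed (not real Mendix) event fields: ts, actor, action, target_user,
role_id, result.  result == "ok" means the assignment took effect.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# Which roles each role-manager is legitimately allowed to assign.
# Stand-in for the application's security configuration.
MANAGEABLE_ROLES: Dict[str, Set[str]] = {
    "helpdesk.bob": {"role-viewer", "role-editor"},
    "hr.carol": {"role-employee"},
}

# Constructed sample audit lines (not real Mendix output).
SAMPLE_LOG = """\
{"ts": "2024-06-12T09:00:01Z", "actor": "helpdesk.bob", "action": "assign_role", "target_user": "dave", "role_id": "role-editor", "result": "ok"}
{"ts": "2024-06-12T09:00:07Z", "actor": "helpdesk.bob", "action": "assign_role", "target_user": "dave", "role_id": "4f1c9a", "result": "not_found"}
{"ts": "2024-06-12T09:00:09Z", "actor": "helpdesk.bob", "action": "assign_role", "target_user": "dave", "role_id": "4f1c9b", "result": "not_found"}
{"ts": "2024-06-12T09:00:12Z", "actor": "helpdesk.bob", "action": "assign_role", "target_user": "dave", "role_id": "4f1c9c", "result": "not_found"}
{"ts": "2024-06-12T09:00:15Z", "actor": "helpdesk.bob", "action": "assign_role", "target_user": "dave", "role_id": "role-administrator", "result": "ok"}
{"ts": "2024-06-12T09:30:00Z", "actor": "hr.carol", "action": "assign_role", "target_user": "erin", "role_id": "role-employee", "result": "ok"}
"""

GUESS_WINDOW = timedelta(minutes=5)
GUESS_THRESHOLD = 3  # distinct failed role IDs per actor within the window


def parse_events(lines: Iterable[str]) -> List[dict]:
    """Parse JSON lines into event dicts with a datetime timestamp."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_out_of_scope_assignments(events: List[dict]) -> List[dict]:
    """Successful assignments of a role the actor may not manage.

    Each hit is the escalation itself: a role-manager attached a role
    outside its managed set to a user.  Alert on every one, regardless
    of volume.
    """
    hits = []
    for ev in events:
        if ev["action"] != "assign_role" or ev["result"] != "ok":
            continue
        if ev["role_id"] not in MANAGEABLE_ROLES.get(ev["actor"], set()):
            hits.append(ev)
    return hits


def find_role_id_guessing(events: List[dict]) -> Dict[str, List[str]]:
    """Actors that try several distinct role IDs that fail, within GUESS_WINDOW.

    Exploitation requires guessing the target role's ID, so this burst
    is the precursor signal.  Returns {actor: sorted role IDs tried}.
    """
    failed: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        if ev["action"] == "assign_role" and ev["result"] != "ok":
            failed[ev["actor"]].append(ev)

    suspects: Dict[str, List[str]] = {}
    for actor, evs in failed.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= GUESS_WINDOW]
            ids = sorted({e["role_id"] for e in window})
            if len(ids) >= GUESS_THRESHOLD:
                suspects[actor] = ids
                break
    return suspects


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    for hit in find_out_of_scope_assignments(evs):
        print(f"ESCALATION {hit['ts']} {hit['actor']} gave {hit['target_user']} {hit['role_id']}")
    for actor, ids in find_role_id_guessing(evs).items():
        print(f"GUESSING   {actor} tried {len(ids)} role IDs: {', '.join(ids)}")
```

On the sample data the first heuristic flags the `role-administrator` assignment by `helpdesk.bob`, and the second flags the same account for the three failed attempts with unknown IDs in the preceding seconds. The window and threshold are tuning knobs; a real role-manager occasionally mistypes, so start with a threshold that tolerates a couple of errors and lower it once the baseline is known.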
## References
- Siemens Security Advisory SSA-540640 (published 2024-06-11): https://cert-portal.siemens.com/productcert/html/ssa-540640.html