At NinjaOne, we have always viewed security as a core responsibility not just to our partners, but to the greater tech community at large. We welcome and value opportunities to collaborate in security efforts, and at this time we’re able to share details of one such effort involving NinjaOne, EXEMSI, and security firm Improsec A/S.
On January 25, 2021, I received details from Improsec researcher Martin Sohn Christensen regarding a discovery he made on January 13, 2021. He explained that, while working on behalf of a NinjaOne customer, he had identified a local privilege escalation vulnerability within the NinjaOne Agent installer (CVE-2021-26273). Subsequently, on January 23, he made a related finding involving insufficient configuration directory permissions for a temporary directory created during the Ninja agent installation (CVE-2021-26274).
We immediately investigated, and once verified, began working to remediate both vulnerabilities. We quickly identified that the source of the privilege escalation vulnerability resided in the use of the third-party EXEMSI MSI Wrapper utility. With this knowledge, our team was able to develop a NinjaOne Agent hotfix for our partners (version 220.127.116.11) that would block possible exploitation of both vulnerabilities, and deployed it to all partners on January 28, 2021.
At the same time, we also contacted EXEMSI to discuss the broader impact to their customer base, and collaborated with the team at EXEMSI to help them investigate and remediate the issue on their end.
On February 21, EXEMSI officially released version 10.0.50, which mitigated the vulnerability for the rest of their customer base by employing:
- restrictive permission on temporary directories used during an installation process
- checksum validations for any/all key(s) residing in installer temp directories
- stronger hashing algorithms and random seed values
Mr. Christensen, EXEMSI, and the Ninja team agreed to coordinate efforts and disclosures to allow for the rollout of that update and potential troubleshooting across the very large EXEMSI Wrapper user base. That agreed-upon time has now passed.
In closing, we can report that there are no known exploitations of these vulnerabilities in the wild.
We are thankful to Mr. Christensen/Improsec A/S for notifying us of his finding, and we are extremely happy with the collaboration and effort with him as well as with EXEMSI CEO Jacob Rasmussen and his team. Achieving security is a moving target and often a collaborative effort. Improvements to each of us benefits us all, collectively, and this is a great example of how we are stronger when we work together.
In addition, after learning that Mr. Christensen had initially contacted our sales team on January 18, we have made improvements to our own internal processes and communications in order to ensure faster handoffs and redirection to our privacy team (reachable at [email protected]). We will never consider our security efforts fully finished, and will always appreciate and jump at any opportunity to improve.
To confirm, researchers can also use the security.txt standard for reporting any security findings: