We’ve released Headwind MDM 5.39.2. In this release, we fixed a vulnerability in a device registration method that allowed attackers to register unsolicited devices on self-hosted installations with default security settings, and a less critical stored XSS issue in the Files section. If you have a self-hosted installation, please update.

Security Update: Headwind MDM 5.39.2

Unauthorized device registration

The vulnerability was in a specific device registration method. It allowed an attacker to bypass the authorization check on that endpoint and register unsolicited devices into a self-hosted Headwind MDM environment. Installations with default security settings (non-elevated) are affected. On installations with elevated security settings enabled, we couldn’t reproduce the attack, but we still recommend updating to the current version.

Stored XSS in the Files section

A lower-severity issue was also fixed: a registered user with file upload rights could place an executable script in the Files section, and this script would then execute in another user’s browser. A classic stored XSS, documented by OWASP: https://owasp.org/www-community/attacks/xss/. The impact is lower than the device registration issue because exploitation requires an authorized user with upload rights. The issue has been fixed in the same release.

Who should update

Everyone with a self-hosted Headwind MDM installation below version 5.39.2. Cloud customers are already on the patched version and need to take no action.

How to update

Open the admin panel, go to Settings, Check for updates, and follow the instructions. Full instructions are at Headwind MDM update.

Questions? Reach out through our contact form and we’ll help.
