NinjaOne January Hotfix and February EXEMSI Update Addressed CVE-2021-26273 and CVE-2021-26274

NinjaOne logo

At NinjaOne, we have always viewed security as a core responsibility not just to our partners, but to the greater tech community at large. We welcome and value opportunities to collaborate in security efforts, and at this time we’re able to share details of one such effort involving NinjaOne, EXEMSI, and security firm Improsec A/S

On January 25, 2021, I received details from Improsec researcher Martin Sohn Christensen regarding a discovery he made on January 13, 2021. He explained that, while working on behalf of a NinjaOne customer, he had identified a local privilege escalation vulnerability within the NinjaOne Agent installer (CVE-2021-26273). Subsequently, on January 23, he made a related finding involving insufficient configuration directory permissions for a temporary directory created during the Ninja agent installation (CVE-2021-26274). 

We immediately investigated, and once verified, began working to remediate both vulnerabilities. We quickly identified that the source of the privilege escalation vulnerability resided in the use of the third-party EXEMSI MSI Wrapper utility. With this knowledge, our team was able to develop a NinjaOne Agent hotfix for our partners (version 5.0.4.0) that would block possible exploitation of both vulnerabilities, and deployed it to all partners on January 28, 2021. 

At the same time, we also contacted EXEMSI to discuss the broader impact to their customer base, and collaborated with the team at EXEMSI to help them investigate and remediate the issue on their end. 

On February 21, EXEMSI officially released version 10.0.50, which mitigated the vulnerability for the rest of their customer base by employing:

  • restrictive permission on temporary directories used during an installation process
  • checksum validations for any/all key(s) residing in installer temp directories
  • stronger hashing algorithms and random seed values

Mr. Christensen, EXEMSI, and the Ninja team agreed to coordinate efforts and disclosures to allow for the rollout of that update and potential troubleshooting across the very large EXEMSI Wrapper user base. That agreed-upon time has now passed.  

In closing, we can report that there are no known exploitations of these vulnerabilities in the wild.

We are thankful to Mr. Christensen/Improsec A/S for notifying us of his finding, and we are extremely happy with the collaboration and effort with him as well as with EXEMSI CEO Jacob Rasmussen and his team. Achieving security is a moving target and often a collaborative effort. Improvements to each of us benefits us all, collectively, and this is a great example of how we are stronger when we work together. 

In addition, after learning that Mr. Christensen had initially contacted our sales team on January 18, we have made improvements to our own internal processes and communications in order to ensure faster handoffs and redirection to our privacy team (reachable at [email protected]). We will never consider our security efforts fully finished, and will always appreciate and jump at any opportunity to improve.

To confirm, researchers can also use the security.txt standard for reporting any security findings: 

Next Steps

Building an efficient and effective IT team requires a centralized solution that acts as your core service deliver tool. NinjaOne enables IT teams to monitor, manage, secure, and support all their devices, wherever they are, without the need for complex on-premises infrastructure.

Learn more about NinjaOne Endpoint Management, check out a live tour, or start your free trial of the NinjaOne platform.

You might also like

Ready to simplify the hardest parts of IT?
×

See NinjaOne in action!

By submitting this form, I accept NinjaOne's privacy policy.

NinjaOne Terms & Conditions

By clicking the “I Accept” button below, you indicate your acceptance of the following legal terms as well as our Terms of Use:

  • Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
  • Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
  • Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library belonging to or under the control of any other software provider.
  • Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
  • Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
  • Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
  • EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).