42Gears Security and Compliance Standards

overview Certifications Regulatory Compliance STAR Registry Listing Data We Collect Required App Permissions Data Security and Security Practices Product Security Policies of 42Gears Security Advisories Security Response Center

overview

Security is a major concern of all organizations. At 42Gears, we are dedicated to ensuring security and abiding by regulatory compliance requirements.

Certifications

Certifications:

ISO/IEC 27001:2013

42Gears has been certified by the global Information Security Management System (ISMS) certification, ISO/IEC 27001. ISMS is a framework of procedures and policies that includes all technical, legal, and physical controls involved in a company’s information risk management process.

Download ISO 27001 Certificate

Benefits of ISO 27001:

Compliance with commercial, contractual, and legal responsibilities
Improving processes and strategies
Preventing fines and loss of reputation
Retaining customers and winning new businesses

Information Commissioner's Office

The Information Commissioner's Office is an independent authority to uphold information rights in the interest of the public and data privacy for individuals in the UK.
The Data Protection Regulations 2018 requires organisations who process Personal Information to register with Information Commissioner's Office

You may view 42Gears ICO registration here.

SOC 2 Type II Report

A SOC 2 Type II audit reports on controls at a service organization that are relevant to security, availability, processing integrity, confidentiality, and privacy. Conducted by an independent service auditor, this audit evaluates the design, implementation, and effectiveness of the controls 42Gears has put in place for its products SureMDM, SureLock, SureFox, SureVideo, and AstroContacts.

During the audit period, tests of controls were performed on controls as they existed and were applied to those controls relating to in-scope trust services criteria. The audit covered all the controls pertaining to the confidentiality, integrity, and availability of 42Gears. The report inspires trust and confidence in the company by showing that it is committed to the security of customer data.

A copy of the 42Gears SOC 2 Type II report is available under NDA. To get yours, please send a mail to sales@42gears.com.

Cyber Essentials

Cyber Essentials is a UK Government backed and industry supported scheme which provides a clear statement of basic controls that organizations should have in place to mitigate the risk from a wide range of Cyber threats. This certification assures customers that 42Gears has an understanding of the cyber security level and work towards securing the IT against cyber attack.

You may download our current certification here.

PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a collection of security standards made to protect credit and debit cardholder data against theft and fraud. It is governed by the Payment Card Industry Security Standards Council (PCI SSC). PCI certification helps businesses build trustworthy and long-lasting relationships with their customers by safeguarding sensitive data and information.

PCI DSS certification is important for businesses that process credit or debit card transactions.

The PCI Standard defines the security requirements that merchants and service providers must follow to protect cardholder data. The standard requirements are a collection of people, processes, and technical requirements covering the protection of cardholder data processing, storage, transmission, and the security aspects of associated infrastructure, network, system components, applications, SIEM, vulnerability, and penetration testing.

There are 12 different requirements under the PCI DSS to secure cardholder data. The requirement description is mentioned here.

42Gears is now PCI DSS compliant.

42Gears’ UEM deployment has been validated against all the PCI DSS requirements, and this demonstrates the company’s complete compliance with the PCI DSS.

During the assessment, the PCI QSA (qualified security assessor) verified all the applicable requirements for 42Gears’ in-scope applications, such as the SureMDM web application, SureMDM Agent, SureLock, Enterprise Agent, and SureDefense mobile applications.

42Gears has implemented all 12 requirements applicable to PCI DSS and is committed to maintaining the security and confidentiality of payment card information.

A copy of the 42Gears PCI DSS AOC is available under NDA. To get yours, please send an email to sales@42gears.com.

Regulatory Compliance

General Data Protection Regulation (GDPR)

The European Union (EU) General Data Protection Regulation (GDPR), enforceable as of May 25, 2018, imposes additional requirements upon companies to enhance the protection of personal data of EU residents. 42Gears Mobility Systems has a dedicated, core-functional team overseeing 42Gears' GDPR readiness. 42Gears has policies and procedures in place to demonstrate GDPR compliance and our sub-processors. We discuss our efforts and commitment to GDPR here.

California Consumer Privacy Act (CCPA)

If You are a California resident, You are entitled to certain rights with respect to personal information that We collect about You. Learn more about these rights and how to exercise them in our California Privacy Notice.

Questions regarding our privacy may addressed at privacy@42gears.com for any of their requests.

STAR Registry Listing

The Consensus Assessments Initiative Questionnaire (CAIQ) is a series of comprehensive questions designed by Cloud Security Alliance (CSA) to provide an insight to cloud service consumers to assess the security, privacy ,and compliance processes of a cloud service provider.

42Gears team has compiled detailed responses to over 200 items in the assessment for our SureMDM Product, as per the respective domains and successfully completed Self Assessment for the cloud services.

Download the CSA STAR Self-Assessment from CSA STAR Registry for 42Gears Mobility Systems Pvt Ltd.

Data We Collect

We capture and store the following information through our products to help our customers meet their device management objectives.

SureMDM

- Device Details- SureMDM collects Android_ID, device make, model, OS and OS version, timezone, IP address, MAC address, mobile carrier information, etc. This information is collected to identify duplicate enrollments and filter out apps that are not compatible with the Enterprise Store.
- Battery Status and Data Usage- This information is collected so that IT admins can view Charging Status in the Device Info panel and Data Usage on the Dashboard. Admins can check such details and act on them if the figures go below or above defined thresholds (there is an option for IT admins to get notified if values cross set thresholds).
- Information Collected for Company Owned Mobile Devices- SureMDM stores inventory information for each of the mobile devices managed. The following information is collected for each company owned mobile device:
  1. Hardware information, including UDID, SIM serial number, IMEI, IMEI2, MAC address, model, brand, storage information, phone number, address, Bluetooth MAC address, contact name, device local IP address, location (longitude and latitude), etc.
    The main purpose of capturing location details is to ensure that IT admins can track business devices (so it is not misused and corporate data is not leaked, in case the device is lost or stolen). Details like Bluetooth MAC Address, SIM Serial Number, etc. are mainly captured for inventory management.
  2. Operating system information like version, build number, security patch date, etc. is captured so that IT admins can keep a track and push new updates, if available.
  3. Installed apps
  4. Installed configuration profiles
  5. Information can also be collected using mobile device extension attributes, which are custom fields through which almost any type of data can be collected from company owned devices.

Note: All this data is collected mainly for asset tracking and inventory management. As these details are collected via SIM cards, any attempt to tamper or swap SIM cards can be detected and IT admins can get notified immediately about any non-compliant action. For more info please refer to the 42Gears Privacy Page.

- Information Collected from Personally-Owned Mobile Devices- SureMDM stores limited details of personally owned mobile devices. The following information can be viewed for each personally-owned mobile device:
  1. Hardware information including UDID, serial number, MAC address, model, IMEI, IMSI,brand, storage information,phone number, address, Bluetooth MAC address, contact name, device local IP address, location (longitude and latitude), etc.
    The main purpose of capturing location details is to ensure that IT admins can track business devices (so it is not misused and corporate data is not leaked, in case the device is lost or stolen). Details like Bluetooth MAC Address, SIM Serial Number, etc. are mainly captured for inventory management.
  2. Operating system information like version, build number, security patch date, etc. is captured so that IT admins can keep a track and push new updates, if available.
  3. Managed apps installed by SureMDM
  4. Configuration profiles installed by SureMDM
  5. Mobile device extension attributes do not apply to personally-owned mobile devices.

This information is collected mainly for asset tracking and inventory management. As data is collected via SIM cards, any attempt to tamper or swap SIM cards can be detected and IT admins can get notified of any non-compliant action. For more info please refer to the 42Gears Privacy Page.

Data collected in MDM: https://www.42gears.com/data-collected-in-mdm/

SureLock

The following information is collected for Android devices:

Hardware information, including device model, IP address, IMEI, IMEI2, WiFi Mac, Bluetooth Mac, Android ID, Serial Number, and device OS- These details are captured for the purpose of device activation and enabling kiosk lockdown.

The following information is collected for Windows devices:

Hardware information, including device model, IP address, WiFi Mac, device OS-These details are captured for the purpose of device activation and enabling SureLock.

SureFox

The following information is collected for Android devices:

Hardware information, including device model, IP address, IMEI, WiFi Mac, Bluetooth Mac, device OS- These details are captured for the purpose of device activation and enabling kiosk lockdown.

SureVideo

The following information is collected for Android devices:

Hardware information, including device model, IP address, IMEI, WiFi Mac, Bluetooth Mac, device OS- These details are captured for the purpose of device activation and enabling kiosk lockdown.

The following information is collected for Windows devices:

Hardware information, including device model, IP address, IMEI, WiFi Mac, Bluetooth Mac, device OS- These details are captured for the purpose of device activation and enabling kiosk lockdown.

The following information is collected for iOS devices:

Hardware information, including device model, IP address, IMEI, WiFi Mac, Bluetooth Mac, device OS- This information is captured for the purpose of activation.

AstroContacts

The following information is collected:

Operating system, device model and serial number

AstroFarm

The following information is collected:

Details From Phone- Device Platform, Model Name, Device serial number, OS details, Phone details like IMEI, IMSI, ICCID, Network, Phonenumber, Manufacturer name, CPU Details, Battery Details, Browsers available on the device, Display details, Network details.
Details of a User- Name, Email address.

Upon termination or expiration of the Agreement, 42Gears shall (at Customer's option) delete or return to Customer all Customer Data (including copies) in its possession or control, except that this requirement shall not apply to the extent is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which 42Gears shall securely isolate, protect from any further processing and eventually delete in accordance with 42Gears deletion policies, except to the extent required by applicable law.

Required App Permissions

SureMDM

Android

Following is the list of important permissions SureMDM Nix needs in order to function properly:

Device Admin- SureMDM Nix asks for Device Admin permission to tighten security and apply security policies in the future. It is recommended to make Nix the Device Admin so that in future new security policies can be applied seamlessly. For EMM devices, Device Owner permission is mandatory.
Usage Access- This is mainly used to calculate Mobile Data consumption. It keeps a track of data consumption and helps ensure that data connectivity is not misused at any point of time. In case of App Usage, this permission helps to know which application is currently running. This allows IT admins to determine whether the app that is in use is whitelisted or not.
Ignore Battery Optimization- The main purpose of this is to keep SureMDM Nix running in the foreground so that it does not go offline even when an app is idle for a certain length of time (if SureMDM Nix goes offline, it will make the device go offline and the IT admin will not be able to perform any action).
Allow Screen Capture- The main purpose of this is to enable remote management of devices so that IT admins can keep a track of the activities being performed by users on their devices.
Configure System Permissions- This is required to provide end users with an option to modify settings like system brightness, time zone, font size, etc. based on their requirements.
Configure Unknown Sources- Once this is enabled, SureMDM Nix allows third-party apps to be installed on the device. This permission seeks to capture user consent for the same.
Display over other apps- This permission is mandatory for Android 10 devices. It is required to ensure that the notifications for messages or jobs pushed by the IT admin display on top of the app that’s already running on the device.
Runtime permissions- SureMDM needs the user’s permission to access the Camera, Call Logs, SMS Logs, Contacts, Location, Storage for some functionalities to work. The main purpose of this is to collect data for inventory management and accessing SIM card information so that the IT admin can get notified in case a device is being misused by the user (the camera can be used to take pictures of any suspicious action being performed by the user so that any security concerns can be addressed).

iOS

Notifications- To receive push notifications and inform the user that jobs/profiles have been successfully applied
VPN- For network fencing
Camera- To scan the QR code in order to enroll in a device on the SureMDM console
Location Access- For geo fencing

macOS

Location Access- For location tracking
Accessibility- To allow touch events during remote support sessions
Files and Folders- To access files during remote support
Screen recording- For remote support

SureLock

Android

Following is the list of important permissions SureLock needs in order to function properly:

Set SureLock as Default Launcher- The main purpose of this is to set SureLock as a default launcher.
Configure Runtime Permissions- Following are the different permissions needed:
1. Storage- This is required to Write or Read Settings from external storage.
2. Telephone- This is required to read the IMEI number for activation.
3. Contacts- This is required for phone settings to block or whitelist phone calls.
4. SMS- This is required for receiving SMS commands, such as change password.
5. Camera- This is required to import settings from the QR code.
6. Location- This is required for driver safety settings.
Activate Device Admin- This is needed for improve security and to apply security policies in the future. It is recommended to make SureLock the Device Admin so that in future new security policies can be applied seamlessly.
Enable Samsung KNOX- This permission is specially for Samsung devices. It is required to enable advanced lockdown features like disable power off button, volume button, etc.
Enable Usage Access- This permission is required to enable the Kiosk mode.
Configure System Permissions- The main purpose of this is to provide end users with an option to modify settings like system brightness, etc. based on their requirements.
Enable Notification Access- This permission is required to block notifications and to display badges on apps.
Enable Display Over Other Apps- This permission is required to enable the power saving settings.
Enable SureKeyboard Service- The main purpose of this is to provide flexibility to the end users to use SureKeyboard instead of the system keyboard.
Disable USB Debugging- This permission is intended to disable developer options.
Disable Automatic Update From Play Store- This setting can be used to disable updates automatically from the Play Store.

SureFox/SureFox Lite

Android

Following is the list of important permissions SureFox needs in order to function properly:

Configure Runtime Permissions- Following are the different permissions needed:
1. Storage- This is required to Write or Read Settings from external storage.
2. Telephone- This is required to read the IMEI number for activation.
3. Contacts- This is required for disabling automatic updates from the Play Store.
4. Microphone - This is required for allowing microphone access for allowed websites. SureFox will not have access to the audio allowed nor will it record/collect any audio for its own use.
5. Camera- This is required to import settings from the QR code.
6. Location- This is required for allowing location access for allowed websites.
Activate Device Admin- This is required to improve security and to apply security policies in the future. It is recommended to make SureFox the Device Admin so that in future new security policies can be applied seamlessly. This permission is mandatory for those using Samsung KNOX features.
Enable Samsung KNOX- This permission is specially required for Samsung devices for enabling advanced lockdown features like disable power off button, volume button, etc.
Enable Usage Access- This permission is required to enable the Kiosk mode.
Enable Display Over Other Apps- This permission is required to enable the power saving settings.
Configure System Permissions- The main purpose of this is to provide end users with an option to modify settings, like screensaver, based on their requirements.

iOS

Photo Library- To access pictures from Photos
Photo Library Additions- To save pictures in Photos
Camera- To scan QR codes
Location Access- To show location-wise web search data to users in the browser
Motion- To know the device orientation (landscape/portrait) and measure the speed of the device movement
Microphone- To use the microphone
Media Library- To access media files

SureVideo

Android

Following is the list of important permissions SureVideo needs in order to function properly:

Configure Runtime Permissions- Following are the different permissions needed:
1. Storage- This is required to access photos, media, and files on your device.
2. Telephone- This is required to read the IMEI number for activation.
3. Camera- This is required to import settings from the QR code.
4. Location- This is required to get the available networks in the Wi-Fi Center plugin.
Enable Usage Access- This permission is required to enable the Kiosk mode.
Enable Display Over Other Apps- This permission is required to enable the power saving settings.
Configure System Permissions- The main purpose of permission is to provide end users with an option to modify settings, like screensaver settings, based on their requirements.

AstroContacts

Following is the list of important permissions AstroContacts needs in order to function properly:

Contacts- AstroContacts requires these permissions to access the contacts to sync contacts detail from AstroContacts to the local phone book. It's only one way from AstroContacts to the phone book, the AstroContacts application installed on the device never reports any contacts to the server.
Camera- AstroContacts needs this permission to allow the user to change the profile picture and scan a QR code to enroll.
Photos- AstroContacts requires this permission to add the photo to the photo library and later use it as a profile picture.

AstroFarm

Following is the list of important permissions AstroFarm needs in order to function properly:

Normal level Permission

DISABLE_KEYGUARD: It is used for locking and Unlocking the Devices

WAKE_LOCK: It is used to open the lock

INTERNET : It is used for internet connectivity

ACCESS_NETWORK_STATE: This is used to get connection status such as connected-- disconnected or roaming

CHANGE_WIFI_STATE: This allows applications to change Wi-Fi connectivity state.

ACCESS_WIFI_STATE: This allows applications to access information about Wi-Fi networks.

DUMP: It allows an application to retrieve state dump information from system services.

BLUETOOTH: It is used to get bluetooth state

BLUETOOTH_ADMIN: It is used to get bluetooth details and state change

FOREGROUND_SERVICE From android API 28 – It is used to show notification of applications as running in background

MANAGE_ACCOUNTS : It helps to manage the profile such as to add and delete accounts

Dangerous level permissions --- Runtime Permission

READ_PHONE_STATE : It allows read only access to phone state, including the current cellular network information, the status of any ongoing calls and a list of any Phone Accounts registered on the device.

GET_ACCOUNTS : It allows access to the list of accounts in the Accounts Service. (In device ex: google, dropbox etc.)

WRITE_EXTERNAL_STORAGE : It allows an application to write to an external storage.

CamLock

Android

Configure Runtime Permissions: Camlock asks the users to grant Location permissions to the application. This permission should be set to “While Using The App” status for the application to function
successfully.

Enable Background Location: This asks the users to grant Location permissions to the application. This permission should be set to “Allow all the time” status.
CAMLOCK requires this permission to enable advanced device management feature to work such as restricting use of camera in a specified location etc.
Note: Show the user consent before showing location runtime permission pop up.

Enable Accessibility Settings: By clicking on this option, the users will be directed to, “Accessibility” section of System settings. Users should select the CamLock Application and grant the Accessibility permissions to prevent the user from revoking the CAMLOCK agent permissions.

Enable Display Over Other Apps: By clicking on this option, the users will be directed to, “Display over other apps” section of System settings. Users should select the CamLock Application and grant the Allow display over other apps permissions to the application for the application to function successfully.

Allow Modification of System Settings: By clicking on this option, the users will be directed to, “Modify system settings” section of System settings. Users should select the CamLock Application and grant the Allow display over other apps permissions to enable read and access system settings.

Disable Multi-users: By clicking on this option, the users will be directed to, “Multi-user screen” in the System settings. Users will need to remove the other users and save the configurations to grant this permission to CamLock.

Disable Secondary Space: By clicking on this option, the users will be directed to, “Secondary space” section of Explore New Features of System Settings section on the device. Users will need to remove the secondary space and save the configurations to grant this permission to CamLock.

Enable Location Service: Clicking on this option should take the user to the Location settings section of System settings. Users should select the CamLock Application and grant the Use Location permissions to the application to configure location to block camera.

Data Security and Security Practices

42Gears’ system administration team routinely performs security assessments of all live systems. We use third-party auditing tools at regular intervals to ensure that system security is not compromised. 42Gears hardens the systems using the CIS Critical Security Controls (CIS Controls) benchmarks and regularly conducts security assessments of all active systems; we use third-party auditing tools at regular intervals to ensure that system security is not compromised.

Proactive security procedures, such as intrusion-detection systems and intrusion prevention systems, Security Command Centre that allows us to monitor our systems and identify any potential security threats in real-time. Security Hub allows us to automate security checks and compliance validation and provides us with actionable insights and recommendations to enhance our security measures.

Security measures like parameter defense are implemented by AWS/GCP cloud service providers.

Extensive monitoring and logging are in place and so are processes for detecting, reporting, and responding to any incidents.

42Gears encrypts all customer data in transit and at rest using industry standards and best practices. The Advanced Encryption Standard (AES) algorithm with a key size of 256 bits is used for data at rest. TLS 1.2 protects data in transit, helping to secure network traffic.

42Gears employs redundancy at every layer possible in our infrastructure, and our platform is designed to accommodate operating failures to ensure availability.

Data Center Security

42Gears uses Amazon Web Services (AWS), Google Cloud Platform (GCP) and MongoDB Atlas for hosting the services. These data centres are equipped with many security features, such as security feeds, fencing, security guards, and intrusion detection technology.

Physical and Logical Access Control

In addition to data center security from AWS, GCP and MongoDB Atlas, 42Gears follows standard and strict procedures to secure customer data. We have a dedicated system administration team that takes care of system security. Our servers are administered over a secured network. SSH/RDP is supported by authenticated (2FA) and encrypted remote log-in access by select and authorized 42Gears staff only. Strict firewall policies and audit logs ensure very tight access control.

Server Security

42Gears’ system administration team routinely performs security assessments of all live systems. We make use of third-party auditing tools from time to time to ensure that the system security is not compromised.

Secure Client Installation on Mobile Devices

Common app marketplaces, such as Windows Store, Apple App Store, and Google Play Store have their own security processes and models to ensure secure client installation on mobile devices. 42Gears follows the rules each store has set up for publishing SureMDM agent application, Nix.

Secure Client Communication

42Gears uses Secure Sockets Layer (SSL) to secure communication between endpoints and the MDM server. The endpoints include mobile devices based on platforms such as Android, iOS and Windows. 42Gears SureMDM communicates with iOS devices using the Apple Push Notification Service (APNs). SureMDM uses a certificate to communicate to the Apple MDM services, which the admin must download from the Apple Push Certificates Portal. For Android devices, 42Gears uses Google Cloud Messaging, and for Windows devices, 42Gears uses Windows Push Notification Services (WNS).

Identity and Authentication

Device Enrollment Authentication
- 42Gears SureMDM can integrate with any OAuth endpoint for this authentication. This allows 42Gears to use identity services like ADFS, Azure AD, G Suite, Microsoft 365 for device enrollment.
Portal Login Authentication
- By default, 42Gears SureMDM offers its own indigenous user management. But it can also integrate with any SAML2-based identity service to offer seamless Single Sign-On. Azure AD, Okta and OneLogin are few such identity services.
Two-Factor Authentication
- SureMDM can protect admin accounts from password theft by enabling two-factor authentication for owners and co-account owners through Google Authenticator, email, and/or phone number. Once two-factor authentication is enabled, IT admins will be required to provide an additional form of identity proof while logging in, such as a time-sensitive one-time password (OTP).

Payment

Payment Gateways- We work with a few commercial payment gateways, such as PayPal, Stripe, Chargify and BlueSnap. Once customers select a payment gateway, they are transferred to systems that are controlled by these service providers for completing the payment. Such payment gateways render payment services as data controllers and comply with all necessary obligations required for processing data under applicable data protection laws and their respective Privacy Notices. We do not store or collect your payment card details in any manner whatsoever.
The payment processors we work with are-
- Stripe- https://stripe.com/us/privacy
- PayPal- https://www.paypal.com/en/webapps/mpp/ua/privacy-full
- Plimu- https://home.bluesnap.com/privacy-policy/

UEM Privacy and Data Protection Overview

Product Security

Application Security Certification

In order to provide secure and reliable products for our customers, we have established security and data protection as fundamental requirements of our products during their entire life cycles.

Security is a core part of our product development activity. During the development of a new product or feature, we conduct a comprehensive threat and risk analysis, and create a specific security requirement for the product/feature and its integration into a complete solution. During the design phase and before release, we ensure product security by comprehensive testing (vulnerability assessment and penetration tests) using OWASP security standards. All the security updates, patches or upgrades undergo the same rigorous tests, and are only deployed once they are proven to be secure.

Furthermore, all our products are evaluated annually by third-party vendors to ensure product security by abiding various compliance requirements.

Our applications have undergone an external pen test by CyRAACS, one of the Top 10 Cyber Security companies in India.

Notice:

Disable Support for TLS 1.0 & 1.1

42Gears has upgraded its products to support the latest TLS (Transport Layer Security) versions >=1.2, which is considered the safest and most reliable. 42Gears has stopped supporting TLS 1.0 and TLS 1.1 from December 31, 2021. The major attacks that TLS 1.0 and 1.1 are vulnerable to are POODLE and BEAST.

Disclaimer - All 42Gears products support TLS 1.2 and above. Customers who have disabled TLS 1.0 and TLS 1.1 can opt for customer-specific dedicated or on-premise SureMDM deployment if required.

Policies of 42Gears

Privacy Notice
Terms of Use
EULA
Disclaimer
Insurance: 42Gears has relevant insurance policies in place with reputable insurance providers including Commercial General Liability, Technology Errors and Omissions Liability, and Cyber Risk. Upon request and with an NDA in place, 42Gears will make available relevant insurance policies held, their scope, coverage, relevant exclusions and other applicable details.

Security Advisories

Advisory ID: 42G-2021-001

Shortened Description: Apache Log4j Vulnerability (CVE-2021-44228)

Explanation:

Severity (CVSSv3 Range): 10.0

Issue date: 12/10/2021

Updated on : 02/06/2023

CVE(s): CVE-2021-44228

The vulnerability was discovered in the Log4j library. An attacker can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. 42Gears Products makes indirect use of this library, our investigations have determined no exploitable path to the vulnerability within the 42Gears Products.

Reference :

https://community.42gears.com/t/update-for-apache-log4j-vulnerability-cve-2021-44228/2030

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Advisory ID: 42G-2022-001

Shortened Description: Apache Commons Text “Text4Shell” (CVE-2022-42889)

Explanation:

Severity (CVSSv3 Range): 9.8

Issue date: 10/13/2022

Updated on : 03/01/2023

CVE(s): CVE-2022-42889

A vulnerability known as Text4Shell (CVE-2022-42889) was recently announced in the Apache Commons Text library. 42Gears products do not use the vulnerable library and are not affected by this issue. There is no action required on the part of 42Gears customers.

Reference :

https://nvd.nist.gov/vuln/detail/CVE-2022-42889

Advisory ID: 42G-2018-001

Shortened Description: An issue was discovered in 42Gears SureMDM before 2018-11-27, related to CORS settings. Cross-origin access is possible.

Explanation:

Severity (CVSSv3 Range): 6.5

Issue date: 2019-02-05

Updated on : 2019-02-05

CVE(s): CVE-2018-15655, CVE-2018-15659

An issue was discovered in 42Gears SureMDM before 2018-11-27, related to the access policy for Silverlight applications. Cross-origin access is possible.

Reference :

https://cve.report/CVE-2018-15659

https://www.cve.org/CVERecord?id=CVE-2018-15659

https://nvd.nist.gov/vuln/detail/CVE-2018-15659

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15659

https://www.cve.org/CVERecord?id=CVE-2018-15659

Advisory ID: 42G-2018-002

Shortened Description: An issue was discovered in the registration API endpoint in 42Gears SureMDM before 2018-11-27. An attacker can submit a GET request to /api/register/:email

Explanation:

Severity (CVSSv3 Range): 7.5

Issue date: 02/04/2019

Updated on : 03/23/2021

CVE(s): CVE-2018-15655

An issue was discovered in the registration API endpoint in 42Gears SureMDM before 2018-11-27. An attacker can submit a GET request to /api/register/:email, where :email is a base64 encoded e-mail address, to receive confirmation as to whether a user account exists in the system with the specified e-mail address. The request must be made with an "apiKey" value in the "ApiKey" header.

Reference :

https://cve.report/CVE-2018-15656/cve_org

https://cve.report/CVE-2018-15656/nist

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15656

Advisory ID: 42G-2018-003

Shortened Description: An issue was discovered in 42Gears SureMDM before 2018-11-27. By visiting the page found at /console/ConsolePage/Master.html, an attacker is able to see the markup that would be presented to an authenticated user

Explanation:

Severity (CVSSv3 Range): 7.5

Issue date: 02/04/2019

Updated on : 03/23/2021

CVE(s): CVE-2018-15658

An issue was discovered in 42Gears SureMDM before 2018-11-27. By visiting the page found at /console/ConsolePage/Master.html, an attacker is able to see the markup that would be presented to an authenticated user. This is caused by the session validation occurring after the initial markup is loaded. This results in a list of unprotected API endpoints that disclose call logs, SMS logs, and user-account data.

Reference :

https://www.cve.org/CVERecord?id=CVE-2018-15658

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15658

Advisory ID: 42G-2018-004

Shortened Description: An SSRF issue was discovered in 42Gears SureMDM before 2018-11-27 via the /api/DownloadUrlResponse.ashx "url" parameter.

Explanation:

Severity (CVSSv3 Range): 7.3

Issue date: 02/04/2019

Updated on : 03/23/2021

CVE(s): CVE-2018-15658

An SSRF issue was discovered in 42Gears SureMDM before 2018-11-27 via the /api/DownloadUrlResponse.ashx "url" parameter.

Reference :

https://www.cve.org/CVERecord?id=CVE-2018-15657

https://nvd.nist.gov/vuln/detail/CVE-2018-15657

Security Response Center

Report Incidents

In case of any suspected security incident, report it to security@42gears.com. Our security management team is committed to supporting you.

Responsible Disclosure

42Gears takes the security of its systems and data privacy very seriously. We constantly strive to make our systems safe for our customers to use. However, in the rare case that a security researcher or member of the general public discovers a security vulnerability in our systems and responsibly shares the details with us, we appreciate their contribution and work closely with them to address any reported issue with urgency. Further, we are happy to acknowledge their contributions publicly in line with the provisions mentioned herein.

Process to report an issue

E-mail your findings to security-incidents@42gears.com. Please share your contact information with your mobile number.

Do provide enough information to reproduce the problem (at least the information mentioned in the table is required), so we can resolve it as quickly as possible.

Title of the Vulnerability
Technical Severity	CVSS Score
Vulnerability Details	URL / Location of vulnerability (optional)
Description:
Attachments	screenshots, videos, exploit code, Burp requests/responses (attach it in the email)

Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data.
Do not disclose any vulnerabilities found on any public domain or disseminate your findings to any third party unless approved in writing by 42Gears to avoid the legal repercussions.
Do not use attacks on physical security, social engineering, distributed denial of service, spam, etc.

Acknowledgements

We are not part of a cash/bug bounty program but are happy to issue a certificate of recognition with goodies to individuals who report valid security issues responsibly based on the T&C’s agreed then and help us make 42Gears systems more secure.