Critical Filewave MDM Vulnerabilities Give Attackers Full Control of Mobile Devices


Two vulnerabilities in FileWave’s cross-platform mobile device management (MDM) system would have allowed malicious actors to bypass authentication mechanisms, taking control of the platform and the devices linked to it.

FileWave’s MDM platform allows administrators to push software updates to devices, lock them down, or even wipe devices remotely.

A report from Claroty’s Team82 takes a closer look at CVE-2022-34907, an authentication bypass flaw, and CVE-2022-34906, a hardcoded cryptographic key – vulnerabilities that Filewave patched with a recent update.

According to the report, researchers discovered more than 1,100 different instances of vulnerable FileWave MDM servers accessible on the Internet across multiple industries, including large enterprises, education, and government agencies.

Buggy MDM Administration Web Server

The platform’s MDM web server, written in Python, is a key component that allows the administrator to interact with devices and receive information from them.

“Because this service must be accessible to mobile devices at all times, it is typically exposed to the Internet and handles both customer and administrator requests,” according to the report. “Its connectivity makes it a priority target in our research on this platform.”

One of the back-end services on the server, the scheduler service, which schedules and executes specific tasks required by the MDM platform, uses a hard-coded shared secret function to grant access to the “super_user” account. – the most privileged user of the platform. .

“If we know the shared secret and provide it in the request, we don’t need to provide a valid user token or know the user’s username and password,” the report says. .

Additionally, by exploiting the authentication bypass vulnerability, the team was able to gain superuser access and take full control of any Internet-connected MDM instance.

In a proof-of-concept exploit, the team was able to push a malicious package to every device in the system, then execute code remotely to install fake ransomware on each one.

“This exploit, if used maliciously, could allow remote attackers to easily attack and infect all internet-accessible instances managed by FileWave MDM, …allowing attackers to control all managed devices , access users’ personal home networks, internal network organizations, and more,” according to the Monday report.

Users must apply the patches as soon as possible to avoid falling victim to an attack, the researchers warn.

Increase in endpoint attacks

There has been an increase in attacks against endpoint management products in recent years, including one of the most publicized attacks targeting Kaseya VSA.

In this attack, automation allowed a gang affiliated with the REvil ransomware to move from exploiting vulnerable servers to installing ransomware on downstream clients faster than most defenders could react.

While mobile attacks have been happening for years, the threat is rapidly evolving into sophisticated malware families with new features, with attackers deploying malware with full remote access capabilities, modular design, and features of type worm posing significant threats to users and their organizations.

Meanwhile, a survey released earlier this month by Adaptiva and the Ponemon Institute found that the average enterprise now manages around 135,000 endpoints, an attack surface that is rapidly proliferating.

Zero Trust Strengthens Endpoint Protection

Organizations can improve endpoint management by implementing zero-trust policies for better control and by using BYOD (Bring Your Own Device) MDM and security tools. But they also need to take proactive steps like updating apps and training staff to keep sensitive company data and employee devices secure.

Additionally, Claroty notes that creating temporary keys that aren’t stored in central repositories and that expire automatically could improve endpoint and MDM security, even for small businesses.


About Author

Comments are closed.