Claroty researchers discovered two vulnerabilities in the FileWave MDM product that exposed more than one thousand organizations to cyber attacks. FIleWave MDM is used by organizations to view and manage device configurations, locations, security settings, and other device data. An organization may use the MDM platform to push mandatory software and updates to devices, change device settings, lock, and, when necessary, remotely wipe devices.
The now patched vulnerabilities are an authentication bypass issue tracked as CVE-2022-34907 and a hardcoded cryptographic key tracked as CVE-2022-34906. Both issues reside in FileWave MDM before version 14.6.3 and 14.7.x, prior to 14.7.2. FileWave addressed the vulnerabilitied in version 14.7.2 earlier this month.
A remote attacker can trigger the vulnerabilities to bypass authentication and gain full control over the MDM platform and its managed devices.
The authentication bypass vulnerability can allow a remote attacker to achieve “super_user” access and take full control of the MDM install, then use it to manage any device of the target organization.
“During our research, we were able to identify a critical flaw in the authentication process of the FileWave MDM product suite, allowing us to create an exploit that bypasses authentication requirements in the platform and achieve super_user access, (the platform’s most privileged user).” reads the analysis published by Claroty. “By exploiting this authentication bypass vulnerability, we were able to take full control over any internet-connected MDM instance.”
The researchers discovered more than 1,100 organizations in multiple industries using the flawed MDM.
In order to demonstrate the CVE-2022-34907 flaw, the experts created a standard FileWave setup, and enrolled 6 devices of our own. They used the vulnerability to leak data about all of the devices managed by the instance of the MDM server.
“Lastly, using regular MDM functionality which allows IT administrators to install packages and software on managed devices, we installed malicious packages on each controlled device, popping a fake ransomware virus on each of those managed devices. Doing so, we demonstrated how a potential attacker can leverage Filewave’s capabilities in order to take control over different managed devices.” reads the post published by Claroty.
The researchers demonstrated how to exploit the flaw to install a ransomware on the devices that are managed by an instance that was compromised by the experts.
“This exploit, if used maliciously, could allow remote attackers to easily attack and infect all internet-accessible instances managed by the FileWave MDM, below, allowing attackers to control all managed devices, gaining access to users’ personal home networks, organizations’ internal networks, and much more,” concludes Claroty.
(SecurityAffairs – hacking, FileWave MDM)