Critical Filewave MDM Vulnerabilities Allow Attackers Full Mobile Device Control

Two vulnerabilities in FileWave’s multiplatform mobile device management (MDM) system would have allowed malicious actors to bypass authentication mechanisms, taking control of the platform and the devices linked to it.

FileWave’s MDM platform allows admins to push software updates to devices, lock them or even remotely wipe devices.

A report from Claroty’s Team82 takes a closer look at CVE-2022-34907, an authentication bypass flaw, and CVE-2022-34906, a hard-coded cryptographic key — vulnerabilities that Filewave addressed with a recent update.

According to the report, the researchers discovered more than 1,100 different instances of vulnerable Internet-facing FileWave MDM servers across multiple industries, including in large enterprises, education, and government agencies.

Buggy MDM Admin Web Server

The platform’s MDM Web server, written in Python, is a key component that allows the admin to interact with the devices and receive information from them.

“Since this service should be accessible to mobile devices at all times, it is usually exposed to the Internet, and handles both clients’ and admins’ requests,” according to the report. “Its connectivity makes it a primary target in our research on this platform.”

One of the back-end services on the server, the scheduler service, which schedules and executes specific tasks required by the MDM platform, uses a hard-coded shared secret function to grant access to the “super_user” account — the platform’s most privileged user.

“If we know the shared secret and supply it in the request, we do not need to supply a valid user’s token or know the user’s username and password,” the report says.

Also, by exploiting the authentication-bypass vulnerability, the team was able to achieve super_user access and take full control over any Internet-connected MDM instance.

In a proof-of-concept exploit, the team was able to push a malicious package to all the devices in the system and then execute remote code to install fake ransomware across all of them.

“This exploit, if used maliciously, could allow remote attackers to easily attack and infect all Internet-accessible instances managed by the FileWave MDM, … allowing attackers to control all managed devices, gaining access to users’ personal home networks, organizations’ internal networks, and much more,” according to the Monday report.

Users should apply the patches as soon as possible to avoid becoming a victim of an attack, researchers warn.

Attacks on Endpoints Rise

There has been a rise in attacks against endpoint management products in recent years, including one of the more high-profile attacks targeting the Kaseya VSA.

In that attack, automation allowed a REvil ransomware gang affiliate to move from exploitation of vulnerable servers to installing ransomware on downstream customers faster than most defenders could react.

While mobile attacks have been occurring for years, the threat is rapidly evolving into sophisticated malware families with novel features, with attackers deploying malware with full remote access capabilities, modular design, and worm-like characteristics posing significant threats to users and their organizations.

Meanwhile, a survey released earlier this month by Adaptiva and and Ponemon Institute revealed the average enterprise now manages approximately 135,000 endpoint devices — a rapidly proliferating attack surface.

Zero Trust Bolsters Endpoint Protection

Organizations can improve endpoint management by implementing zero-trust policies for greater control, and using bring-your-own device (BYOD) security and MDM tools. But they must also take proactive steps such as keeping apps current and training staff to keep sensitive company data safe and employees’ devices secure.

In addition, Claroty notes that creating temporary keys that are not stored in central repositories and that time out automatically could improve endpoint and MDM security, even for small businesses.