FileWave fixes bugs that left 1,000+ orgs open to ransomware, data theft
Internet-connected MDM instances, each with an 'unrestricted number' of managed devices, were vulnerable
FileWave has fixed a couple of vulnerabilities in its endpoint management software that could allow a remote attacker to bypass authentication and take full control of the deployment and its associated devices.
Industrial control system security firm Claroty discovered the two bugs, tracked as CVE-2022-34907 and CVE-2022-34906, and says they exposed organizations across sectors — from large corporations to schools and government agencies and even small businesses — to risks including ransomware infections, sensitive data theft, and even remote device control.
More than 1,100 internet-reachable FileWave management instances, each with an "unrestricted number" of managed devices, were vulnerable to attack, according to the security shop's Team82 researchers.
In an analysis about the flaws, researcher Noam Moshe also noted the "quick response time by FileWave" as "one of the positive outcomes" of the bug-hunting expedition. "Once we notified Filewave they quickly developed and deployed fixes to these issues and actively reached out to their customers," he wrote this week.
FileWave notified all affected users on April 26 and provided them with fixes for the flaws. The vulnerabilities affect all software versions prior to 14.6.3, as well as 14.7.x versions prior to 14.7.2. FileWave issued an update to address the bugs; it is included in the patched releases 14.6.3 and 14.7.2, in the latest release 14.8, and in all subsequent versions.
In this particular case, the scheduler service running on the mobile device management (MDM) server uses a hardcoded shared secret to authenticate to the web server, Moshe explained. However, the shared secret doesn't change between each MDM installation nor between versions.
"This means that if we know the shared secret and supply it in the request, we do not need to supply a valid user's token or know the user's username and password," Moshe wrote, adding that an attacker could exploit this flaw to access the system with the highest-available permissions.
From there, a miscreant could control every managed device exposed to the internet. "This enables us to control all of the servers' managed devices, exfiltrate all sensitive data being held by the devices, including usernames, email addresses, IP addresses, geo-location etc, and install malicious software on managed devices," Moshe noted.
And then, for fun, the researchers remotely dropped fake ransomware on each device.
The second vuln, tracked as CVE-2022-34906, exists in a hardcoded cryptographic key. An unauthenticated user could exploit this bug to decrypt and steal sensitive information held in FileWave, and also to send crafted requests to the devices associated with the MDM platform. ®
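The two design flaws described above, a shared secret that is identical on every installation and a cryptographic key baked into the product, share one root cause: a credential compiled into the software instead of minted per deployment. The following Python is an added illustration written for this article, not FileWave's code; the header name, the placeholder constant and the `Installation` class are constructed. It contrasts the anti-pattern (any request carrying the build-time constant is trusted as the internal scheduler) with a per-installation secret compared in constant time, and derives a per-installation data-protection key from that secret so a key recovered from one deployment cannot unlock another's data.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed placeholder standing in for a secret baked into a product build.
# It is not FileWave's value; the point is that it is identical on every
# installation and in every version, so learning it once unlocks all of them.
HARDCODED_SHARED_SECRET = b"build-time-constant-example"


def vulnerable_is_privileged(headers: dict) -> bool:
    """Anti-pattern: a request carrying the build-time constant is treated as
    the internal scheduler, with no user token and no password check."""
    presented = headers.get("X-Scheduler-Secret", b"")
    return presented == HARDCODED_SHARED_SECRET


class Installation:
    """Hardened pattern: every deployment mints its own secret when installed.
    Compromising one deployment's secret says nothing about any other."""

    def __init__(self, install_secret: Optional[bytes] = None):
        # Hypothetical provisioning step: in a real product this runs at setup
        # and the value is stored with restrictive permissions, never in source.
        if install_secret is None:
            install_secret = secrets.token_bytes(32)
        self.install_secret = install_secret

    def is_privileged(self, headers: dict) -> bool:
        presented = headers.get("X-Scheduler-Secret", b"")
        # Constant-time comparison avoids leaking how many leading bytes matched;
        # a wrong-length value simply compares unequal.
        return hmac.compare_digest(presented, self.install_secret)

    def data_key(self) -> bytes:
        """Per-installation data-protection key derived from the install secret
        with a fixed label, so no two deployments share an encryption key."""
        return hmac.new(self.install_secret, b"data-at-rest-key-v1",
                        hashlib.sha256).digest()


def compare_designs() -> dict:
    """Exercise both designs against two independent deployments."""
    # A request built from the leaked constant is accepted by every vulnerable
    # install, because they all embed the same value.
    leaked_request = {"X-Scheduler-Secret": HARDCODED_SHARED_SECRET}
    accepted_by_a = vulnerable_is_privileged(leaked_request)
    accepted_by_b = vulnerable_is_privileged(leaked_request)

    # Two independent hardened deployments, each with its own secret.
    site_a = Installation()
    site_b = Installation()
    # Even with site A's genuine secret in hand, site B rejects it.
    taken_from_a = {"X-Scheduler-Secret": site_a.install_secret}

    return {
        "vulnerable_accepts_everywhere": accepted_by_a and accepted_by_b,
        "hardened_a_accepts_own": site_a.is_privileged(taken_from_a),
        "hardened_b_accepts_other_sites_secret": site_b.is_privileged(taken_from_a),
        "hardened_keys_differ": site_a.data_key() != site_b.data_key(),
        "missing_header_rejected": site_a.is_privileged({}),
    }


if __name__ == "__main__":
    for check, result in compare_designs().items():
        print(f"{check}: {result}")
```

The defender's takeaway is the provisioning step: the secret and the key must be generated on each host at install time and stored outside the code, which is exactly what a version-independent constant cannot provide. A quick audit check for this class of bug is whether two separate installs of the same product accept each other's service credentials; the hardened design above makes that test fail by construction.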