FileWave MDM Authentication Bypass Bugs Put Managed Devices at Risk of Hacking

The ‘vast majority’ of users have updated their systems thanks to vendor warnings

Vulnerabilities in FileWave’s mobile device management (MDM) platform could allow attackers to take control of vulnerable instances and all of their managed devices, security researchers warn.

FileWave MDM enables IT administrators to manage and monitor an organization’s laptops, workstations, smartphones, tablets, and other smart devices.

A pair of critical authentication bypasses in the software, uncovered by industrial cybersecurity firm Claroty, means hostile actors could gain the highest administrative privileges and access to “users’ personal home networks, organizations’ internal networks and more,” according to a blog post published yesterday (July 25) by Noam Moshe, vulnerability researcher at Claroty.


Attackers could “exfiltrate all sensitive data held by [compromised] devices, including usernames, email addresses, IP addresses, geolocation, etc., and install malware on managed devices,” he added. Claroty’s proof-of-concept exploit involved installing fake ransomware.

Users were advised to apply the most recent software update.

Claroty’s Team82 researchers said they discovered more than 1,100 vulnerable FileWave MDM instances used by organizations of various sizes, including government agencies and educational institutions.

However, the “vast majority” of systems have been “verified as up-to-date”. Team82 praised FileWave for “quickly patching these vulnerabilities” and warning users.

Hardcoded shared secret

Researchers first discovered a hard-coded cryptographic key vulnerability (CVE-2022-34906), before finding a second bypass (CVE-2022-34907), which Moshe likened to a recent vulnerability in F5’s BIG-IP networking software that potentially exposed thousands of users to remote takeover.

The first bypass involved a hard-coded shared secret used by the Task Scheduler service to authenticate to the web server.

Every route that requires valid authentication must inherit from the class (or any class that itself inherits from that class), Moshe noted.

“That check is done inside the function, where if that function returns, the request will be satisfied, and if that function returns, a 401 Unauthorized will be returned,” he said.


The function takes the authorization header from the HTTP request, compares it to the base64-decoded scheduler secret, and if they match, the request is granted permissions.

“This means that if we know the shared secret and provide it in the request, we don’t need to provide a valid user token or know the user’s username and password,” Moshe explained.

Second bypass

This vulnerability only worked until FileWave version 13.1.3, when the logic inside was changed so that instead of comparing the authorization header to the scheduler secret, it only accepted valid user tokens.

But Team82 also discovered newly added middleware — — that compared the authorization header to the scheduler secret. However, they would have had to bypass a new localhost check in order to regain privileges.

Fortunately for the researchers, the documentation for Django, the Python framework used to build the web server, showed that this could be achieved by setting the header to localhost.
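The following Python is an added illustration, not Claroty’s or FileWave’s code, of the two checks the article describes: the Authorization-header-versus-scheduler-secret comparison, and a localhost gate in front of it. The secret value, the header name used for the weak localhost test (assumed here to be Host), and the dict layout (mimicking Django’s request.META keys) are assumptions; the page does not name them. The defender’s point is that a “local” decision based on any client-supplied header is spoofable, while one based on the peer address the server itself observed is not.

```python
import base64
import hmac

# Constructed sample secret; the real FileWave scheduler secret is not on the page.
SCHEDULER_SECRET_B64 = base64.b64encode(b"example-scheduler-secret").decode()
LOCAL_ADDRS = {"127.0.0.1", "::1"}


def scheduler_secret_matches(meta: dict) -> bool:
    """Model of the described check: Authorization header vs. base64-decoded secret.
    Constant-time comparison avoids leaking match length through timing."""
    supplied = meta.get("HTTP_AUTHORIZATION", "").encode()
    expected = base64.b64decode(SCHEDULER_SECRET_B64)
    return hmac.compare_digest(supplied, expected)


def is_local_weak(meta: dict) -> bool:
    """Weak localhost test: trusts a header the client controls (assumed: Host)."""
    host = meta.get("HTTP_HOST", "").split(":")[0]
    return host in {"localhost", "127.0.0.1"}


def is_local_strong(meta: dict) -> bool:
    """Hardened test: use the socket peer address (REMOTE_ADDR), which the client
    cannot set. Behind a reverse proxy this is the proxy's address, so a proxied
    deployment must bind the privileged route to the loopback interface instead."""
    return meta.get("REMOTE_ADDR") in LOCAL_ADDRS


def scheduler_auth_allowed(meta: dict, local_check) -> bool:
    """Grant scheduler privileges only if the request is local AND the secret matches."""
    return local_check(meta) and scheduler_secret_matches(meta)


# Constructed request: arrives from a remote address, carries the correct secret,
# and spoofs the Host header to claim it is local.
SPOOFED_REMOTE_REQUEST = {
    "REMOTE_ADDR": "198.51.100.7",
    "HTTP_HOST": "localhost",
    "HTTP_AUTHORIZATION": "example-scheduler-secret",
}


def demo() -> tuple:
    """Returns (weak_result, strong_result) for the spoofed remote request."""
    weak = scheduler_auth_allowed(SPOOFED_REMOTE_REQUEST, is_local_weak)
    strong = scheduler_auth_allowed(SPOOFED_REMOTE_REQUEST, is_local_strong)
    return weak, strong  # (True, False): only the peer-address check holds
```

A gate on the peer address closes the header spoof, but a hard-coded secret that grants admin rights remains a single point of failure; the durable fix is to issue the scheduler its own per-installation credential rather than a shared constant.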

No exploitation to date

FileWave fixed the second flaw in versions 14.6.3, 14.7.2, and 14.8, which protect users from both bypasses.

The vendor said it notified affected users of the vulnerabilities and the availability of patched versions on April 26.

In a press release issued today (July 26), the vendor also said: “The implementation of the patched software releases should have eliminated the risk of the vulnerabilities being exploited by third-party attacks. Since the identification of the vulnerabilities, no actual exploitation has been known to FileWave to date. Nevertheless, we recommend that FileWave Services users double-check that the security update is properly installed and up-to-date to avoid the risk of third-party attacks in the future.”

Noam Moshe told The Daily Swig: “With the large number of XIoT [extended IoT] devices used today, it is very common for any type of organization to use an MDM solution so that IT administrators can manage everything efficiently.

“Authentication bypass vulnerabilities, such as CVE-2022-34907, are unfortunately more common than many realize,” he added. “By sharing our knowledge, we hope to raise awareness of these types of vulnerabilities so that they can be eliminated before they are exploited around the world.”
