FileWave MDM authentication bypass bugs expose managed devices to hijack risk

‘Vast majority’ of users have updated systems thanks to vendor warnings.

Vulnerabilities in FileWave’s mobile device management (MDM) platform could enable attackers to seize control of vulnerable instances and all their managed devices, security researchers warn.

FileWave MDM allows IT administrators to manage and monitor an organization’s laptops, workstations, smartphones, tablets, and other smart devices.

A pair of critical authentication bypasses in the software uncovered by industrial cybersecurity firm Claroty mean hostile actors could gain the highest administrative privileges and access “users’ personal home networks, organizations’ internal networks, and much more”, according to a blog post published yesterday (July 25) by Claroty vulnerability researcher Noam Moshe.

Attackers could “exfiltrate all sensitive data being held by [compromised] devices, including usernames, email addresses, IP addresses, geo-location etc, and install malicious software on managed devices”, he added. Claroty’s proof-of-concept exploit involved the installation of faux ransomware.

Users have been urged to apply the most recent software update.

Researchers from Claroty’s Team82 said they discovered more than 1,100 vulnerable FileWave MDM instances operated by organizations of various sizes, including government agencies and educational institutions.

However, the “vast majority” of systems have been “verified as up to date”. Team82 commended FileWave for “swiftly patching these vulnerabilities” and for notifying users.

Hardcoded shared secret

Researchers first uncovered a hard-coded cryptographic key vulnerability (CVE-2022-34906), before finding a second bypass (CVE-2022-34907) that Moshe likened to a recent vulnerability in F5’s BIG-IP networking software that potentially exposed thousands of users to remote takeover.

The first bypass pertained to a hardcoded shared secret – SCHEDULER_SECRET – used by the task scheduler service to authenticate to the web server.

Each route requiring valid authentication must inherit the FWAuthMixin class (or any class that itself inherits this class), noted Moshe.

“This check is performed inside the test_func function, where if this function returns True the request will be fulfilled, and if this function returns False, a 401 Unauthorized will be returned,” he said.

The function takes the authorization header from the HTTP request, compares it to the base64-decoded scheduler secret, and if they match, the request is granted super_user permissions.

“This means that if we know the shared secret and supply it in the request, we do not need to supply a valid user’s token or know the user’s username and password,” explained Moshe.

Second bypass

This vulnerability only worked up to FileWave version 13.1.3, when the logic inside FWAuthMixin was changed so that, instead of comparing the authorization header to the scheduler secret, it only accepted valid users’ tokens.

But Team82 also discovered the addition of a middleware – AppTokenMiddleware – that did compare the authorization header to the scheduler secret. However, they would have to bypass a new check comparing request.get_host() to localhost in order to again obtain super_user privileges.

Fortunately, the documentation for Django, the Python web framework the server is built on, showed this was achievable by setting the HTTP_HOST header to localhost, since get_host() returns the value of the client-supplied Host header.
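The two checks described above, as an added illustration that is not FileWave’s code and not from Claroty’s post: a minimal stand-in for a Django request (assumed to expose only META and get_host()) shows why a get_host() == "localhost" test can be satisfied by any remote client that sets the Host header, and a hardened variant that binds the scheduler secret to the actual peer address instead. The SCHEDULER_SECRET value and request dictionaries are constructed here for the example.

```python
import base64
import hmac

# Constructed placeholder for the example; a real deployment would load
# a per-install value from configuration, never a hard-coded constant.
SCHEDULER_SECRET = base64.b64encode(b"example-scheduler-secret").decode()


class FakeRequest:
    """Minimal stand-in for django.http.HttpRequest (assumption: only
    META and get_host() matter here). Like Django, get_host() returns the
    client-supplied Host header when one is present."""

    def __init__(self, meta):
        self.META = meta

    def get_host(self):
        # Django prefers HTTP_HOST (the Host header from the client) and
        # only falls back to the server's own name when it is absent.
        return self.META.get("HTTP_HOST") or self.META.get("SERVER_NAME", "")


def secret_matches(request):
    """Compare the Authorization header to the base64-decoded scheduler
    secret in constant time (the article describes a plain comparison)."""
    supplied = request.META.get("HTTP_AUTHORIZATION", "")
    expected = base64.b64decode(SCHEDULER_SECRET).decode()
    return hmac.compare_digest(supplied.encode(), expected.encode())


def weak_grants_super_user(request):
    """Weak pattern: trusts the Host header to decide that a request is
    'local'. The header is chosen by the client, so it proves nothing."""
    return secret_matches(request) and request.get_host() == "localhost"


def hardened_grants_super_user(request):
    """Hardened: bind to the transport-level peer address, which a remote
    client cannot set through an HTTP header. Behind a reverse proxy
    REMOTE_ADDR is the proxy, so a loopback-only scheduler endpoint should
    also be bound to a loopback listener rather than the public one."""
    peer = request.META.get("REMOTE_ADDR", "")
    return secret_matches(request) and peer in ("127.0.0.1", "::1")


def check_both(meta):
    """Return (weak_result, hardened_result) for one constructed request."""
    req = FakeRequest(meta)
    return weak_grants_super_user(req), hardened_grants_super_user(req)
```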

No exploitation to date

FileWave addressed the second flaw in versions 14.6.3, 14.7.2, and 14.8, which protect users against both bypasses.

The vendor said it notified affected users of the vulnerabilities and availability of patched versions on April 26.

In a press release published today (July 26) it also said: “The implementation of the patched software versions should have eliminated the risk of the vulnerabilities to be exploited by third-party attacks. Since the identification of the vulnerabilities, no actual exploitation has become known to FileWave to date. Nevertheless, we recommend users of FileWave Services to double-check that the security update is properly installed and up to date to avoid the risk of third-party attacks going forward.”

Noam Moshe told The Daily Swig: “With the large number of XIoT [extended IoT] devices in use today, it’s very common for any type of organisation to use an MDM solution so the IT administrators can manage everything effectively.

“Authentication bypass vulnerabilities, such as CVE-2022-34907, are unfortunately more common than many people realise,” he added. “By sharing our knowledge, we hope to raise awareness around these types of vulnerabilities so they can be eliminated before they are exploited worldwide.”
