‘Vast majority’ of users have updated systems thanks to vendor warnings.
Vulnerabilities in FileWave’s mobile device management (MDM) platform could enable attackers to seize control of vulnerable instances and all their managed devices, security researchers warn.
FileWave MDM allows IT administrators to manage and monitor an organization’s laptops, workstations, smartphones, tablets, and other smart devices.
A pair of critical authentication bypasses in the software uncovered by industrial cybersecurity firm Claroty mean hostile actors could gain the highest administrative privileges and access “users’ personal home networks, organizations’ internal networks, and much more”, according to a blog post published yesterday (July 25) by Claroty vulnerability researcher Noam Moshe.
Attackers could “exfiltrate all sensitive data being held by [compromised] devices, including usernames, email addresses, IP addresses, geo-location etc, and install malicious software on managed devices”, he added. Claroty’s proof-of-concept exploit involved the installation of faux ransomware.
Users have been urged to apply the most recent software update.
Researchers from Claroty’s Team82 said they discovered more than 1,100 vulnerable FileWave MDM instances operated by organizations of various sizes, including for instance government agencies and educational institutions.
However, the “vast majority” of systems have been “verified as up to date”. Team82 commended FileWave for “swiftly patching these vulnerabilities” and for notifying users.
Hardcoded shared secret
Researchers first uncovered a hard-coded cryptographic key vulnerability (CVE-2022-34906), before finding a second bypass (CVE-2022-34907) that Moshe likened to a recent vulnerability in F5’s BIG-IP networking software that potentially exposed thousands of users to remote takeover.
The first bypass pertained to a hardcoded shared secret – SCHEDULER_SECRET – used by the task scheduler service to authenticate to the web server.
Each route requiring valid authentication must inherit the FWAuthMixin class (or any class that itself inherits this class), noted Moshe.
“This check is performed inside the test_func function, where if this function returns True the request will be fulfilled, and if this function returns False, a 401 Unauthorized will be returned,” he said.
The function takes the authorization header from the HTTP request, compares it to the base64-decoded scheduler secret, and if they match, the request is granted super_user permissions.
“This means that if we know the shared secret and supply it in the request, we do not need to supply a valid user’s token or know the user’s username and password,” explained Moshe.
This vulnerability only worked up to FileWave version 13.1.3, when the logic inside FWAuthMixin was changed so that, instead of comparing the authorization header to the scheduler secret, it only accepted valid users’ tokens.
But Team82 also discovered the addition of a middleware – AppTokenMiddleware – that did compare the authorization header to the scheduler secret. However, they would have to bypass a new check comparing request.get_host() to localhost in order to again obtain super_user privileges.
Fortunately, documentation from Django, which was used to code the web server in Python, showed this was achievable by setting the HTTP_HOST header as localhost.
No exploitation to date
FileWave addressed the second flaw in versions 14.6.3, 14.7.2, and 14.8, which protect users against both bypasses.
The vendor said it notified affected users of the vulnerabilities and availability of patched versions on April 26.
In a press release published today (July 26) it also said: “The implementation of the patched software versions should have eliminated the risk of the vulnerabilities to be exploited by third-party attacks. Since the identification of the vulnerabilities, no actual exploitation has become known to FileWave to date. Nevertheless, we recommend users of FileWave Services to double-check that the security update is properly installed and up to date to avoid the risk of third-party attacks going forward.”
Noam Moshe told The Daily Swig: “With the large number of XIoT [extended IoT] devices in use today, it’s very common for any type of organisation to use an MDM solution so the IT administrators can manage everything effectively.
“Authentication bypass vulnerabilities, such as CVE-2022-34907, are unfortunately more common than many people realise,” he added. “By sharing our knowledge, we hope to raise awareness around these types of vulnerabilities so they can be eliminated before they are exploited worldwide.”
Snapchat enables parents to keep an eye on who their kids are messaging on the platform
Former Super Eagles assistant coach takes over as manager of Danish team Jammerbugt
Alex Iwobi: “We were unfortunate” Everton can compete against any team
The DG exhorts NYSC members to accept postings in good faith
Students urge the FG once more to abide by the demands of ASUU
IG orders a comprehensive review of the Intelligence Units and expresses displeasure with police brutality and extortion
Buhari celebrates Ngige as he turns 70
Troops strike the Boko Haram commander and 27 others in Borno
Director of “Blood Sisters” Biyi Bandele passes away at 54
Davido posts a screenshot of himself and Chioma on a video conversation with the caption, “My gist partner.”
Dame Olivia Newton-John, a star of Grease, passes away at age 73
The Comanche warrior paint’s significance is explained by Prey star Amber Midthunder
Hold Me Closer, a collaboration song between Britney Spears and Sir Elton John, making the singer’s first single to be released since 2016
Your daily horoscope for Tuesday, August 9, 2022
BBNaija S7: Phyna, Bryann, Groovy, Ilebaye, and Khalid are up for eviction
“I’m sorry for all the embarrassment I’ve caused my wife, my kids, my mother and all our families,” – Two Face Idibia
How and when to view the best meteor shower of the year, the Perseids meteor shower, in 2022
Apple allegedly instructs suppliers to avoid labeling shipments to China with “Made in Taiwan”
Super Eagles hero celebrates Premier League accomplishment as “Dream Turns Reality”
Frenkie de Jong makes Chelsea transfer decision in phone call with Todd Boehly
Police re-arrest 25 other suspects and the escapee from Jos prison
Lagos policeman shoot and murder an ex-convict while battling with armed criminals
Cleaner received an eight-month sentence for stealing a laptop bag
Dariye and Nyame recover their freedom, 4 months after Buhari’s pardon
BREAKING: WAEC announces the 2022 WASSCE results
“Buga” is a victory song for Nigerian medalists
Kizz Daniel dazzles in a sold-out performance in Uganda
After four years of marriage, Gideon Okeke’s wife is getting a divorce
BBNaija S7: Beauty’s brother burns critics over disqualification: “Calm down, her script was wonderful.”
Your daily horoscope for Monday, August 8, 2022
#BBNaija: Christy O, Cyph evicted
Deadly Barcelona Thrashed PUMAS to win trophy, Lewandoski gets debut goal
Reactions to Manchester City’s opening-game 2-0 victory over West Ham: “Erling Haaland is scary.”
BBNaija S7: Beauty eliminated from reality TV show
Erik Ten Hag Chops First Breakfast as Man Utd Manager as Brighton Wins 2-1
Man Utd must let Ronaldo leave – Wayne Rooney
Australia Scholarship: Apply for Griffith University degree scholarship, 2022
Edo Govt To Recruit 1000 New Teachers, Train 650 Others
Ebonyi Govt Laments Destruction Of Airport Fence
Transfer: Real Madrid star, Isco to Sevilla as free agent
[STORY] THE WITCH’S DAUGHTER (Complete Episodes)
[STORY] MONEY OVER LOVE (Complete Episodes)
[STORY] WHAT MY ELDER BROTHER’S WIFE TAUGHT ME (Complete Episodes)
[STORY] THE WITCH’S DAUGHTER (Episode 07)
[STORY] SADE’S HEART TALE (Episode 19)
[STORY] WHAT MY ELDER BROTHER’S WIFE TAUGHT ME (Episode 01)
[STORY] MONEY OVER LOVE (Episode 01)
[STORY] THE WITCH’S DAUGHTER (Episode 03)
[STORY] MONEY OVER LOVE (Episode 09)
[STORY] THE WITCH’S DAUGHTER (Episode 01)
Revealed: Why Watford goalkeeper Maduka Okoye was not included in the team on Monday
[STORY] WHAT MY ELDER BROTHER’S WIFE TAUGHT ME (Final Episode 04)
[STORY] THE WITCH’S DAUGHTER (Episode 05)
[STORY] THE WITCH’S DAUGHTER (Episode 04)
[STORY] WHAT MY ELDER BROTHER’S WIFE TAUGHT ME (Episode 02)
[STORY] THE WITCH’S DAUGHTER (Episode 06)
[STORY] WHAT MY ELDER BROTHER’S WIFE TAUGHT ME (Episode 03)
[STORY] MONEY OVER LOVE (Episode 04)
[STORY] THE WITCH’S DAUGHTER (Episode 02)
[STORY] MONEY OVER LOVE (Episode 05)
[STORY] MONEY OVER LOVE (Episode 12)
[STORY] MONEY OVER LOVE (Episode 03)
[STORY] THE WITCH’S DAUGHTER (Final Episode 09)
[STORY] MONEY OVER LOVE (Episode 08)
[STORY] MONEY OVER LOVE (Episode 02)
Epic movie “Anikulapo” by Kunle Afolayan is scheduled to premiere in September
[STORY] MONEY OVER LOVE (Episode 06)
BBNaija S7: Amaka and Phyna bemoan the lack of condoms in the home
[STORY] THE WITCH’S DAUGHTER (Episode 08)
[STORY] MONEY OVER LOVE (Episode 11)
Nkem Owoh Breaks Silence On Claims He Rejected N10 Million To Endorse Bola Tinubu For President
[STORY] MONEY OVER LOVE (Episode 14)
[STORY] MONEY OVER LOVE (Final Episode 20)
[STORY] MONEY OVER LOVE (Episode 10)
“Nancy Isime Did Butt Enlargement Surgery” – Blessing Okoro Makes Shocking Revelation
[STORY] MONEY OVER LOVE (Episode 17)
[STORY] MONEY OVER LOVE (Episode 18)
BBNaija S7: Denrele claims that bbnaija candidates send him n*des and millions of naira in order to take part in the show
[STORY] MONEY OVER LOVE (Episode 19)
[STORY] MONEY OVER LOVE (Episode 13)
ANE's Billboard Hots
Technology1 month ago
VoIP Number: Everything You Need To Know
Music6 years ago
[Music] Ed Sheeran – Perfect
Music5 years ago
[Music] Wiz Khalifa – See You Again ft. Charlie Puth
Music1 month ago
[Instrumental] Wiz Khalifa – See You Again ft. Charlie Puth
ANE Stories1 month ago
The Story Of My Life (Complete Episode 1 – 47)
Movie Subtitle1 month ago
DOWNLOAD Complete Money Heist Season 1 Subtitles File [English SRT] 2017
Music1 month ago
[Video] 21 Savage ft. Offset & Metro Boomin – Rap Saved Me
Music3 years ago
[Music] Gnash Ft Olivia O’Brien – I Hate you, I Love you