FileWave MDM authentication bypass bugs expose managed devices to hijack risk
‘Vast majority’ of users have updated systems thanks to vendor warnings.

Vulnerabilities in FileWave’s mobile device management (MDM) platform could enable attackers to seize control of vulnerable instances and all their managed devices, security researchers warn.

FileWave MDM allows IT administrators to manage and monitor an organization’s laptops, workstations, smartphones, tablets, and other smart devices.

A pair of critical authentication bypasses in the software uncovered by industrial cybersecurity firm Claroty mean hostile actors could gain the highest administrative privileges and access “users’ personal home networks, organizations’ internal networks, and much more”, according to a blog post published yesterday (July 25) by Claroty vulnerability researcher Noam Moshe.

Attackers could “exfiltrate all sensitive data being held by [compromised] devices, including usernames, email addresses, IP addresses, geo-location etc, and install malicious software on managed devices”, he added. Claroty’s proof-of-concept exploit demonstrated this by installing faux ransomware on a managed device.

Users have been urged to apply the most recent software update.

Researchers from Claroty’s Team82 said they discovered more than 1,100 vulnerable FileWave MDM instances operated by organizations of various sizes, including government agencies and educational institutions.

However, the “vast majority” of systems have been “verified as up to date”. Team82 commended FileWave for “swiftly patching these vulnerabilities” and for notifying users.

Hardcoded shared secret

Researchers first uncovered a hard-coded cryptographic key vulnerability (CVE-2022-34906), before finding a second bypass (CVE-2022-34907) that Moshe likened to a recent vulnerability in F5’s BIG-IP networking software that potentially exposed thousands of users to remote takeover.

The first bypass pertained to a hardcoded shared secret, SCHEDULER_SECRET, used by the task scheduler service to authenticate to the web server. Because the value was fixed in the software rather than generated per installation, anyone who obtained it could use it against any instance.

Each route requiring valid authentication must inherit the FWAuthMixin class (or any class that itself inherits this class), noted Moshe.

“This check is performed inside the test_func function, where if this function returns True the request will be fulfilled, and if this function returns False, a 401 Unauthorized will be returned,” he said.

The function takes the Authorization header from the HTTP request and compares it to the base64-decoded scheduler secret; if they match, the request is granted super_user permissions without any user credentials being checked.

“This means that if we know the shared secret and supply it in the request, we do not need to supply a valid user’s token or know the user’s username and password,” explained Moshe.

Second bypass

This vulnerability only worked up to FileWave version 13.1.3, when the logic inside FWAuthMixin was changed so that, instead of comparing the authorization header to the scheduler secret, it only accepted valid users’ tokens.


But Team82 also discovered the addition of a middleware, AppTokenMiddleware, that still compared the Authorization header to the scheduler secret. To obtain super_user privileges by this route, however, the researchers would also have to pass a new check comparing request.get_host() to localhost.

Fortunately for the researchers, documentation from Django, the Python framework used to build the web server, showed that get_host() derives its value from the client-supplied Host header, so the check could be satisfied simply by setting the HTTP_HOST header to localhost. The check therefore did not prove that the request originated on the server itself.
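The two checks described above, reduced to plain Python so they run without Django, as an added illustration that is not FileWave's, Claroty's or Django's code. The SCHEDULER_SECRET value, the minimal Request stand-in and the helper names are all constructed for this example; the real code is not on the page. The point of the third function is the defensive one: a check that must answer "is this caller local?" has to look at something the server sets (the peer address), not at a header the client sends.

```python
"""Model of a shared-secret authentication check and a Host-header-based
"local only" gate, next to a hardened form. Everything here is a constructed
example; no identifier other than SCHEDULER_SECRET and get_host comes from
the article, and the secret value itself is a placeholder."""
import base64
import hmac
from dataclasses import dataclass, field

# Constructed placeholder: the real hardcoded value is not on the page.
SECRET_PLAINTEXT = "example-scheduler-secret"
SCHEDULER_SECRET = base64.b64encode(SECRET_PLAINTEXT.encode()).decode()

# Peers that may legitimately present the scheduler secret (assumption).
LOCAL_PEERS = {"127.0.0.1", "::1"}


@dataclass
class Request:
    """Minimal stand-in for a WSGI/Django request: only META matters here.
    REMOTE_ADDR is filled in by the server from the TCP connection;
    HTTP_HOST and HTTP_AUTHORIZATION are copied from client headers."""
    meta: dict = field(default_factory=dict)

    def get_host(self) -> str:
        # Mirrors a framework deriving the host name from the Host header.
        return self.meta.get("HTTP_HOST", "")


def mixin_test_func(request: Request) -> bool:
    """The pattern described for FWAuthMixin before 13.1.3: a secret carried
    in the Authorization header grants super_user with no user credentials."""
    presented = request.meta.get("HTTP_AUTHORIZATION", "")
    expected = base64.b64decode(SCHEDULER_SECRET).decode()
    return presented == expected


def host_gated_middleware(request: Request) -> bool:
    """The later pattern: same comparison, but only if get_host() reports
    'localhost'. Since that value comes from the client's Host header, the
    gate does not establish where the request actually came from."""
    if request.get_host() != "localhost":
        return False
    return mixin_test_func(request)


def hardened_scheduler_auth(request: Request) -> bool:
    """Defensive rewrite: tie the scheduler secret to the network peer that
    the server observed, and compare in constant time. A remote client can
    still send any Host header it likes; it cannot choose REMOTE_ADDR."""
    if request.meta.get("REMOTE_ADDR") not in LOCAL_PEERS:
        return False
    presented = request.meta.get("HTTP_AUTHORIZATION", "").encode()
    expected = base64.b64decode(SCHEDULER_SECRET)
    return hmac.compare_digest(presented, expected)


def evaluate(remote_addr: str, host_header: str, authorization: str) -> dict:
    """Run one request through all three checks and report each verdict."""
    req = Request(meta={
        "REMOTE_ADDR": remote_addr,
        "HTTP_HOST": host_header,
        "HTTP_AUTHORIZATION": authorization,
    })
    return {
        "mixin": mixin_test_func(req),
        "host_gated": host_gated_middleware(req),
        "hardened": hardened_scheduler_auth(req),
    }


if __name__ == "__main__":
    # The genuine scheduler, connecting from the server itself.
    print("local scheduler :", evaluate("127.0.0.1", "localhost", SECRET_PLAINTEXT))
    # A remote client that knows the fixed secret and writes its own Host header.
    print("remote, spoofed :", evaluate("203.0.113.7", "localhost", SECRET_PLAINTEXT))
    # A remote client without the secret.
    print("remote, no secret:", evaluate("203.0.113.7", "localhost", "guess"))
```

The middle case is the one the article describes: the mixin and the host-gated middleware both accept the request, while the hardened check rejects it because the peer address is not local. A reviewer auditing similar code can search for authorization decisions that depend on `get_host()`, `HTTP_HOST` or any other request header and ask what, if anything, stops a client from setting that header itself.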

No exploitation to date

FileWave addressed the second flaw in versions 14.6.3, 14.7.2, and 14.8; these releases protect users against both bypasses.

The vendor said it notified affected users of the vulnerabilities and availability of patched versions on April 26.

In a press release published today (July 26) it also said: “The implementation of the patched software versions should have eliminated the risk of the vulnerabilities to be exploited by third-party attacks. Since the identification of the vulnerabilities, no actual exploitation has become known to FileWave to date. Nevertheless, we recommend users of FileWave Services to double-check that the security update is properly installed and up to date to avoid the risk of third-party attacks going forward.”

Noam Moshe told The Daily Swig: “With the large number of XIoT [extended IoT] devices in use today, it’s very common for any type of organisation to use an MDM solution so the IT administrators can manage everything effectively.

“Authentication bypass vulnerabilities, such as CVE-2022-34907, are unfortunately more common than many people realise,” he added. “By sharing our knowledge, we hope to raise awareness around these types of vulnerabilities so they can be eliminated before they are exploited worldwide.”
