Vulnerabilities in FileWave’s mobile device management (MDM) platform could enable attackers to seize control of vulnerable instances and all their managed devices, security researchers warn.
FileWave MDM allows IT administrators to manage and monitor an organization’s laptops, workstations, smartphones, tablets, and other smart devices.
A pair of critical authentication bypasses in the software uncovered by industrial cybersecurity firm Claroty mean hostile actors could gain the highest administrative privileges and access “users’ personal home networks, organizations’ internal networks, and much more”, according to a blog post published yesterday (July 25) by Claroty vulnerability researcher Noam Moshe.
Attackers could “exfiltrate all sensitive data being held by [compromised] devices, including usernames, email addresses, IP addresses, geo-location etc, and install malicious software on managed devices”, he added. Claroty’s proof-of-concept exploit involved the installation of faux ransomware.
Users have been urged to apply the most recent software update.
Researchers from Claroty’s Team82 said they discovered more than 1,100 vulnerable FileWave MDM instances operated by organizations of various sizes, including for instance government agencies and educational institutions.
However, the “vast majority” of systems have been “verified as up to date”. Team82 commended FileWave for “swiftly patching these vulnerabilities” and for notifying users.
Hardcoded shared secret
Researchers first uncovered a hard-coded cryptographic key vulnerability (CVE-2022-34906), before finding a second bypass (CVE-2022-34907) that Moshe likened to a recent vulnerability in F5’s BIG-IP networking software that potentially exposed thousands of users to remote takeover.
The first bypass pertained to a hardcoded shared secret – SCHEDULER_SECRET – used by the task scheduler service to authenticate to the web server.
Each route requiring valid authentication must inherit the FWAuthMixin class (or any class that itself inherits this class), noted Moshe.
“This check is performed inside the test_func function, where if this function returns True the request will be fulfilled, and if this function returns False, a 401 Unauthorized will be returned,” he said.
The function takes the authorization header from the HTTP request, compares it to the base64-decoded scheduler secret, and if they match, the request is granted super_user permissions.
“This means that if we know the shared secret and supply it in the request, we do not need to supply a valid user’s token or know the user’s username and password,” explained Moshe.
Second bypass
This vulnerability only worked up to FileWave version 13.1.3, when the logic inside FWAuthMixin was changed so that, instead of comparing the authorization header to the scheduler secret, it only accepted valid users’ tokens.
But Team82 also discovered the addition of a middleware – AppTokenMiddleware – that did compare the authorization header to the scheduler secret. However, they would have to bypass a new check comparing request.get_host() to localhost in order to again obtain super_user privileges.
Fortunately, documentation from Django, which was used to code the web server in Python, showed this was achievable by setting the HTTP_HOST header as localhost.
No exploitation to date
FileWave addressed the second flaw in versions 14.6.3, 14.7.2, and 14.8, which protect users against both bypasses.
The vendor said it notified affected users of the vulnerabilities and availability of patched versions on April 26.
In a press release published today (July 26) it also said: “The implementation of the patched software versions should have eliminated the risk of the vulnerabilities to be exploited by third-party attacks. Since the identification of the vulnerabilities, no actual exploitation has become known to FileWave to date. Nevertheless, we recommend users of FileWave Services to double-check that the security update is properly installed and up to date to avoid the risk of third-party attacks going forward.”
Noam Moshe told The Daily Swig: “With the large number of XIoT [extended IoT] devices in use today, it’s very common for any type of organisation to use an MDM solution so the IT administrators can manage everything effectively.
“Authentication bypass vulnerabilities, such as CVE-2022-34907, are unfortunately more common than many people realise,” he added. “By sharing our knowledge, we hope to raise awareness around these types of vulnerabilities so they can be eliminated before they are exploited worldwide.”
Source: https://portswigger.net/daily-swig/filewave-mdm-authentication-bypass-bugs-expose-managed-devices-to-hijack-risk