Claroty’s research arm (Team82) has uncovered and disclosed two critical vulnerabilities in FileWave’s Mobile Device Management (MDM) system.
The vulnerabilities have been found to be remotely exploitable, with threat actors having the opportunity to gain complete control over the MDM platform and its managed devices.
When examining the two individual vulnerabilities, both were found in earlier versions of the technology.
The CVE-2022-34907 is an authentication bypass flaw that exists in FileWave MDM before versions 14.6.3 and 14.7.x, prior to 14.7.2. Team82 says it is similar to the vulnerability that was recently identified in F5 BIG-IP WAF.
CVE-2022-34906 is a hard-coded cryptographic key existing in FileWave MDM prior to versions 14.6.3 and 14.7.x, prior to 14.7.2.
Research from Team82 has resulted in the discovery of thousands of vulnerable internet-facing FileWave servers in numerous industries, including government agencies, education, and large enterprises.
FIleWave MDM is a crucial technological solution that allows IT administrators to view and manage device configurations, locations, security settings, and other device data. When this is compromised, threat actors have access to the data and can have complete control.
When working through the diagnosis, Team82 identified a critical flaw in the authentication process of the FileWave MDM product suite, allowing them to create an exploit that bypasses authentication requirements in the platform and achieves super_user access, (the platform’s most privileged user).
By exploiting this authentication bypass vulnerability, they were able to take full control over any internet-connected MDM instance. More than 1,100 such instances were discovered, each containing an unrestricted number of managed devices.
The team also created a standard FileWave setup and enrolled six devices of their own. Then, using this vulnerability, they exploited the MDM web server, which allowed them to leak data about all of the devices managed by this MDM server.
FileWave has addressed the vulnerabilities in a recent update and has urged users to apply the update to prevent further harm.
Team82 says they wish to acknowledge and thank FileWave for its cooperation and coordination throughout this disclosure. They say the vulnerabilities were addressed in a prompt, complete fashion, users were notified, and the vast majority were verified as up to date.
“Team82 would like to thank Filewave for its coordination with us in working through this disclosure, and for its swift response in confirming our findings and swiftly patching these vulnerabilities.
“Filewave has addressed these issues in a recent update v14.7.2 and worked with their customers to patch or update affected systems.”