The Filewave mobile device management suite had a pair of vulnerabilities which security researchers have shown could let attackers push malware out as a phone update, or even get access to enterprise networks.
Both are authentication bypass vulnerabilities: CVE-2022-34906 describes a hardcoded cryptographic key in the software that would give an attacker access to sensitive files; while CVE-2022-34907 would give an unauthenticated attacker access “with the highest authority possible” (superuser access).
FileWave’s capabilities stretch beyond mobile devices to include MacOS and Windows machines and Android-based devices like smart TVs.
With the bugs patched earlier this month, security outfit Claroty has gone public with an attack demonstrating how serious the bugs are.
“This exploit, if used maliciously, could allow remote attackers to easily attack and infect all internet-accessible instances managed by the FileWave MDM … allowing attackers to control all managed devices, gaining access to users’ personal home networks, organisations’ internal networks, and much more," Claroty wrote.
“An attacker who is able to compromise the MDM would be in a powerful position to control all managed devices, allowing the attacker to exfiltrate sensitive data such as a device’s serial number, the user’s email address and full name, address, geo-location coordinates, IP address, device PIN codes, and much more.
“Furthermore, attackers could abuse legitimate MDM capabilities to install malicious packages or executables, and even gain access to the device directly through remote control protocols.”
The researchers added they had found more than 1100 FileWave instances attached to the internet, in sectors like education, government, and large enterprises.
The worst bug, CVE-2022-34907, existed in FileWave’s Python-based task scheduler.
“The scheduler does not know the administrator’s account details, and instead uses a hardcoded shared secret in order to authenticate to the web server,” Claroty wrote.
“This shared secret does not change between each installation of FileWave MDM, nor between different versions of the system.”
This was partially fixed in versions after 13.1.3, but the replacement code offered a different path to superuser access.
FileWave’s update can be found here.
