Critical MDM file vulnerabilities allow attackers to take full control of the mobile device

Two vulnerabilities in FileWave’s Mobile Device Management (MDM) system could have allowed malicious actors to bypass authentication and take control of the platform and the devices it manages.

FileWave’s MDM platform allows administrators to push software updates to devices, lock them, or even remotely wipe devices.

A report from Claroty’s Team82 took a closer look at CVE-2022-34907, an authentication bypass bug, and CVE-2022-34906, a cipher-key flaw; FileWave addressed both vulnerabilities in its latest update.

According to the report, researchers have discovered more than 1,100 different cases of vulnerable FileWave MDM servers facing the Internet across many industries, including those in large organizations, education and government agencies.

Buggy MDM Admin Web Server

The platform’s MDM web server, written in Python, is a key component that allows an administrator to interact with devices and receive information from them.

According to the report, “Because this service has to be accessible to mobile devices at all times, it is usually exposed to the Internet, handling customer and administrator requests. Its connectivity makes it a primary target in our research on this platform.”

One of the back-end services on the server, the scheduling service, which schedules and performs specific tasks required by the MDM platform, uses an encrypted shared secret to grant access to the “superuser” account, the platform’s most privileged user.

“If we know the shared secret and provide it in the request, we do not need to provide a valid user code or know their username and password,” the report says.

By exploiting the authentication bypass vulnerability, the team was able to gain superuser access and take full control of any MDM instance connected to the Internet.

In a proof-of-concept exploit, the team was able to push a malicious package to all devices managed by the system and then remotely execute code to install fake ransomware across all of them.

“This exploit, if used maliciously, could allow remote attackers to attack and infect all online-accessible instances managed by FileWave MDM, … allowing attackers to gain control of all managed devices, and gain access to users’ and organizations’ personal home networks, intranets and much more,” the report, published Monday, says.

Users must apply the patches as soon as possible to avoid becoming a victim of an attack, the researchers warn.

Escalating attacks on endpoints

There has been a rise in attacks against endpoint management products in recent years, including one of the most well-known, targeting Kaseya VSA.

In that attack, automation allowed the REvil ransomware gang to go from exploiting vulnerable servers to installing ransomware on downstream agents faster than most defenders could react.

While attacks on mobile phones have been happening for years, the threat is rapidly evolving toward sophisticated malware families with new features: attackers spread malware with full remote access, modular design and worm-like capabilities that pose significant threats to users and their organizations.

Meanwhile, a survey published earlier this month by Adaptiva and the Ponemon Institute found that the average enterprise now manages approximately 135,000 endpoint devices, a rapidly expanding attack surface.

Zero Trust supports endpoint protection

Organizations can improve endpoint management by implementing zero-trust policies for greater control, and by using Bring Your Own Device (BYOD) security and MDM tools. But they must also take proactive steps such as keeping apps up to date and training employees to keep sensitive company data and employee devices safe.

In addition, Claroty notes that creating temporary keys that are not stored in central repositories and that expire automatically can improve endpoint and MDM security, even for small businesses.
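To make the two points above concrete, the following added example (it is not FileWave’s code, and it reconstructs only the general pattern the report describes) contrasts the weak design from the scheduling-service passage, where a single long-lived shared secret presented in a request grants superuser access without any user credentials, with the mitigation Claroty recommends: short-lived, self-expiring tokens bound to a named user and verified with an HMAC, so nothing needs to be stored in a central repository. The header names `X-Shared-Secret` and `Authorization`, the secret value and the 300-second lifetime are assumptions chosen for the illustration.

```python
"""
Illustrative reconstruction, not FileWave's code: a static shared secret
that unlocks superuser versus short-lived HMAC-signed tokens with expiry.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# --- Weak pattern: one long-lived shared secret grants superuser ---
# Constructed value; in the weak design such a secret sits in the server.
STATIC_SHARED_SECRET = "constructed-static-secret"


def authorize_static(request_headers: dict) -> Optional[str]:
    """Return the effective user, or None if the request is unauthorised.

    Whoever learns the one static secret becomes superuser without ever
    presenting a username, password or per-user token, which is exactly
    the bypass condition described in the report.
    """
    presented = request_headers.get("X-Shared-Secret", "")  # assumed header name
    if hmac.compare_digest(presented.encode(), STATIC_SHARED_SECRET.encode()):
        return "superuser"
    return None


# --- Hardened pattern: per-user, expiring tokens verified with a server key ---
SERVER_KEY = secrets.token_bytes(32)  # held in memory only; nothing stored centrally
TOKEN_TTL = 300                        # assumed lifetime in seconds


def issue_token(user: str, now: Optional[float] = None) -> str:
    """Mint a token of the form user:expiry:nonce:tag for one principal."""
    now = time.time() if now is None else now
    expires = int(now) + TOKEN_TTL
    nonce = secrets.token_hex(8)       # makes every issuance distinct
    payload = f"{user}:{expires}:{nonce}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def authorize_token(request_headers: dict, now: Optional[float] = None) -> Optional[str]:
    """Return the user named in a valid, unexpired token, else None.

    The tag binds user, expiry and nonce together, so changing the user
    or extending the expiry invalidates the token, and an expired token
    is rejected even when its tag is genuine.
    """
    now = time.time() if now is None else now
    token = request_headers.get("Authorization", "")  # assumed header name
    try:
        user, expires_str, nonce, tag = token.split(":")
        expires = int(expires_str)
    except ValueError:
        return None
    payload = f"{user}:{expires}:{nonce}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    if now >= expires:
        return None
    return user


if __name__ == "__main__":
    # Constructed requests: the static secret alone yields superuser ...
    print(authorize_static({"X-Shared-Secret": STATIC_SHARED_SECRET}))
    # ... while a token names one user and stops working after TOKEN_TTL seconds.
    tok = issue_token("admin", now=1000.0)
    print(authorize_token({"Authorization": tok}, now=1100.0))
    print(authorize_token({"Authorization": tok}, now=1400.0))
```

The token scheme is stateless: the server keeps only `SERVER_KEY`, so there is no repository of valid secrets to leak, and rotating the key on restart or on a schedule bounds the lifetime of every token that was ever issued.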