Critical FileWave MDM Vulnerabilities Allow Attackers Full Mobile Device Control

Two vulnerabilities in FileWave’s multiplatform mobile device management (MDM) system would have allowed malicious actors to bypass authentication mechanisms, taking control of the platform and the devices linked to it.

FileWave’s MDM platform allows admins to push software updates to devices, lock them or even remotely wipe devices.

A report from Claroty’s Team82 takes a closer look at CVE-2022-34907, an authentication bypass flaw, and CVE-2022-34906, a hard-coded cryptographic key — vulnerabilities that FileWave addressed with a recent update.

According to the report, the researchers discovered more than 1,100 different instances of vulnerable Internet-facing FileWave MDM servers across multiple industries, including in large enterprises, education, and government agencies.

Buggy MDM Admin Web Server

The platform’s MDM Web server, written in Python, is a key component that allows the admin to interact with the devices and receive information from them.

“Since this service should be accessible to mobile devices at all times, it is usually exposed to the Internet, and handles both clients’ and admins’ requests,” according to the report. “Its connectivity makes it a primary target in our research on this platform.”

One of the back-end services on the server, the scheduler service, which schedules and executes specific tasks required by the MDM platform, uses a hard-coded shared secret function to grant access to the “super_user” account — the platform’s most privileged user.

“If we know the shared secret and supply it in the request, we do not need to supply a valid user’s token or know the user’s username and password,” the report says.
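The flaw class described above, as an added illustration that is not FileWave's code and does not reconstruct its actual request format: a hypothetical request authenticator in which a secret baked into the source short-circuits every other check and yields the most privileged account, placed next to a hardened variant. Header names, the `super_user` role mapping and the `SCHEDULER_SERVICE_SECRET` environment variable are assumptions for the example; the hardened path loads the service secret from deployment configuration, binds it to an HMAC over the request plus a fresh timestamp, compares in constant time, maps the service to a narrow role rather than `super_user`, and stores only hashes of admin session tokens.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# --- Vulnerable pattern (hypothetical reconstruction of the flaw class) ----------
# A shared secret baked into the source. Anyone who can read the code, a backup
# or a shipped package knows it, and presenting it skips every other check.
HARDCODED_SHARED_SECRET = "example-hardcoded-secret"   # constructed placeholder value


def authenticate_vulnerable(headers: dict, sessions: dict) -> Optional[str]:
    """Return the username the request acts as, or None if unauthenticated."""
    if headers.get("X-Shared-Secret") == HARDCODED_SHARED_SECRET:
        return "super_user"          # privileged account granted without any user credential
    return sessions.get(headers.get("X-Auth-Token", ""))


# --- Hardened pattern ------------------------------------------------------------
def load_service_secret() -> bytes:
    """The secret comes from deployment configuration, never from the source tree.
    Refusing to start without it beats silently falling back to a default."""
    value = os.environ.get("SCHEDULER_SERVICE_SECRET")      # assumed variable name
    if not value or len(value) < 32:
        raise RuntimeError("SCHEDULER_SERVICE_SECRET missing or too short")
    return value.encode()


def sign_service_request(secret: bytes, method: str, path: str, ts: int) -> str:
    """HMAC over method, path and timestamp, so a captured value cannot be
    replayed against another endpoint or after the freshness window."""
    msg = f"{method}\n{path}\n{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_session(sessions: dict, username: str, role: str) -> str:
    """Admin login issues a random token; only its hash is stored server-side."""
    token = secrets.token_urlsafe(32)
    sessions[hashlib.sha256(token.encode()).hexdigest()] = (username, role)
    return token


def authenticate_hardened(headers: dict, method: str, path: str, sessions: dict,
                          secret: bytes, now: Optional[int] = None,
                          max_skew: int = 300) -> Optional[tuple]:
    """Two independent paths, neither of which yields super_user:
    - an internal service proves possession of the provisioned secret with an
      HMAC over the request and a fresh timestamp, and is mapped to a narrow role;
    - a human admin presents a session token issued after login.
    Returns (principal, role) or None."""
    now = int(time.time()) if now is None else now
    sig = headers.get("X-Service-Signature")
    if sig is not None:
        try:
            ts = int(headers.get("X-Service-Timestamp", ""))
        except ValueError:
            return None
        if abs(now - ts) > max_skew:
            return None                                        # stale or replayed
        expected = sign_service_request(secret, method, path, ts)
        if not hmac.compare_digest(expected.encode(), sig.encode()):  # constant time
            return None
        return ("scheduler", "service:scheduler")              # least privilege, not super_user
    token = headers.get("X-Auth-Token")
    if token:
        return sessions.get(hashlib.sha256(token.encode()).hexdigest())
    return None
```

The point to take from the two functions is not the HMAC itself but where the trust anchor lives: in the vulnerable version it is a string constant that travels with every copy of the software, while in the hardened version it is provisioned per deployment, proves freshness and endpoint binding, and even when valid never grants the platform's most privileged account.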

Also, by exploiting the authentication-bypass vulnerability, the team was able to achieve super_user access and take full control over any Internet-connected MDM instance.

In a proof-of-concept exploit, the team was able to push a malicious package to all the devices in the system and then execute remote code to install fake ransomware across all of them.

“This exploit, if used maliciously, could allow remote attackers to easily attack and infect all Internet-accessible instances managed by the FileWave MDM, … allowing attackers to control…