Security bug left over 1,000 organizations open to ransomware, device hijacking

A blue color image of a person trying to log into a protected laptop.
(Image credit: Shutterstock/JARIRIYAWAT)

Security researchers have discovered two major flaws in FileWave’s endpoint management software which could have given threat actors a way to circumvent authentication measures and completely take over the affected devices.

The flaws affected more than 1,100 internet-accessible FileWave management instances, used by large government entities, schools, small businesses, and many other firms. Besides fully taking over the instances, threat actors could have used the backdoor to launch ransomware attacks, or steal sensitive data. 

Found by security firm Claroty, the vulnerabilities are being tracked as CVE-2022-34907 and CVE-2022-34906.

Patched flaws

CVE-2022-34907 is described as an authentication bypass, not unlike the flaw recently found in F5 BIG-IP WAF. The researchers explained that the scheduler service running on the mobile device management (MDM) server authenticates to the web server using a hardcoded shared secret. But this secret doesn’t change between different MDM installations, or versions. 

"This means that if we know the shared secret and supply it in the request, we do not need to supply a valid user's token or know the user's username and password," researcher Noam Moshe told the publication, also stating that a threat actor could use this flaw to access the target system with elevated privileges. 

These privileges would give them power over other internet-connected devices: "This enables us to control all of the servers' managed devices, exfiltrate all sensitive data being held by the devices, including usernames, email addresses, IP addresses, geo-location etc, and install malicious software on managed devices," Moshe added.

CVE-2022-34906, on the other hand, is a flaw discovered in the hardcoded cryptographic key. The flaw could be used to decrypt sensitive data found in FileWave, as well as send crafted requests to the devices associated with the MDM platform.

The flaws have since been patched, so if you’re affected, make sure you’re running versions 14.6.3 and 14.7.2, or 14.8 and newer.

  • Keep your internet activities to yourself with the best firewalls around

Via: The Register

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.