ConnectWise backup solutions open to RCE, patch ASAP!
ConnectWise has fixed a critical vulnerability in ConnectWise Recover and R1Soft Server Backup Manager that could allow attackers to achieve remote code exection (RCE) or access confidential data.
The company advises users to patch as soon as possible, as the vulnerability is “either being targeted or have a higher risk of being targeted by exploits in the wild.”
A RCE flaw in two ConnectWise backup solutions
ConnectWise Recover is a backup solution for small businesses, and R1Soft Server Backup Manager is a solution popular with service providers.
The vulnerability is an authentication bypass bug that arose from improper neutralization of special elements in output used by a downstream component.
It affects:
- Recover v2.9.7 and earlier versions
- R1Soft SBMs v6.16.3 and earlier versions
“Affected ConnectWise Recover SBMs have automatically been updated to the latest version of Recover (v2.9.9),” the company noted, while R1Soft users should upgrade to v6.16.4 by following the instructions delineated here.
Risk mitigation made difficult
The vulnerability was discovered and reported by Code White security researcher Florian Hauser.
Huntress CEO Kyle Hanslovan has announced they will be publishing a write-up detailing how the vulnerability could be exploited to push ransomware onto the 4,800+ R1Soft servers exposed on the internet.
We’re still working with the ConnectWise to validate the patch and communicate to our partners asap. Will work quick to get the details out there shortly.
— Kyle Hanslovan (@KyleHanslovan) October 28, 2022
The release of patches and the security bulletin on a Friday afternoon has been lamented by both companies and some infosec professionals, as it creates uneccessary pressure on enterprises’ blue teams.
Its why early in the week vuln disclosures are preferred. Effectively as a courtesy to the blue team in thousands of companies.
— Dodge This Security (@shotgunner101) October 28, 2022
UPDATE (October 31, 2022, 01:20 p.m. ET):
Huntress has validated the patch, says it works to stop their PoC exploit, and says that “there has been no evidence of exploitation in the wild discovered by Huntress or ConnectWise” for now.
“Our team was able to demonstrate the impact and severity of this issue by running our POC exploit to bypass authentication, upload a backdoored JDBC database driver to gain code execution, and use the REST API to trigger commands to registered agents to ultimately push the recently leaked Lockbit 3.0 ransomware to all downstream endpoints,” researchers John Hammond and Caleb Stewart explained.
“Our research identified upwards of 5,000 exposed server manager backup instances via Shodan—all of which had the potential to be exploited by threat actors, along with their registered hosts. Considering that Server Backup Manager SE is predominately used by Hosting and Managed Service Providers who specialize in outsourced IT services for many businesses, this vulnerability has the potential to impact significantly more than 5,000 SMBs.”