Critical ConnectWise ScreenConnect vulnerabilities fixed, patch ASAP!
UPDATE (February 22, 2024, 05:40 a.m. ET):
Now designated as CVE-2024-1709 and CVE-2024-1708, the vulnerabilities are under active exploitation. Go here for up-to-date information and advice.
ConnectWise has fixed two vulnerabilities in ScreenConnect that could allow attackers to execute remote code or directly impact confidential data or critical systems.
“There is no evidence that these vulnerabilities have been exploited in the wild, but immediate action must be taken by on-premise partners to address these identified security risks,” the company said.
About ConnectWise ScreenConnect
ConnectWise ScreenConnect (formerly ConnectWise Control; the product has recently reverted to its original name) is a remote desktop software solution popular with managed services providers, the businesses they offer services to, and help desk teams.
The product is offered as cloud-hosted software-as-a-service or can be deployed by organizations as a self-hosted server application (either in the cloud or on-premises). When users require remote assistance, they are instructed to join a session by visiting a URL and downloading client software.
ConnectWise ScreenConnect is also popular with tech support scammers and other cyber criminals, including ransomware gangs.
In late 2022, ConnectWise disabled the customization feature for trial accounts of the cloud-hosted service, to prevent scammers from creating branded support portals and tricking employees into joining a malicious remote access session.
About the vulnerabilities
The two vulnerabilities – currently without a CVE number – affect ScreenConnect 23.9.7 and prior and are categorized as:
- Authentication bypass using an alternate path or channel
- Improper limitation of a pathname to a restricted directory (“path traversal”)
They were reported on February 13, 2024 through the company’s vulnerability disclosure channel.
Even though there is currently no evidence that these vulnerabilities have been exploited, ConnectWise says they are at a higher risk of being targeted by exploits.
“Partners that are self-hosted or on-premise need to update their servers to version 23.9.8 immediately to apply a patch,” the company said.
“ConnectWise will also provide updated versions of releases 22.4 through 23.9.7 for the critical issue, but strongly recommend that partners update to ScreenConnect version 23.9.8.”
UPDATE (February 21, 2024, 04:32 a.m. ET):
ConnectWise has updated the advisory with indicators of compromise (IP addresses) linked to attacks leveraging the auth bypass vulnerability.
“We received updates of compromised accounts that our incident response team have been able to investigate and confirm,” the company says.
“These indicators can be incorporated into your cybersecurity monitoring platform. They can help you stop a cyberattack that’s in progress. Plus, you can use IOCs to find ways to detect and stop ransomware, malware, and other cyberthreats before they cause data breaches.”
WatchTowr Labs has published a proof-of-concept exploit that uses the vulnerability to add a new administrative user to ConnectWise ScreenConnect (as the first step in a trivial RCE chain).
Huntress researchers have created a proof-of-concept exploit (but haven’t published it yet), and have “identified a way to temporarily hot-fix vulnerable systems while administrators work to patch their systems.”