ConnectWise ScreenConnect Authentication Bypass Vulnerability
High Level Summary of the Security Advisory
ConnectWise ScreenConnect is a remote desktop and access software solution designed specifically for IT professionals and managed service providers (MSPs) to securely connect with and manage client devices remotely. It offers features like unattended access, support for mobile devices, and integrations with other IT tools, enabling efficient IT support, heightened customer satisfaction, and enhanced security.
On February 19, 2024, ConnectWise issued a security advisory disclosing a critical authentication bypass vulnerability (CVE-2024-1709) rated 10 out of 10 on the CVSS severity scale. This type of vulnerability not only grants access to targeted desktops but also enables exploitation of a secondary path-traversal vulnerability (CWE-22) with a CVSS score of 8.4, enabling unauthorized file access. These vulnerabilities could enable attackers to gain unauthorized access to ScreenConnect servers and potentially deploy ransomware or other malicious software.
On February 20, 2024, ConnectWise updated its security advisory to confirm active exploitation of identified issues following notifications of suspicious activity. This was thoroughly investigated by the incident response team, enabling ConnectWise to identify Indicators of Compromise (IOCs). The following IP addresses were used by threat actors. ConnectWise has made these IP addresses available for the purpose of protection and defense.
IOCs:
155.133.5.15155.133.5.14118.69.65.60
Should I be concerned?
Maybe. It depends if you have a relationship with ConnectWise. Click on the link below to find out if you have a relationship with this vendor. If you do, follow the recommendations below.
Note: this link specifically references vendor directory records. You may also want to search your Relationship List for "ConnectWise” to confirm.
What to do if you or your vendors have an active relationship with ConnectWise
As per the update to the security advisory on February 21, 2024, ConnectWise released a patch (version 23.9.8) to address the identified vulnerabilities and to provide an improved customer experience. ConnectWise strongly recommends that all users upgrade to ConnectWise ScreenConnect version 23.9.8 or later immediately. This critical step is essential to safeguard systems and prevent potential exploitation of these vulnerabilities.
Subsequently, on February 22, 2024, ConnectWise expanded their security advisory to include a guidance on upgrading to the latest version through a defined “Upgrade pathway” which involves installing upgrades incrementally for users on much older versions due to changes in the product's architecture. ConnectWise has rolled out an additional mitigation step for unpatched, on-premise users that suspends an instance if it is not on version 23.9.8 or later. ConnectWise affirms to have deployed alerts with instructions on performing the necessary actions to release the server if the user instance is found to be on an outdated version.
As per the advisory, users of the cloud-based ScreenConnect services, screenconnect.com and hostedrmm.com, can rest assured that their systems are secure, and no additional steps are needed to address the recent vulnerability as ScreenConnect servers hosted in screenconnect.com cloud or hostedrmm.com have been updated to remediate the issue.
You can reach out to ConnectWise via email at help@connectwise.com or through their Contact page. ConnectWise also recommends opening a case at ConnectWise Home with their support team.
--------------------------------------------------------------
We are actively working on future product enhancements related to these types of events. If you found this information helpful or have additional feedback please let us know at product@visotrust.com.
For any additional questions, please reach out to your customer success manager.
Stay ahead of the curve with our Public Risk Notice Alerts!
Get the latest information and news to your inbox on cybersecurity breaches and third-party vendor risks that could impact your organization.
Sign up today to fortify your organization's security.
The VISO TRUST team
—----------—----------—-----
