TECH ConnectWise Confirms ScreenConnect Flaw Under Active Exploitation

packyderms_wife

Neither here nor there.

ConnectWise Confirms ScreenConnect Flaw Under Active Exploitation

Security experts describe exploitation of the CVSS 10/10 flaw as “trivial and embarrassingly easy.”

By
Ryan Naraine
February 21, 2024
https://www.securityweek.com/connectwise-confirms-screenconnect-flaw-under-active-exploitation/#

Less than 24 hours after shipping emergency patches for critical security defects in its ScreenConnect remote desktop access product, ConnectWise says hackers are already launching exploits to take over enterprise accounts.

“We received updates of compromised accounts that our incident response team have been able to investigate and confirm,” ConnectWise said in an updated advisory issued Wednesday.

The acknowledgement of in-the-wild exploitation comes as several security companies published proof-of-concept code to amplify the urgency for businesses to upgrade on-prem installations to ConnectWise ScreenConnect 23.9.8.

“The ‘exploit’ is trivial and embarrassingly easy,” according to technical documentation released by Huntress, a company in the managed security services business.

“Once you have administrative access to a compromised instance, it is trivial to create and upload a malicious ScreenConnect extension to gain Remote Code Execution (RCE). This is not a vulnerability, but a feature of ScreenConnect, which allows an administrator to create extensions that execute .Net code as SYSTEM on the ScreenConnect server,” Huntress warned.

Vulnerability management firm Rapid7 followed up with the addition of an unauthenticated RCE exploit module in the Metasploit pen-test tool and confirmed that remote code execution is achieved by leveraging the vulnerability to create a new admin account, and then using these creds to upload an extension (i.e. a plugin) that hosts a payload.

ConnectWise, a company that has seen its software featured in CISA’s Known Exploited Vulnerabilities (KEV) catalog, also published three IP addresses used by malicious actors to compromise ScreenConnect accounts and urged customers to hunt for signs of infections.

The company first flagged the issue with an urgent advisory on Tuesday that cryptically described an “authentication bypass using an alternate path or channel” carrying the maximum CVSS severity score of 10/10.

A second bug, documented as an improper limitation of a pathname to a restricted directory (“path traversal”) was also fixed and tagged with a CVSS severity score of 8.4/10.

Because of the severity and risk of exploitation, ConnectWise is urging enterprise admins to install the patches “as emergency changes” within days.

ConnectWise documented the issue in an advisory marked as “critical” because it addresses vulnerabilities “that could allow the ability to execute remote code or directly impact confidential data or critical systems.”

Affected versions include ScreenConnect 23.9.7 and prior, and the company said the issue is most relevant to on-prem or self-hosted customers.
 

soccerdad3

Contributing Member

Critical ConnectWise ScreenConnect flaw exploited in the wild
News Analysis
Feb 21, 2024
Authentication, Cyberattacks, Vulnerabilities

The vulnerability could allow attackers to bypass authentication or create a new admin account.


A critical vulnerability patched this week in the ConnectWise ScreenConnect remote desktop software is already being exploited in the wild. Researchers warn that it’s trivial to exploit the flaw, which allows attackers to bypass authentication and gain remote code execution on systems, and proof-of-concept exploits already exist.

ScreenConnect is a popular remote support tool with both on-premises and in-cloud deployments. According to ConnectWise’s advisory released Monday, the cloud deployments hosted at screenconnect.com or hostedrmm.com have automatically been patched, but customers need to urgently upgrade their on-premises deployments to version 23.9.8.

Data from internet scanning service Censys showed over 8,000 vulnerable ScreenConnect servers when the vulnerability was disclosed. However, the impact of a successful exploit could extend past the server itself since a single ScreenConnect server could provide attackers with access to hundreds or thousands of endpoints — even across multiple organizations if the server is run by a managed service provider (MSP).

Attackers have exploited vulnerabilities in remote monitoring and management (RMM) tools used by MSPs in the past to gain access to their customers’ networks, and they also abused such tools for command-and-control in other attacks. Last month, the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory about a malicious campaign that involved phishing emails that led to the download of legitimate RMM software, such as ScreenConnect and AnyDesk, that attackers then used to steal money from victims’ bank accounts in a refund scam.

In its original advisory, ConnectWise said there was no evidence of the two vulnerabilities it disclosed being exploited in the wild, but one day later it updated its advisory to warn customers that: “We received updates of compromised accounts that our incident response team have been able to investigate and confirm.”

Authentication bypass in the ScreenConnect setup wizard

The ScreenConnect patch addresses two vulnerabilities that don’t yet have CVE identifiers: An authentication bypass that’s rated with the maximum score of 10 (Critical) on the CVSS severity scale and an improper limitation of a pathname to a restricted directory, also known as a path traversal flaw, that’s rated 8.4 (High).

Researchers from security firms Horizon3.ai and Huntress independently analyzed the patches and determined that the authentication bypass flaw is caused by attackers being able to access and run the initial setup wizard again on an existing deployment. One critical part of this setup wizard, which should only be run once when the software is deployed, is that it allows the customer to set the admin username and password. Therefore, by running it again, an attacker is able to reset the application’s user database and create a new administrative account with credentials they control.

The application already had code that was meant to block requests trying to access the SetupWizard.aspx page after the initial setup was complete, but the check was not strong enough and did not block all variants of the URL. “The use of string.Equals checks for exact equality, so a URL like <app_url>/SetupWizard.aspx will match,” researchers from Horizon3.ai said. “However, there are other URLs that resolve to SetupWizard.aspx that don’t match. If we simply add a forward slash to the end of the URL (<app_url>/SetupWizard.aspx/) we get access to the setup wizard, even after the application is already set up.”

This vulnerability is similar to one patched in January in Fortra GoAnywhere MFT, CVE-2024-0204, where attackers could similarly use a specially crafted request to reinitialize the original setup wizard and create their own administrative account. “The application’s Admin -> Audit page displays a list of recent login attempts along with the IP address,” the Horizon3.ai researchers said. “You can check this page for any unrecognized users or IP addresses.”
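Added example, not code from either article, from Horizon3.ai or from ConnectWise, and in Python rather than the .NET the product is written in: the exact-equality check as the researchers describe it, a normalized check beside it, and a scan of constructed IIS-style log lines for requests that reached the setup wizard after installation, the kind of hunt the Admin -> Audit advice points at. The normalization rules (case folding, percent-decoding, trailing-slash and trailing-segment handling), the simplified log format and the IP addresses are assumptions made for the illustration; the only variant the article itself documents is the trailing slash.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# The one page that must never be reachable once the product is installed.
SETUP_WIZARD = "/SetupWizard.aspx"


def blocks_exact(path: str) -> bool:
    """Mimics a string.Equals comparison: only the canonical spelling matches,
    so "/SetupWizard.aspx/" (trailing slash) slips past, as Horizon3.ai described."""
    return path == SETUP_WIZARD


def normalize_path(path: str) -> str:
    """Reduce a request path to a canonical form before comparing it.
    Assumptions for this example: IIS resolves paths case-insensitively, the
    handler sees the percent-decoded path, and duplicate or trailing slashes
    still resolve to the same .aspx page."""
    p = unquote(path.split("?", 1)[0])
    while "//" in p:
        p = p.replace("//", "/")
    p = p.rstrip("/") or "/"
    return p.lower()


def blocks_normalized(path: str) -> bool:
    """Hardened check: block when the normalized path IS the wizard, or when the
    wizard is the first segment and the rest is a trailing sub-path (ASP.NET
    PathInfo, e.g. /SetupWizard.aspx/anything). Assumed generalization."""
    p = normalize_path(path)
    target = SETUP_WIZARD.lower()
    return p == target or p.startswith(target + "/")


def compare_checks(paths):
    """Side by side: (exact-match result, normalized result) per path."""
    return {p: (blocks_exact(p), blocks_normalized(p)) for p in paths}


# Constructed, simplified IIS-style lines: date time c-ip method uri status.
# Real W3C logs carry more fields; adjust LOG_RE to your field order.
SAMPLE_LOG = [
    "2024-02-01 09:00:00 10.0.0.5 GET /SetupWizard.aspx 200",      # install day, legitimate
    "2024-02-20 14:02:11 203.0.113.7 GET /SetupWizard.aspx 403",   # exact check blocked it
    "2024-02-20 14:02:13 203.0.113.7 GET /SetupWizard.aspx/ 200",  # trailing slash got through
    "2024-02-20 14:02:20 203.0.113.7 POST /SetupWizard.aspx/ 302", # wizard form submitted
    "2024-02-20 14:05:00 10.0.0.12 GET /Host 200",                 # normal console traffic
]

# Time the original installation finished (constructed for the example).
INSTALL_COMPLETE = datetime(2024, 2, 1, 12, 0, 0)

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$"
)


def find_setup_wizard_requests(lines, installed_since):
    """Return (client_ip, uri, status) for every request that resolves to the
    setup wizard after installation finished. Any such hit, whatever the
    status code, is worth cross-checking against the Admin -> Audit page."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip header/comment lines or unparsable records
        ts = datetime.fromisoformat(f"{m['date']}T{m['time']}")
        if ts <= installed_since:
            continue  # the wizard legitimately runs once, during install
        if blocks_normalized(m["uri"]):
            hits.append((m["ip"], m["uri"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for path, (exact, normalized) in compare_checks(
        ["/SetupWizard.aspx", "/SetupWizard.aspx/", "/setupwizard.aspx", "/Host"]
    ).items():
        print(f"{path:24} exact={exact!s:5} normalized={normalized}")
    for ip, uri, status in find_setup_wizard_requests(SAMPLE_LOG, INSTALL_COMPLETE):
        print(f"post-install wizard request from {ip}: {uri} -> {status}")
```

The scan deliberately reports the 403 as well as the 200 and 302: a blocked attempt from an address you do not recognize is the same actor probing before the variant that worked, and the source IPs are what you compare with the ones ConnectWise published and with the Audit page's login list.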
 

Knoxville's Joker

Has No Life - Lives on TB
It would be nice to close any "holes" to the Chinese before the invasion ships leave port.

Dobbin
I doubt China will be able to pull off an invasion. Their military is in horrible shape and I have doubts their logistics capability would withstand even casual use.

Plus with the internal strife going on I could see an attempted invasion backfire majorly to the point where the Taiwanese repel China and start a land invasion on the mainland welcomed by the locals. As it stands the CCP is looking at a full on top to bottom collapse and the establishment of autonomous provinces as the citizenry is fed up with the control.
 

Ractivist

Pride comes before the fall.....Pride month ended.
I doubt China will be able to pull off an invasion. Their military is in horrible shape and I have doubts their logistics capability would withstand even casual use.

Plus with the internal strife going on I could see an attempted invasion backfire majorly to the point where the Taiwanese repel China and start a land invasion on the mainland welcomed by the locals. As it stands the CCP is looking at a full on top to bottom collapse and the establishment of autonomous provinces as the citizenry is fed up with the control.
Look weak when you are strong. China will not just go away without going hot first. They have plenty of capability, may not be enough on one level, but add them all up, and it's formidable. Plenty enough to hurt real bad.
 

Knoxville's Joker

Has No Life - Lives on TB
Look weak when you are strong. China will not just go away without going hot first. They have plenty of capability, may not be enough on one level, but add them all up, and it's formidable. Plenty enough to hurt real bad.
Yes, but hard to pull off if the majority of your equipment is non-functional due to corruption...
 