On February 19, 2024, ConnectWise published a security advisory for its remote monitoring and management (RMM) software, ScreenConnect. The advisory describes two vulnerabilities that affect older versions of ScreenConnect and are fixed in version 23.9.8 and later. ConnectWise rates these vulnerabilities in the advisory as “Critical—Vulnerabilities that could allow the ability to execute remote code or directly impact confidential data or critical systems”. The two vulnerabilities are:
- CVE-2024-1709 (CWE-288) — Authentication Bypass Using Alternate Path or Channel
  - Base CVSS score of 10, rated “Critical”
- CVE-2024-1708 (CWE-22) — Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”)
  - Base CVSS score of 8.4, still rated “High Priority”
Cloud-hosted instances of ScreenConnect, including those on screenconnect.com and hostedrmm.com, have already been updated by ConnectWise to address these vulnerabilities. Self-hosted (on-premise) instances remain at risk until they are manually upgraded, and our recommendation is to upgrade to ScreenConnect version 23.9.8 or later immediately. The upgrade is available from ScreenConnect’s download page.
On February 21, proof-of-concept (PoC) code was released on GitHub that exploits these vulnerabilities and adds a new user to the compromised server. ConnectWise has also updated its original advisory to note observed, active exploitation of these vulnerabilities in the wild.
What you should do
- Determine whether you have an on-premise deployment of ScreenConnect
- If an on-premise instance is present in your environment and is not on 23.9.8 or later, upgrade it to the latest version
- If an on-premise instance is present in your environment and is already on 23.9.8 or later, you are not at risk from these vulnerabilities and no further action is necessary (if the instance was reachable from the Internet before it was upgraded, the review in the last step still applies)
- If your instance is not on-premise but cloud-hosted, you are not at risk and no further action is necessary
- If your deployment is managed by a third-party vendor, confirm with them that they have upgraded their instance to 23.9.8 or later
- If patching is not possible, ensure that the ScreenConnect server is not reachable from the Internet until the patch can be applied
- Once patching is complete, perform a thorough review of the ScreenConnect installation, looking for unknown accounts and abnormal server activity.
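As an added example (this is not code from Sophos or ConnectWise), the following Python script applies the checklist above to an inventory of ScreenConnect instances. The fixed version (23.9.8) and the cloud-hosted domains (screenconnect.com, hostedrmm.com) come from the advisory; the inventory rows are constructed sample data, and the format of the HTTP `Server` header parsed by `version_from_server_header` is an assumption that you should verify against your own instance.

```python
"""Triage ScreenConnect instances against the 23.9.8 fix line.

Added example, not Sophos or ConnectWise code. Assumptions:
- SAMPLE_INVENTORY is constructed data, not real hosts;
- the Server header format "ScreenConnect/<version>-<build>" is assumed.
"""
import re

FIXED_VERSION = (23, 9, 8)  # first fixed release named in the advisory
CLOUD_SUFFIXES = ("screenconnect.com", "hostedrmm.com")  # cloud hosts named in the advisory

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text):
    """Return a tuple of ints from a string such as '23.9.7.8813-0c4f8dc6'.

    Versions must be compared numerically: as strings, '23.10.1' sorts
    before '23.9.8' and a fixed build would be reported as vulnerable.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_from_server_header(header):
    """Extract the version from an assumed 'ScreenConnect/<version>-<build>' Server header."""
    m = re.match(r"ScreenConnect/(\S+)", header.strip())
    if not m:
        raise ValueError(f"not a ScreenConnect Server header: {header!r}")
    return parse_version(m.group(1))


def is_cloud_hosted(host):
    """True for instances under the ConnectWise-operated domains, which are already patched."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in CLOUD_SUFFIXES)


def is_vulnerable(version):
    """True when the major.minor.patch components predate 23.9.8.

    Tuple comparison handles short versions correctly: (23, 9) < (23, 9, 8).
    """
    return tuple(version[:3]) < FIXED_VERSION


def triage(host, version_text, internet_exposed):
    """Classify one instance; returns (status, recommended action)."""
    if is_cloud_hosted(host):
        return ("cloud-hosted", "no action: already patched by ConnectWise")
    if not is_vulnerable(parse_version(version_text)):
        return ("patched", "no upgrade needed; review accounts if it was exposed before the upgrade")
    if internet_exposed:
        return ("vulnerable-exposed",
                "upgrade to 23.9.8+ now; block Internet access until patched; then review accounts")
    return ("vulnerable-internal", "upgrade to 23.9.8+ now; review accounts after patching")


# Constructed sample inventory: (hostname, reported version, reachable from the Internet?)
SAMPLE_INVENTORY = [
    ("acme.screenconnect.com", "23.9.7.8813", True),
    ("support.example.internal", "23.9.7.8813", True),
    ("rmm.example.internal", "23.9.8.8811", False),
    ("lab.example.internal", "23.10.1.0", True),
    ("legacy.example.internal", "22.6.10", False),
]


def triage_inventory(rows=SAMPLE_INVENTORY):
    """Map each host to its triage status."""
    return {host: triage(host, ver, exposed)[0] for host, ver, exposed in rows}


if __name__ == "__main__":
    for host, ver, exposed in SAMPLE_INVENTORY:
        status, action = triage(host, ver, exposed)
        print(f"{host:26} {ver:13} {status:19} {action}")
```

The numeric comparison is the part worth copying into your own tooling: a version string is not sortable as text, and a build such as 23.10.x must not be flagged as older than 23.9.8.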
What Sophos is doing
Sophos is actively monitoring the ongoing developments around these ScreenConnect vulnerabilities and their exploitation. The following detection rules were implemented earlier to identify abuse of ScreenConnect and remain valid for identifying post-exploitation activity:
- WIN-EXE-PRC-SCREENCONNECT-COMMAND-EXECUTION-1
- WIN-EXE-PRC-SCREENCONNECT-REMOTE-FILE-EXECUTION-1
- WIN-EXE-PRC-SCREENCONNECT-RUNFILE-EXECUTION-1
We are continuing to ensure protection and detection coverage as the situation develops. We have released a prevention rule (ATK/SCBypass-A) and are testing related network-based (IPS) signatures to counter the public proof of concept and future abuse.
For MDR (Managed Detection and Response) customers, we have initiated a customer-wide threat hunting campaign, and our MDR analysts will promptly reach out if any activity is observed. Our MDR team is also closely monitoring customer environments for suspicious behavior and responding as necessary. We will provide further updates as more information becomes available.
Acknowledgements
Anthony Bradshaw, Paul Jaramillo, Jordon Olness, and Benjamin Sollman assisted in the development of this post.