On February 19, 2024, ConnectWise released a security advisory for its remote monitoring and management (RMM) software. The advisory highlighted two vulnerabilities that affect older versions of ScreenConnect and have been mitigated in version 23.9.8 and later. ConnectWise states in the advisory that these vulnerabilities are rated as “Critical—Vulnerabilities that could allow the ability to execute remote code or directly impact confidential data or critical systems”. The two vulnerabilities are:
- CVE-2024-1709 (CWE-288) — Authentication Bypass Using Alternate Path or Channel
  - Base CVSS score of 10, indicating “Critical”
- CVE-2024-1708 (CWE-22) — Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”)
  - Base CVSS score of 8.4, still considered “High Priority”
Cloud-hosted implementations of ScreenConnect, including screenconnect.com and hostedrmm.com, have already received updates to address these vulnerabilities. Self-hosted (on-premise) instances remain at risk until they are manually upgraded, and it is our recommendation to patch to ScreenConnect version 23.9.8 immediately. The upgrade is available on ScreenConnect’s download page.
On February 21, proof of concept (PoC) code was released on GitHub that exploits these vulnerabilities and adds a new user to the compromised system. ConnectWise has also updated their initial report to include observed, active exploitation in the wild of these vulnerabilities.
What you should do
- Check whether you have an on-premise deployment of ScreenConnect
- If an on-premise version is present in your environment and is not on 23.9.8 or later, proceed to upgrade to the latest version
- If an on-premise version is present in your environment and is already on 23.9.8 or later, you are not at risk and no further action is necessary
- If you are not on-premise and are instead cloud-hosted, you are not at risk and no further action is necessary
- If your deployment is managed by a third-party vendor, confirm with them that they have upgraded their instance to 23.9.8 or later
- If patching is not possible, ensure that the ScreenConnect server is not accessible from the Internet until the patch can be applied
- Once patching has been completed, perform a thorough review of the ScreenConnect installation looking for unknown accounts and abnormal server activity.
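The decision list above, encoded as a small triage helper (an added example, not Sophos or ConnectWise code). It assumes the operator has already read the installed version string from the server (for example from the ScreenConnect administration page); the `23.9.7.8804` and `23.9.8.8811` build strings in the demo are constructed samples, and the deployment labels `cloud`, `on-premise` and `vendor-managed` are names chosen here.

```python
"""Triage helper for the ScreenConnect advisory (added example, not vendor code).

How the installed version string is retrieved is outside this snippet; it is
passed in by the operator.
"""
from __future__ import annotations

FIXED_VERSION = "23.9.8"  # the version the advisory names as fixed


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '23.9.8' or a longer build string such as '23.9.8.8811'
    (constructed sample) into a tuple of ints so it compares numerically.
    Comparing the raw strings is a trap: '23.10.1' < '23.9.8' lexicographically,
    which would mark a newer build as vulnerable."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed >= fixed. A trailing build number only matters when
    the leading components are equal, which tuple comparison handles."""
    return parse_version(installed) >= parse_version(fixed)


def triage(deployment: str, installed: str | None = None) -> str:
    """Map the advisory's decision list onto one recommended action.
    deployment is 'cloud', 'on-premise' or 'vendor-managed' (labels chosen here)."""
    if deployment == "cloud":
        return "no action: cloud-hosted instances were already updated"
    if deployment == "vendor-managed":
        return "confirm with the vendor that the instance is on 23.9.8 or later"
    if deployment == "on-premise":
        if installed is None:
            return "determine the installed version before deciding"
        if is_patched(installed):
            return "no action: already on 23.9.8 or later"
        return ("upgrade to 23.9.8 or later now; if that is not possible, remove "
                "Internet exposure until patched; afterwards review the installation "
                "for unknown accounts and abnormal server activity")
    raise ValueError(f"unknown deployment type: {deployment!r}")


if __name__ == "__main__":
    for dep, ver in [("cloud", None), ("on-premise", "23.9.7.8804"),
                     ("on-premise", "23.10.1"), ("vendor-managed", None)]:
        print(f"{dep:15} {ver or '-':12} -> {triage(dep, ver)}")
```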
What Sophos is doing
Sophos is actively monitoring the ongoing developments with these ScreenConnect vulnerabilities and their exploitation. The following detection rules were previously implemented to identify abuse of ScreenConnect and are still viable for identifying post-exploitation activity.
- WIN-EXE-PRC-SCREENCONNECT-COMMAND-EXECUTION-1
- WIN-EXE-PRC-SCREENCONNECT-REMOTE-FILE-EXECUTION-1
- WIN-EXE-PRC-SCREENCONNECT-RUNFILE-EXECUTION-1
We are continuing to ensure protection and detection coverage as changes occur, have released a prevention rule (ATK/SCBypass-A), and are testing associated network-based (IPS) signatures to combat the public proof of concept and other future abuse.
For MDR (Managed Detection and Response) customers, we have initiated a customer-wide threat hunting campaign, and our MDR analysts will promptly reach out if any activity is observed. Our MDR team will be diligently monitoring our customer environments for suspicious behavior and responding as necessary. We will provide further updates as more information becomes available.
Acknowledgements
Anthony Bradshaw, Paul Jaramillo, Jordon Olness, and Benjamin Sollman assisted in the development of this post.