ConnectWise has released software updates to address two security flaws in its ScreenConnect remote desktop and access software, including a critical bug that could enable remote code execution on affected systems.
The vulnerabilities are listed below –
- CVE-2024-1708 (CVSS score: 8.4) – Improper limitation of a pathname to a restricted directory aka “path traversal”
- CVE-2024-1709 (CVSS score: 10.0) – Authentication bypass using an alternate path or channel
The company deemed the severity of the issues as critical, citing they “could allow the ability to execute remote code or directly impact confidential data or critical systems.”
Both the vulnerabilities impact ScreenConnect versions 23.9.7 and prior, with fixes available in version 23.9.8. The flaws were reported to the company on February 13, 2024.
While there is no evidence that the shortcomings have been exploited in the wild, users who are running self-hosted or on-premise versions are recommended to update to the latest version as soon as possible.
“ConnectWise will also provide updated versions of releases 22.4 through 23.9.7 for the critical issue, but strongly recommend that partners update to ScreenConnect version 23.9.8,” the IT management software company said.
Cybersecurity firm Huntress said it found more than 8,800 servers running a vulnerable version of ScreenConnect. It has also demonstrated a proof-of-concept (PoC) exploit that it said can be “recreated with ease and required minimal technical knowledge” and used to bypass authentication on unpatched ScreenConnect servers.
ConnectWise Flaws Come Under Active Exploitation
ConnectWise has since revised its advisory to note that it has “received updates of compromised accounts,” indicating active exploitation of the flaws. It said the attacks originated from the following IP addresses –
- 155.133.5[.]15
- 155.133.5[.]14
- 118.69.65[.]60
The exact scale of the campaign is currently unknown, although cybersecurity company Rapid7 said observed exploitation within customer environments.
Huntress has also shared additional technical details of the two vulnerabilities, stating the exploit is “trivial and embarrassingly easy” and that they are being leveraged to deploy the Cobalt Strike adversary simulation framework for post exploitation.
The shortcomings, in particular, could be weaponized to create a rogue administrator account and take control of ScreenConnect and even access or modify files in other directories, leading to arbitrary code execution.
PoC exploits for the authentication bypass bug have also been released by watchTowr Labs and Horizon3.ai, with the latter describing the flaw as residing in the SetupWizard component that’s responsible for creating an initial user and password.
“This vulnerability allows an attacker to create their own administrative user on the ScreenConnect server, giving them full control over the server,” James Horseman said. “This vulnerability follows a theme of other recent vulnerabilities that allow attackers to reinitialize applications or create initial users after setup.”
ConnectWise ScreenConnect Flaws Exploited to Deliver Ransomware
On February 23, 2024, Huntress and Sophos disclosed that the maximum severity authentication bypass vulnerability has been abused to deliver ransomware payloads generated by the leaked LockBit builder, one of which goes by the name “buhtiRansom.”
The company said it also “saw a different attacker attempt to drop another payload using the certutil utility to download it from a web address, write it to the root of the C:\ drive with the filename svchost.exe, and execute it.” While the attack was ultimately unsuccessful, a subsequent analysis has revealed it to be another ransomware variant built on the LockBit builder code.
There are also signs that the flaw has come under widespread exploitation, with numerous opportunistically abusing them to deliver RATs, stealer malware, and cryptocurrency miners such as AsyncRAT, RedLine Stealer, Vidar Stealer, and Redcap.
“One threat actor abused ScreenConnect to push another remote access client to the target machine,” Sophos said. “The attacker used ScreenConnect.WindowsClient.exe to launch the SimpleHelp installer. Five hours later, on the same machine, we observed ransom notes appear on the system and files renamed with a different file extension.”
The development has also led to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding CVE-2024-1709 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to secure their instances within one week by February 29, 2024.