Date: 22/2/2024 | Prepared by: Jack Rutherford, Chief Technology Officer
This bulletin addresses a recently disclosed CRITICAL-risk vulnerability present in the remote access software, ConnectWise ScreenConnect.
This software is commonly used by Managed Service Providers (MSPs) and organisations to remotely access networks.
The disclosed vulnerability is an authentication bypass, which allows attackers to perform Remote Code Execution (RCE). Exploitation complexity is very low as no user interaction is required, and a Proof of Concept (POC) already exists for this vulnerability.
As such, this vulnerability has been assigned a Common Vulnerability Scoring System (CVSS) score of 10/10 by NIST.
Triskele Labs strongly advises all organisations using self-hosted ScreenConnect versions 23.9.7 and prior to apply the most recent update, version 23.9.8, immediately.
This vulnerability is being tracked as CVE-2024-1709.
On 13 February 2024, two (2) vulnerabilities were disclosed to ConnectWise through their vulnerability disclosure channel. These were a path traversal vulnerability (CVE-2024-1708) rated 8.4/10 and an authentication bypass (CVE-2024-1709) rated 10/10.
Subsequently, on 19 February 2024, ConnectWise released a security patch and associated bulletin advising customers to update their software immediately.
On 20 February 2024, ConnectWise disclosed that the vulnerability was being exploited in the wild. ConnectWise have provided the following IP addresses as Indicators of Compromise (IOCs):
On 21 February 2024, a POC was released by watchTowr via their Git repository.
On 22 February 2024, the popular exploitation framework Metasploit had a pull request open for the exploit, indicating that a module will be available soon.
Both the POC and the Metasploit module significantly reduce the complexity of exploitation and allow even the most novice threat actors to exploit this vulnerability.
As this vulnerability affects software that is, by its nature, commonly exposed to the internet, the software is widely used, the exploitation complexity is low, and successful exploitation grants remote access to the target’s network, the impact of this vulnerability is significant.
Exploitation of this vulnerability is likely to be used as an initial access vector leading to full compromise of internal networks. Vulnerabilities of this nature often result in widespread deployment of ransomware and widespread exfiltration of sensitive data, ultimately resulting in extortion attacks.
Triskele Labs recommends immediately updating ConnectWise ScreenConnect servers to version 23.9.8. This vulnerability affects self-hosted and on-premise solutions.
The latest version is available at the following resource:
For instructions on how to update ConnectWise ScreenConnect, please see the following resource:
ScreenConnect servers hosted in the “screenconnect.com” cloud or the “hostedrmm.com” cloud have been updated to remediate the issue and no action is required.
If updating ScreenConnect immediately is not an option, Triskele Labs strongly recommends blocking all inbound access to ScreenConnect services, by disabling the ScreenConnect services and blocking them at the firewall.
Please note that updating the ScreenConnect software will not remove persistence that Threat Actors may have put in place if they have already compromised the software. Triskele Labs recommends performing Threat Hunting to look for IOCs and evidence of persistence for complete confidence that the vulnerability has not already been exploited.
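The two recommendations above (confirm every self-hosted server is on 23.9.8 or later, and hunt firewall logs for the vendor-supplied IOC addresses) can be scripted as a triage pass. The following is an added example written for this bulletin, not Triskele Labs or ConnectWise tooling. The server inventory and firewall log lines are constructed, and the IOC addresses are RFC 5737 documentation placeholders, since this bulletin does not reproduce the ConnectWise list; substitute the real addresses before use.

```python
"""
Added example (not part of the bulletin): flag self-hosted ScreenConnect
servers still on 23.9.7 or earlier, and match firewall log lines against a
list of IOC source IPs. All inventory, log lines and IOC IPs below are
constructed placeholders.
"""
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

# From the bulletin: versions 23.9.7 and prior are vulnerable, 23.9.8 is fixed.
FIXED_VERSION = (23, 9, 8)

# Placeholder IOC list (RFC 5737 documentation ranges). Replace with the
# IP addresses published by ConnectWise.
IOC_IPS = {"203.0.113.10", "198.51.100.25"}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted version such as '23.9.7.8804' into a comparable tuple."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if not parts:
        raise ValueError(f"empty version string: {version!r}")
    return parts


def is_vulnerable(version: str) -> bool:
    """True when the server version is below 23.9.8 (i.e. 23.9.7 or prior).

    Only the first three components are compared so that a trailing build
    number (e.g. 23.9.8.8811) does not affect the result.
    """
    return parse_version(version)[:3] < FIXED_VERSION


# Constructed inventory: hosting type matters because the bulletin states that
# screenconnect.com / hostedrmm.com cloud instances were patched by the vendor.
SAMPLE_INVENTORY = [
    {"host": "sc-prod.example.internal", "hosting": "self-hosted", "version": "23.9.7.8804"},
    {"host": "sc-lab.example.internal", "hosting": "self-hosted", "version": "23.9.8.8811"},
    {"host": "sc-old.example.internal", "hosting": "self-hosted", "version": "22.6.10"},
    {"host": "example.screenconnect.com", "hosting": "cloud", "version": "23.9.7"},
]


def needs_update(inventory: Iterable[dict]) -> list[str]:
    """Return hostnames of self-hosted servers that still need the 23.9.8 update."""
    return [
        entry["host"]
        for entry in inventory
        if entry["hosting"] == "self-hosted" and is_vulnerable(entry["version"])
    ]


# Constructed key=value firewall log format; adjust the regex to your firewall.
SRC_FIELD = re.compile(r"\bsrc=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")

SAMPLE_LOGS = [
    "2024-02-21T03:14:07Z fw01 action=allow src=203.0.113.10 dst=10.0.0.5 dport=443",
    "2024-02-21T03:15:11Z fw01 action=allow src=192.0.2.44 dst=10.0.0.5 dport=443",
    "2024-02-21T03:16:02Z fw01 action=deny src=198.51.100.25 dst=10.0.0.5 dport=443",
]


def find_ioc_hits(log_lines: Iterable[str], iocs: set[str] = IOC_IPS) -> list[str]:
    """Return the log lines whose source IP appears in the IOC set."""
    wanted = {ipaddress.ip_address(ip) for ip in iocs}
    hits = []
    for line in log_lines:
        match = SRC_FIELD.search(line)
        if not match:
            continue
        try:
            src = ipaddress.ip_address(match.group("ip"))
        except ValueError:  # malformed octet such as 999.1.1.1
            continue
        if src in wanted:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for host in needs_update(SAMPLE_INVENTORY):
        print(f"UPDATE REQUIRED: {host}")
    for line in find_ioc_hits(SAMPLE_LOGS):
        print(f"IOC HIT: {line}")
```

A log hit from an IOC address is a reason to start the persistence hunt the bulletin describes, not proof of compromise on its own; equally, an empty result only covers the addresses in the list, so an up-to-date version check remains the primary control.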
Triskele Labs DefenceShield customers with our Assess service (Vulnerability Scanning) are currently being scanned. All customers with our Monitor service (24x7x365 Managed Detection and Response) are - as always - being monitored closely for related IOCs and Tactics, Techniques and Procedures (TTPs).
References used for the generation of this release: