Cyber experts alarmed by ‘trivial’ ConnectWise vulns

A pair of newly disclosed vulnerabilities in a widely used remote desktop access application beloved of managed services providers (MSPs) is drawing comparisons to the July 2021 cyber attack on Kaseya, with security experts describing exploitation as trivial.

The product in question, ConnectWise ScreenConnect, is widely used by remote workers and IT support teams alike. The first vulnerability enables a threat actor to achieve authentication bypass using an alternate path or channel and is tracked as CVE-2024-1709. It carries a critical CVSS score of 10, and has already been added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue. Thile the second is a path traversal issue, tracked as CVE-2024-1708, which carries a CVSS score of 8.4.

ConnectWise has released fixes for the issue, and says cloud partners are remediated against both already, while on-premises partners should immediately update to version 23.9.10.8817. More information, including indicators of compromise (IoCs) is available here.

ConnectWise confirmed it was aware of and investigating notifications of suspicious activity around the two vulnerabilities, and on 21 February confirmed observed, active exploitation after proof-of-concept exploit code hit GitHub.

“Anyone with ConnectWise ScreenConnect 23.9.8 should take immediate steps to patch these systems. If they cannot patch immediately, they should take steps to remove them from the internet until they can patch. Users should also check for any indications of possible compromise given the speed with which attacks have followed these patches,” said Sophos X-Ops director Christopher Budd.

“The pairing of an exploitable vulnerability with external remote services is a significant factor in real-world attacks, as evidenced in the Active adversary report for tech Leaders based on incident response cases. External remote services are the number one initial access technique; while exploiting a vulnerability was the second most common root cause, at 23%, it has been the most common root cause in the past.

“This real-world data shows how powerful this combination is for attackers and why in this significantly elevated threat environment, vulnerable ConnectWise customers need to take immediate action to protect themselves,” he added.

Following ConnectWise’s initial disclosure notice, researchers at Huntress Security worked overnight to tear down the vulnerability, understand how it worked, and recreate the exploit.

Hanslovan said that the initial disclosure had been very sparse on technical details, and for good reason, but following publication of the PoC exploit code, the cat was now well and truly out of the bag. He described exploitation as “embarrassingly easy”.

“I can’t sugercoat it, this s**t is bad,” said Kyle Hanslovan, Huntress CEO. “We’re talking upwards of ten thousand servers that control hundreds of thousands of endpoints…. The sheer prevalence of this software and the access afforded by this vulnerability signals we are on the cusp of a ransomware free-for-all. Hospitals, critical infrastructure, and state institutions are proven at risk.”