A important vulnerability patched this week within the ConnectWise ScreenConnect distant desktop software program is already being exploited within the wild. Researchers warn that it’s trivial to use the flaw, which permits attackers to bypass authentication and achieve distant code execution on programs, and proof-of-concept exploits exist already.
ScreenConnect is a well-liked distant assist software with each on-premises and in-cloud deployments. In response to ConnectWise’s advisory launched Monday, the cloud deployments hosted at screenconnect.com or hostedrmm.com have routinely been patched, however prospects have to urgently improve their on-premises deployments to model 23.9.8.
Data from web scanning service Censys confirmed over 8,000 weak ScreenConnect servers when the vulnerability was disclosed. Nevertheless, the influence of a profitable exploit might prolong previous the server itself since a single ScreenConnect server might present attackers with entry to a whole bunch or 1000’s of endpoints — even throughout a number of organizations if the server is run by a managed service supplier (MSP).
Attackers have exploited vulnerabilities in distant monitoring and administration (RMM) instruments utilized by MSPs previously to achieve entry to their prospects’ networks, they usually additionally abused such instruments for command-and-control in different assaults. Final month, the US Cybersecurity and Infrastructure Safety Company (CISA), the Nationwide Safety Company (NSA), and the Multi-State Data Sharing and Evaluation Heart (MS-ISAC) issued a joint advisory a couple of malicious marketing campaign that concerned phishing emails that led to the obtain of legit RMM software program, corresponding to ScreenConnect and AnyDesk, that attackers then used to steal cash from victims’ financial institution accounts in a refund rip-off.
In its unique advisory, ConnectWise stated there was no proof of the 2 vulnerabilities it disclosed being exploited within the wild, however in the future later it up to date its advisory to warn prospects that: “We acquired updates of compromised accounts that our incident response workforce have been capable of examine and ensure.”
Authentication bypass within the ScreenConnect setup wizard
The ScreenConnect patch addresses two vulnerabilities that don’t but have CVE identifiers: An authentication bypass that’s rated with the utmost rating of 10 (Important) on the CVSS severity scale and an improper limitation of a pathname to a restricted listing, often known as a path traversal flaw, that’s rated 8.4 (Excessive).
