Executive summary
On 19 February 2024, ConnectWise disclosed two critical vulnerabilities in its ScreenConnect remote desktop application, impacting all versions to v23.9.7:
- CVE-2024-1709, an authentication bypass with a CVSS score of 10.0 (critical), allows attackers unauthenticated access to confidential data and systems.
- CVE-2024-1708, a path traversal vulnerability (CVSS score 8.4), amplifies the impact of CVE-2024-1709, potentially enabling remote code execution.
These vulnerabilities are likely to be targeted soon, posing a significant threat to organisations using ScreenConnect. Immediate patching and enhanced security measures are crucial.
Technical analysis
CVE-2024-1709 (authentication bypass): This vulnerability stems from an undisclosed flaw in ScreenConnect's authentication mechanism, allowing attackers to bypass authentication altogether. Exploiting this vulnerability requires minimal technical expertise and can be achieved through specifically crafted requests.
CVE-2024-1708 (path traversal): This vulnerability allows attackers to access files and directories outside their intended scope. When combined with CVE-2024-1709, attackers can leverage this vulnerability to gain unauthorised access to sensitive information or execute arbitrary code on the affected system.
Impact analysis
These vulnerabilities pose a significant threat to organisations using ScreenConnect, with potential consequences including:
- Data breaches: Sensitive data, such as user credentials, financial information, and intellectual property, can be compromised and exfiltrated.
- System outages: Attackers can gain control of systems, leading to disruptions, data manipulation and potential data encryption.
- Financial losses: Data breaches, system outages, and ransomware attacks can incur significant financial losses.
- Reputational damage: Organisations may face reputational damage due to data breaches and security incidents.
Mitigation strategies
Patch immediately: Update ScreenConnect to the latest version (23.9.8) as soon as possible. Patches are available for on-premise and cloud deployments. ScreenConnect servers hosted in screenconnect[.]com cloud or hostedrmm[.]com have been updated to remediate the issue, and no end user action is required.
Enable multi-factor authentication (MFA): Implement MFA for all ScreenConnect users to add an extra layer of security.
Review user permissions: Grant users only the minimum level of access required for their roles.
Monitor activity: Monitor for suspicious activity and unauthorised login attempts.
Segment networks: Segment networks to limit the potential impact of an attack.
Deploy security solutions: Implement endpoint security solutions and intrusion detection/prevention systems (IDS/IPS) to detect and prevent malicious activity.
Proof of concept
A proof of concept (PoC) has been published on GitHub by Watchtowr. This PoC exploits an authentication bypass to add a new administrator within ConnectWise ScreenConnect.
Conclusion
The recent ScreenConnect vulnerabilities pose a serious threat to organisations. There are published PoCs and guides that will likely enable malicious actors to begin targeting these vulnerabilities.
Prompt patching and implementing robust security measures will be crucial to mitigating the risks. Continuous monitoring and vigilance are essential to stay ahead of evolving threats and protect valuable data and systems.
Orbit Security
Security ratings for enhanced attack surface management and third-party risk. Monitor for breaches and vulnerabilities that could be exploited by threat actors.