National Cyber Warfare Foundation (NCWF) Forums


High-Risk Vulnerabilities in ConnectWise ScreenConnect


2024-02-20 20:07:17
milo
Red Team (CNA)

On February 19, 2024 ConnectWise disclosed two vulnerabilities in their ScreenConnect remote access software. Both vulnerabilities affect ScreenConnect 23.9.7 and earlier. While neither vulnerability has a CVE assigned as of February 20, the two issues mentioned in ConnectWise’s advisory are:

  • An authentication bypass using an alternate path or channel (CVSS 10)
  • A path traversal issue (CVSS 8.4)

ScreenConnect is popular remote access software used by many organizations globally; it has also been abused by adversaries in the past. There appear to be some 7,500+ instances of ScreenConnect exposed to the public internet. The vulnerabilities are not known to be exploited in the wild as of February 20.

Security news media and security vendors are raising strong alarms about the ScreenConnect vulnerabilities, largely because of the potential for attackers to exploit vulnerable ScreenConnect instances to then push ransomware to downstream clients. This may be a particular concern for managed service providers (MSPs) or managed security services providers (MSSPs) who use ScreenConnect to remotely manage client environments.

Mitigation guidance

All versions of ConnectWise ScreenConnect before 23.9.8 are vulnerable to these (CVE-less) issues. Customers who have on-premises ScreenConnect instances in their environments should apply the 23.9.8 update immediately, per ConnectWise’s guidance.
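To triage an asset inventory against the 23.9.8 threshold above, the following added example (not code from Rapid7 or ConnectWise) compares versions numerically rather than as strings. The host names and version strings are constructed sample data, and the script assumes the inventory reports dotted-numeric versions with an optional fourth build component.

```python
import re

FIXED = (23, 9, 8)  # first fixed release named in the advisory


def parse_version(text):
    """Return a tuple of ints for a dotted-numeric version, else None."""
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+){1,3})\s*", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def classify(version_text):
    """Classify one reported version as vulnerable, patched or unknown."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # unparseable: needs manual review, never assume patched
    padded = v + (0,) * (3 - len(v))  # treat "23.9" as 23.9.0
    # Only major.minor.patch decide; a fourth (build) component is ignored.
    return "vulnerable" if padded[:3] < FIXED else "patched"


def triage(inventory):
    """Group (host, version) pairs by status; hosts are sorted per group."""
    groups = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory:
        groups[classify(version)].append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = [
    ("msp-relay-01", "23.9.7"),
    ("msp-relay-02", "23.9.8"),
    ("branch-sc", "23.9.10"),        # a string compare would call this older than 23.9.8
    ("legacy-sc", "22.10.3.1234"),
    ("lab-sc", "v23.9.7.0001"),
    ("kiosk-sc", "n/a"),
]

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" group should be checked by hand rather than treated as patched.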

Rapid7 customers

Our engineering team is researching new vulnerability checks for these issues. We hope to release vulnerability checks for InsightVM and Nexpose customers in tomorrow’s (February 21) content release. We will update this blog with further information and ETAs as our investigation continues.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on post-exploitation behavior related to these vulnerabilities:

  • Attacker Technique - Remote Access Via ScreenConnect
  • Attacker Technique - Command Execution Via ScreenConnect
  • Suspicious Process - ScreenConnect with RunRole Argument



Source: Rapid7
Source Link: https://blog.rapid7.com/2024/02/20/etr-high-risk-vulnerabilities-in-connectwise-screenconnect/

