As exploit code appears, a critical ScreenConnect bug is currently under attack.
The two vulnerabilities ConnectWise disclosed earlier this week for ScreenConnect, its remote desktop and access software, have both technical information and proof-of-concept exploits available.
Attackers began using the security flaws in attacks a day after the vendor made them public.
The vendor identified the two security flaws as a maximum severity authentication bypass and high severity path traversal fault that affect ScreenConnect servers , 23.9.7 and earlier, and CISA has assigned CVE- 2024- 1708 to them.
In order to reduce the risk, ConnectWise advised administrators to update on-premise servers to version 23.98 right away. It also stated that any instances on screenconnect.com cloud or hostedrmm.net have been secured.
According to the company’s update to its advisory and incident response investigations, multiple ScreenConnect accounts have been compromised by threat actors.  ,
Huntress, a cybersecurity company, has examined the vulnerabilities and , and it is is cautioning against creating an exploit.
Additionally, the business claimed that more than 8,800 exposed ScreenConnect servers were visible on Monday’s Censys platform. According to a report from The ShadowServer Foundation, there were about 3,800 people there yesterday.
Following ConnectWise’s announcement of the two vulnerabilities and the ongoing publication of more, the first functional exploits appeared quickly. In order to encourage businesses to move more quickly with corrective actions, Huntress was inspired to share its in-depth analysis and demonstrate how simple it is to create an exploit.
simple to identify and take advantage of
By examining the code modifications the vendor made with the patch, Huntress discovered the two flaws.
The setup wizard ( also known as SetupWizard ) was n’t secured against all access paths, which was the first flaw they discovered in a text file. ‘.aspx ‘
This suggested that even in the most vulnerable versions, users might still be able to use the setup wizard after ScreenConnect had already been configured thanks to a specially crafted request.
A user could set up a new administrator account and use it to manage the ScreenConnect instance because the setup wizard permitted it.
Another specially designed request that enables accessing or editing files outside the intended restricted directory makes it possible to leverage the path traversalbug.
By observing code changes on the” ScreenConnect,” the flaw was discovered. Core. When applications fail to properly sanitize the file extraction path, a vulnerability known as dll’file pointing to ZipSlip is discovered, which could cause sensitive files to be overwritten.
In order to stop file writing outside of designated subdirectories within ScreenConnect’s folder, ConnectWise updates introduce , which imposes stricter path validation when extracting ZIP file contents.
The User can be accessed or manipulated with administrative access from the previous exploit. To push the file system past the intended boundaries, create requests that include directory traversal sequences and nbsp for xml files and other sensitive files.
The attacker may eventually upload a payload outside the ScreenConnect subdirectory, such as an executable or malicious script.
embedded content
Based on the artifacts produced when the aforementioned flaws are exploited, Huntress shared indicators of compromise ( IoCs ) and analytical detection guidance.
It is strongly advised for administrators to use the detections to look for unauthorized access if they have n’t applied the security updates.
Week 6 of” The Good, the Bad, and the Ugly in Cybersecurity”ScreenConnect administrators are urged by ConnectWise to fix a serious RCEbug
(Opens in a new browser tab)ConnectWise ScreenConnect Software Has Been Found to Have Critic Flaws; Patch Now
Two vulnerabilities are raised by ConnectWise.
(Opens in a new browser tab)LockBit ransomware attacks hacked ScreenConnect servers.(Opens in a new browser tab)(Opens in a new browser tab)