DoD-Cyber-Security-Blogs

ConnectWise reports two vulnerabilities in ScreenConnect.

On February 19, 2024, ConnectWise published a security advisory for its ScreenConnect remote monitoring and management (RMM) software. The advisory identifies two vulnerabilities affecting older ScreenConnect versions, fixed in version 23.9.8 and later. ConnectWise classifies both as "Critical – Vulnerabilities that could allow the ability to execute remote code or directly impact confidential data or critical systems." The two flaws are:

  • Authentication Bypass Using an Alternate Path or Channel, CVE-2024-1709 (CWE-288)
    • Base CVSS score of 10, rated "Critical."
  • Improper Limitation of a Pathname to a Restricted Directory (Path Traversal), CVE-2024-1708 (CWE-22)
    • Base CVSS score of 8.4, still rated "High."

Cloud-hosted ScreenConnect instances, including screenconnect.com and hostedrmm.net, have already been updated to address these vulnerabilities. Self-hosted (on-premises) instances remain at risk until they are manually upgraded, so we advise patching to ScreenConnect version 23.9.8 right away. The upgrade is available from the ScreenConnect download page.

Proof-of-concept (PoC) code that exploits these flaws and adds a new user to the compromised system was published on GitHub on February 21. ConnectWise has since updated its original advisory to note observed, active exploitation of these vulnerabilities.

What you should do

  • Check whether ScreenConnect is deployed on-premises in your environment.
    • If an on-premises version is present but is not at 23.9.8 or later, upgrade to the most recent version.
    • If an on-premises version is already at 23.9.8 or later, you are not at risk and no further action is required.
  • If you are cloud-hosted rather than on-premises, you are not at risk and no further action is required.
  • If a third-party vendor manages your deployment, verify with them that their instance has been upgraded to 23.9.8 or later.
  • If patching is not possible, make sure the ScreenConnect server is not reachable from the Internet until the patch can be applied.
  • After patching, perform a thorough inspection of the ScreenConnect installation, looking for unusual server activity and unidentified accounts.
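The checklist above, turned into a small triage helper. This is an added example, not code from Sophos or ConnectWise; it assumes you supply a hosting label for each deployment and the version string read from the installation, and it compares versions numerically so that a two-digit patch level such as 23.9.10 is not mistaken for an unpatched build the way a plain string comparison would.

```python
"""Added example: decide what the February 2024 ScreenConnect advisory
requires for a given deployment. Hosting labels and version strings are
assumed inputs gathered by the reader, not values from the advisory."""
from typing import List, Optional, Tuple

# First fixed version named in the advisory.
PATCHED_VERSION: Tuple[int, ...] = (23, 9, 8)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '23.9.8' into (23, 9, 8).

    Comparing tuples of ints avoids the classic pitfall where the string
    '23.9.10' sorts *below* '23.9.8' because '1' < '8'.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> bool:
    """True when the installed version is 23.9.8 or later."""
    return parse_version(version) >= PATCHED_VERSION


def triage(hosting: str, version: Optional[str] = None) -> str:
    """hosting is one of 'cloud', 'vendor-managed' or 'on-prem'."""
    if hosting == "cloud":
        return "no action: cloud-hosted instances were updated by ConnectWise"
    if hosting == "vendor-managed":
        return "confirm with the vendor that the instance is on 23.9.8 or later"
    if hosting == "on-prem":
        if version is None:
            return "determine the installed version before deciding"
        if is_patched(version):
            return "no action: already on 23.9.8 or later"
        return ("upgrade to 23.9.8 or later now; keep the server off the "
                "Internet until patched, then audit for unknown accounts")
    raise ValueError(f"unknown hosting type: {hosting!r}")


def triage_inventory(hosts: List[Tuple[str, str, Optional[str]]]) -> List[Tuple[str, str]]:
    """Return (hostname, action) for every host that still needs work.

    hosts holds (hostname, hosting, version) triples; version may be None
    for cloud or vendor-managed deployments."""
    results = []
    for hostname, hosting, version in hosts:
        action = triage(hosting, version)
        if not action.startswith("no action"):
            results.append((hostname, action))
    return results
```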

Sophos' actions

Sophos is actively monitoring how these ScreenConnect vulnerabilities are being exploited. The following detection rules, already in place to spot ScreenConnect abuse, remain useful for identifying post-exploitation activity:

  • WIN-EXE-PRC-SCREENCONNECT-COMMAND-EXECUTION-1
  • WIN-EXE-PRC-SCREENCONNECT-REMOTE-FILE-EXECUTION-1
  • WIN-EXE-PRC-SCREENCONNECT-RUNFILE-EXECUTION-1

To counter the public proof of concept and other potential abuse, we have published a prevention rule (ATK/SCBypass-A) and are testing equivalent network-based (IPS) signatures. We are continuing to confirm protection and detection coverage as the situation develops.

We have started a customer-wide threat hunting campaign for MDR (Managed Detection and Response) customers; if any activity is found, our MDR analysts will get in touch right away. Our MDR team will continue to monitor customer environments closely for suspicious behavior. We will update this post as new information becomes available.

Acknowledgements

This post was developed with the help of Anthony Bradshaw, Paul Jaramillo, Jordon Olness, and Benjamin Sollman.
