ConnectWise sounds the alarm on two vulnerabilities – Sophos News

On February 19, 2024, ConnectWise released a security advisory for its remote monitoring and management (RMM) software. The advisory highlighted two vulnerabilities that affect older versions of ScreenConnect and have been mitigated in version 23.9.8 and later. ConnectWise states in the advisory that these vulnerabilities are rated as “Critical—Vulnerabilities that could allow the ability to execute remote code or directly impact confidential data or critical systems”. The two vulnerabilities are:

CVE-2024-1709 (CWE-288) — Authentication Bypass Using Alternate Path or Channel

Base CVSS score of 10, indicating “Critical”

CVE-2024-1708 (CWE-22) — Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”)

Base CVSS score of 8.4, still considered “High Priority”

Cloud-hosted implementations of ScreenConnect, including screenconnect.com and hostedrmm.com, have already received updates to address these vulnerabilities. Self-hosted (on-premise) instances remain at risk until they are manually upgraded, and our recommendation is to patch to ScreenConnect version 23.9.8 immediately. The upgrade is available on ScreenConnect’s download page.
On February 21, proof-of-concept (PoC) code was released on GitHub that exploits these vulnerabilities and adds a new user to the compromised system. ConnectWise has also updated its initial report to include observed, active exploitation of these vulnerabilities in the wild.
What you should do

Check whether you have an on-premise deployment of ScreenConnect

If an on-premise version is present in your environment and is not on 23.9.8 or later, upgrade to the latest version
If an on-premise version is present in your environment and is already on 23.9.8 or later, you are not at risk from these two vulnerabilities and no further action is necessary

If you are not on-premise and are instead cloud-hosted, you are not at risk and no further action is needed
If your deployment is managed by a third-party vendor, confirm with them that they have upgraded their instance to 23.9.8 or later
If patching is not possible, ensure that the ScreenConnect server is not reachable from the Internet until the patch can be applied
Once patching has been completed, perform a thorough review of the ScreenConnect installation, looking for unknown accounts and abnormal server activity.
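
The checklist above can be scripted. The following PowerShell triage script is an added example, not code from the Sophos post or from ConnectWise: it locates an on-premise ScreenConnect install from the Windows Uninstall registry keys, compares the installed version against 23.9.8, lists the addresses and ports the service is listening on (so you can judge Internet exposure before a patch is possible), and enumerates accounts in the internal user store. The install path C:\Program Files (x86)\ScreenConnect, the process name ScreenConnect.Service, the App_Data\User.xml store and the XML element names it reads are assumptions; inspect the file on your server if they differ.

```powershell
# Added triage script (not from the Sophos post or from ConnectWise).
# Assumptions: ScreenConnect registers in the standard Uninstall registry keys with a
# DisplayName starting "ScreenConnect", the service process is ScreenConnect.Service,
# and the default internal user store is App_Data\User.xml under the install directory.
# Run in an elevated PowerShell session on the ScreenConnect server.

$FixedVersion      = [version]'23.9.8'                          # first release containing the fixes
$DefaultInstallDir = 'C:\Program Files (x86)\ScreenConnect'     # assumed default install path

function Get-ScreenConnectInstall {
    # Query both the 64-bit and the 32-bit (WOW6432Node) Uninstall views.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'ScreenConnect*' } |
        Select-Object -First 1
}

function ConvertTo-ScVersion([string]$Text) {
    # Keep only the leading numeric part (1 to 4 dotted components) so [version] can parse it.
    $m = [regex]::Match($Text, '^\d+(\.\d+){1,3}')
    if (-not $m.Success) { return $null }
    [version]$m.Value
}

$sc = Get-ScreenConnectInstall
if (-not $sc) {
    Write-Output 'No on-premise ScreenConnect installation found; a cloud-hosted instance needs no action.'
    return
}

# 1. Version check: anything below 23.9.8 is affected by CVE-2024-1709 and CVE-2024-1708.
$installed = ConvertTo-ScVersion $sc.DisplayVersion
if ($null -eq $installed) {
    Write-Warning "Could not parse DisplayVersion '$($sc.DisplayVersion)'; verify the version manually."
} elseif ($installed -lt $FixedVersion) {
    Write-Warning "ScreenConnect $installed is VULNERABLE; upgrade to $FixedVersion or later immediately."
} else {
    Write-Output "ScreenConnect $installed is at or above $FixedVersion."
}

# 2. Exposure check: 0.0.0.0 or :: means every interface. If the host is reachable from the
#    Internet and cannot be patched yet, block inbound access at the firewall or edge first.
$svc = Get-Process -Name 'ScreenConnect.Service' -ErrorAction SilentlyContinue
if ($svc) {
    Get-NetTCPConnection -State Listen -OwningProcess $svc.Id -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort |
        Sort-Object LocalPort -Unique |
        ForEach-Object { Write-Output ('Listening: {0}:{1}' -f $_.LocalAddress, $_.LocalPort) }
}

# 3. Account review: the public PoC adds a new user, so list every account in the internal
#    user store and show when the store itself was last modified.
$installDir = if ($sc.InstallLocation) { $sc.InstallLocation } else { $DefaultInstallDir }
$userStore  = Join-Path $installDir 'App_Data\User.xml'
if (Test-Path $userStore) {
    Write-Output ('User store last modified: {0}' -f (Get-Item $userStore).LastWriteTime)
    [xml]$doc = Get-Content -Path $userStore -Raw
    foreach ($u in $doc.DocumentElement.ChildNodes) {
        # Element names (Name, CreationDate, Roles) are assumed; adjust after inspecting the file.
        $name    = $u.SelectSingleNode('Name')
        $created = $u.SelectSingleNode('CreationDate')
        $roles   = ($u.SelectNodes('Roles/*') | ForEach-Object { $_.InnerText }) -join ','
        Write-Output ('Account: {0}  created={1}  roles={2}' -f $name.InnerText, $created.InnerText, $roles)
    }
} else {
    Write-Warning "User store not found at $userStore; set `$DefaultInstallDir to the real install path."
}
```

The script only reads; it does not upgrade or change firewall state. Treat any account you do not recognise, or a user-store modification time after the server was exposed, as a reason to run the post-patch review described above rather than as proof of compromise on its own. A ScreenConnect server hosted on Linux needs the equivalent checks against its own install directory.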

What Sophos is doing
Sophos is actively monitoring the ongoing developments with these ScreenConnect vulnerabilities and their exploitation. The following detection rules were previously implemented to identify abuse of ScreenConnect and are still viable for identifying post-exploitation activity.

WIN-EXE-PRC-SCREENCONNECT-COMMAND-EXECUTION-1
WIN-EXE-PRC-SCREENCONNECT-REMOTE-FILE-EXECUTION-1
WIN-EXE-PRC-SCREENCONNECT-RUNFILE-EXECUTION-1

We are continuing to ensure protection and detection coverage as changes happen, have released a prevention rule (ATK/SCBypass-A), and are testing related network-based (IPS) signatures to combat the public proof of concept and other future abuse.
For MDR (Managed Detection and Response) customers, we have initiated a customer-wide threat hunting campaign, and our MDR analysts will promptly reach out if any activity is observed. Our MDR team will be diligently monitoring our customer environments for suspicious behavior and responding as necessary. We will provide further updates as more information becomes available.
Acknowledgements
Anthony Bradshaw, Paul Jaramillo, Jordon Olness, and Benjamin Sollman assisted in the development of this post.