ConnectWise, a provider of remote monitoring and management (RMM) solutions, has issued a critical security advisory concerning vulnerabilities found in older versions of its ScreenConnect software.
The advisory, released on February 19, 2024, underscores two significant vulnerabilities present in earlier iterations of ScreenConnect, now addressed in version 23.9.8 and subsequent updates.
According to ConnectWise, these vulnerabilities pose a severe risk, with the potential to enable remote code execution or compromise sensitive data and critical systems. The vulnerabilities identified are as follows:
CVE-2024-1709 (CWE-288) — Authentication Bypass Using Alternate Path or Channel: Rated with a base CVSS score of 10, denoting a “Critical” severity level.
CVE-2024-1708 (CWE-22) — Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”): Assigned a base CVSS score of 8.4, still categorized as a “High Priority” issue.
Cloud-hosted implementations of ScreenConnect, encompassing domains such as screenconnect.com and hostedrmm.com, have already received updates to remediate these vulnerabilities. However, on-premise instances remain vulnerable until manually upgraded. ConnectWise strongly advises users to promptly patch their installations to ScreenConnect version 23.9.8, available for download on the ScreenConnect website.
In a related development on February 21, proof of concept (PoC) code exploiting these vulnerabilities surfaced on GitHub. This code facilitates unauthorized access to affected systems by adding a new user. ConnectWise has also updated its initial report to acknowledge observed instances of active exploitation in real-world scenarios.
Recommended Actions:
Users are urged to verify whether their deployment of ScreenConnect is on-premise.
If using an on-premise version not updated to 23.9.8 or later, immediate upgrading is advised.
Cloud-hosted deployments are already patched and not susceptible to these vulnerabilities.
Third-party vendors managing deployments should confirm they have updated to version 23.9.8 or later.
If patching is not immediately feasible, isolating the ScreenConnect server from the internet (for example, by restricting inbound access to the server) is recommended until the update can be applied.
Following patching, users should conduct a comprehensive audit of their ScreenConnect installations for any anomalous activities or unauthorized accounts.
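The recommended actions above amount to two checks an administrator of an on-premise server can script: confirm the installed version is 23.9.8 or later, and flag any accounts created on or after the advisory date that nobody recognises. The following Python is an added example written for this page, not code from ConnectWise or Sophos. It assumes the administrator has already obtained the version string and a simple (name, creation timestamp) export of user accounts from their own server; how that export is produced is deployment-specific and not shown. The sample records are constructed for illustration. The version check deliberately compares numeric tuples rather than strings, because a naive string comparison ranks "23.9.10" below "23.9.8" and would report a patched server as vulnerable.

```python
"""Added example (not from the advisory or from ConnectWise/Sophos): two of the
recommended post-advisory checks for an on-premise ScreenConnect server.

  1. Version check: is the install on 23.9.8 or later?
  2. Account audit: which accounts appeared on or after the advisory date
     (2024-02-19) that the administrator does not recognise?

Assumptions: the version string and the user export are obtained by the
administrator from their own server (how is deployment-specific and not
shown here); the sample records below are constructed for illustration.
"""
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Tuple

PATCHED_VERSION = (23, 9, 8)                                  # from the advisory
ADVISORY_DATE = datetime(2024, 2, 19, tzinfo=timezone.utc)    # from the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """'23.9.10.8817' -> (23, 9, 10, 8817). Rejects anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version_text: str) -> bool:
    """True when the version is 23.9.8 or later.

    Compares numeric tuples, not strings: a naive string comparison would
    wrongly rank '23.9.10' below '23.9.8'. Only the first three components
    matter for the baseline; shorter strings are padded with zeros.
    """
    major_minor_patch = parse_version(version_text)[:3]
    padded = major_minor_patch + (0,) * (3 - len(major_minor_patch))
    return padded >= PATCHED_VERSION


def suspicious_accounts(users: Iterable[Tuple[str, str]],
                        known_accounts: Iterable[str],
                        since: datetime = ADVISORY_DATE) -> List[str]:
    """Return account names created on/after `since` that are not on the
    administrator's list of expected accounts.

    `users` is an iterable of (name, ISO-8601 creation timestamp) pairs.
    Names are compared case-insensitively so that a look-alike account
    differing only in case is not silently accepted.
    """
    expected = {name.lower() for name in known_accounts}
    flagged = []
    for name, created_iso in users:
        created = datetime.fromisoformat(created_iso)
        if created.tzinfo is None:          # treat naive timestamps as UTC
            created = created.replace(tzinfo=timezone.utc)
        if created >= since and name.lower() not in expected:
            flagged.append(name)
    return flagged


def run_checks(version_text: str,
               users: Iterable[Tuple[str, str]],
               known_accounts: Iterable[str]) -> Dict[str, object]:
    """Combine both checks into one report for the administrator."""
    flagged = suspicious_accounts(users, known_accounts)
    patched = is_patched(version_text)
    return {
        "version": version_text,
        "patched": patched,
        "flagged_accounts": flagged,
        # An unpatched server or an unexplained new account both warrant
        # the full audit the advisory recommends.
        "action_required": (not patched) or bool(flagged),
    }


# Constructed sample data (not real server output).
SAMPLE_USERS = [
    ("helpdesk", "2022-06-01T09:00:00+00:00"),
    ("jsmith", "2024-01-10T14:30:00+00:00"),
    ("newhire", "2024-02-20T08:15:00+00:00"),   # after the advisory, but expected
    ("support1", "2024-02-21T03:47:12+00:00"),  # after the advisory, unexpected
]
SAMPLE_KNOWN = ["helpdesk", "jsmith", "newhire"]

if __name__ == "__main__":
    for ver in ("23.9.7", "23.9.8", "23.9.10"):
        print(f"{ver}: {'patched' if is_patched(ver) else 'VULNERABLE'}")
    print(run_checks("23.9.8", SAMPLE_USERS, SAMPLE_KNOWN))
```

Run it against your own version string and account export; any entry in `flagged_accounts` is a starting point for the post-patch audit, and `action_required` stays true until the server is both on 23.9.8 or later and every recently created account has been accounted for.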
Sophos Response:
Sophos, a cybersecurity firm, is monitoring developments regarding these ScreenConnect vulnerabilities and their exploitation.
Existing detection rules have been bolstered to identify potential abuse of ScreenConnect. Additionally, a new prevention rule (ATK/SCBypass-A) has been deployed, with network-based (IPS) signatures currently undergoing testing to counteract the publicized proof of concept and future exploits.
For customers utilizing Managed Detection and Response (MDR) services, Sophos has initiated a proactive threat hunting campaign. MDR analysts will promptly engage with customers upon detecting any suspicious activities, providing ongoing monitoring and response as necessary. Further updates will be disseminated as additional information becomes available.
This security advisory underscores the critical importance of promptly applying software updates and maintaining robust cybersecurity measures to safeguard against evolving threats. ConnectWise and Sophos continue to collaborate closely to mitigate risks and protect users from potential exploits.