On February 19, 2023, ConnectWise issued a security notification regarding two security flaws found within their ScreenConnect remote management software. The flaws identified were an authentication bypass rated at CVSS 10.0 and a path traversal rated at CVSS 8.4, neither of which had been assigned CVE IDs at that time. This article focuses on the intricate details of the authentication bypass vulnerability, with a proof of concept (POC) available for review.
Introduction
On February 19, 2023, ConnectWise issued a security notification regarding two security flaws found within their ScreenConnect remote management software. The flaws identified were an authentication bypass rated at CVSS 10.0 and a path traversal rated at CVSS 8.4, neither of which had been assigned CVE IDs at that time. This article focuses on the intricate details of the authentication bypass vulnerability, with a proof of concept (POC) available for review.
Subsequent Update: The authentication bypass flaw received a designation of CVE-2024-1709 on February 21, 2023, and was included in the CISA Known Exploited Vulnerability (KEV) catalog.
Patch Analysis
An examination of the differences between ScreenConnect versions 23.9.7.8804 and 23.9.8.8811 revealed a minor modification in SetupWizard.aspx. A new validation was implemented to ensure the initial setup process of the application was completed before accessing the SetupWizard page, which is crucial for the generation of initial user credentials.
Identification of the Vulnerability
Within the SetupModule.cs, a HTTP request filter functions to either redirect all requests to SetupWizard.aspx if the application is unconfigured, or deny access to this page once setup is complete. However, a flaw exists in the URL validation method for SetupWizard.aspx. By simply appending a slash to the URL, unauthorized access to the setup wizard is possible even post setup, exposing a significant security risk.
Indicators of Compromise
The application’s administration audit logs offer insights into recent login attempts, including IP addresses. These logs are essential for identifying any unfamiliar user activities or IP addresses.
Following the discovery, information was shared with GreyNoise, which subsequently developed a specific tag for this vulnerability, available for consultation on their platform.
Summary
This vulnerability permits unauthorized users to gain administrative control over the ScreenConnect server by creating new administrative accounts. It highlights a recurring issue seen in recent vulnerabilities, where attackers can reinitialize applications or create new initial users post-setup. A similar issue was documented in CVE-2024-0204.
Despite the lack of a CVE assignment initially, it is imperative for users of ConnectWise ScreenConnect to apply patches immediately to mitigate potential exploitation.
Updates
February 22, 2024: ConnectWise advises on-premise partners to upgrade to version 23.9.8 or newer promptly to address these security concerns. An additional mitigation has been implemented for unpatched on-premise installations, which will suspend instances not updated to version 23.9.8 or later, with instructions provided for upgrading.
February 21, 2024: Cloud partners are fully remediated against the vulnerabilities with no further action required. On-premise partners are urged to update to the latest ScreenConnect version to mitigate the vulnerabilities.
February 20, 2024: The release of ScreenConnect version 23.9.10.8817 introduces various enhancements and security fixes, emphasizing the importance of maintaining the software up to date for optimal security and performance. Additionally, ConnectWise has lifted license restrictions to facilitate updates to the latest version for all partners.
Original Bulletin
Security vulnerabilities reported on February 13, 2024, necessitate immediate updates by on-premise partners to safeguard against potential exploitation. These vulnerabilities, described under CWE-288 and CWE-22, pose a critical risk, enabling unauthorized access and directory traversal attacks.
Remediation Steps:
- Cloud-based ScreenConnect servers are already updated and secure.
- On-premise installations must upgrade to version 23.9.8 immediately for protection.
ConnectWise emphasizes the importance of upgrading to the latest software version to ensure comprehensive security against these and future vulnerabilities.
