ConnectWise provides a management platform that helps Managed Service Providers (MSPs), resellers, and other IT solutions providers remotely monitor, manage, and automate the IT technologies they deploy at their customers’ sites. Recently, ConnectWise patched multiple vulnerabilities in their ConnectWise Control products. Unfortunately, the patch failed to resolve some of these vulnerabilities.
Last year, researchers from Bishop Fox found eight vulnerabilities in ConnectWise Control, reported them to the company, and received the threat of a defamation lawsuit in response. ConnectWise made attempts to fix the vulnerabilities, but according to Huntress Labs, some were left unresolved. Without additional mitigations, the unresolved ConnectWise vulnerabilities leave some MSPs at risk.
Fortunately, none of these vulnerabilities on its own gives an attacker enough access to disrupt service or steal data. What they do is make the groundwork for that access, such as capturing credentials, much easier, and an attacker can chain some of them together to gain a higher level of access to ConnectWise Control. Whether used individually or together, they all require some form of user or victim interaction to succeed. If your staff keep a close eye on the address of the site they are on and don't click suspicious links, you probably won't run afoul of them. That said, we know it isn't always possible to ensure everyone examines links 100% of the time. In this article, we'll go over each vulnerability and how best to mitigate it.
- Appearance Modifier XSS
- CORS Misconfiguration
Cross-Origin Resource Sharing (CORS) is the mechanism a web server uses to tell browsers which other origins (domains) may read its responses from script. Normally a page on one site cannot read the response to a request it sends to another site, even though the browser attaches the victim's cookies to that request. When the server answers with an Access-Control-Allow-Origin header naming the requesting origin and Access-Control-Allow-Credentials: true, the browser lifts that restriction. A server that reflects whatever Origin the browser sent, instead of checking it against a list of approved domains, therefore lets any site the victim visits read content that should only be available to the victim at that time, which can leak user information. To fix this, ConnectWise correctly configured CORS on their website.
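To make the failure concrete, here is an added Python example (not ConnectWise's code, and not from the Bishop Fox advisory) that puts a reflecting CORS policy beside an allow-list policy, decides whether a given set of response headers lets a foreign origin read the body with the victim's credentials, and probes a tiny loopback server with each policy. The allowed origin (https://cloud.screenconnect.com), the API path and the JSON body are assumptions chosen for the demonstration.

```python
"""Added example (not ConnectWise's code): reflecting vs. allow-list CORS, plus a probe."""
import http.server
import threading
import urllib.request

# Assumption: only the product's own web origin should read these API responses.
ALLOWED_ORIGINS = {"https://cloud.screenconnect.com"}
# Constructed response body standing in for an authenticated API reply.
SAMPLE_BODY = b'{"email": "admin@example.test", "zip": "00000"}'


def cors_headers_reflecting(origin):
    """Weak policy: echo whatever Origin the browser sent and allow credentials.
    Any site the victim visits can now read this response with the victim's cookies."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_allowlist(origin):
    """Corrected policy: credentialed reads only for an explicit allow-list.
    With no Access-Control-Allow-Origin header the browser withholds the body
    from the cross-origin page (the request itself may still reach the server)."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}  # stop caches serving one origin's grant to another
    return {}


def is_exploitable(headers, evil_origin):
    """True when a response lets evil_origin read it with the victim's credentials.
    Browsers refuse '*' together with credentials, so that pair is not exploitable."""
    acao = headers.get("Access-Control-Allow-Origin")
    acac = headers.get("Access-Control-Allow-Credentials", "").lower()
    return acao == evil_origin and acac == "true"


class _ApiHandler(http.server.BaseHTTPRequestHandler):
    """Tiny stand-in API server; the class attribute selects the CORS policy."""
    policy = staticmethod(cors_headers_reflecting)

    def do_GET(self):
        self.send_response(200)
        for name, value in self.policy(self.headers.get("Origin")).items():
            self.send_header(name, value)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(SAMPLE_BODY)

    def log_message(self, *args):  # keep the demo quiet
        pass


def probe_cors(url, evil_origin="https://attacker.example"):
    """Send a request with a foreign Origin and report whether the server grants it."""
    req = urllib.request.Request(url, headers={"Origin": evil_origin})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return is_exploitable(resp.headers, evil_origin)


def check_policy(policy):
    """Serve the API on a loopback port with the given policy and probe it."""
    handler = type("Handler", (_ApiHandler,), {"policy": staticmethod(policy)})
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_cors(f"http://127.0.0.1:{server.server_address[1]}/api/account")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("reflecting policy exploitable:", check_policy(cors_headers_reflecting))
    print("allow-list policy exploitable:", check_policy(cors_headers_allowlist))
```

The probe is the check to run against a real deployment: send a request carrying an Origin you do not control and see whether that exact origin comes back in Access-Control-Allow-Origin alongside Access-Control-Allow-Credentials: true. The Vary: Origin header in the corrected policy matters in front of a cache, which would otherwise hand one origin's grant to the next requester.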
- CSRF Misconfiguration
- Personally Identifiable Information (PII) Disclosure
ConnectWise leaked email addresses and zip codes to anyone who knew a user's InstanceID. Each ConnectWise Control instance, whether it belongs to an MSP or anyone else who signs up for the cloud service, gets an InstanceID associated with the account. Making a request to cloud.screenconnect.com/scripts/Service/GetScripts with the correct InstanceID returned information about the account, including the email address and zip code, details an attacker could use to profile the MSP, identify the security products it uses and work around them. InstanceIDs were only six alphanumeric characters long, so an attacker can guess or brute force them. ConnectWise patched this by removing the email addresses and zip codes from the response, but adversaries can still enumerate valid IDs and perhaps use them later for other malicious purposes. Increasing the ID length would make this much more difficult, but ConnectWise hasn't done this yet.
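Two things a practitioner would want here: a feel for how small a six-character ID space really is compared with a longer one, and a way to spot someone walking through IDs in the web server logs. The following Python is an added example, not ConnectWise's code. The query parameter name (instanceId) and the Common Log Format of the sample lines are assumptions; the page does not document either, and the log lines are constructed, not captured from any real server.

```python
"""Added example (not ConnectWise's code): ID keyspace arithmetic, a generator for
long random IDs, and a scan of constructed access logs for ID enumeration."""
import math
import re
import secrets
import string
from collections import defaultdict

ALPHANUM = string.ascii_letters + string.digits  # 62 symbols
CASE_INSENSITIVE = 36  # letters plus digits when the server ignores case


def keyspace_bits(length, alphabet_size=CASE_INSENSITIVE):
    """Entropy of a uniformly random ID of this length and alphabet, in bits."""
    return length * math.log2(alphabet_size)


def expected_brute_force_hours(length, alphabet_size, requests_per_second, live_ids=1):
    """Expected wall-clock time for guessing without replacement to hit one of
    `live_ids` valid IDs among alphabet_size**length candidates: roughly
    (K+1)/(N+1) guesses at a fixed request rate. Many live instances means
    *some* valid ID turns up far sooner than one specific target would."""
    keyspace = alphabet_size ** length
    guesses = (keyspace + 1) / (live_ids + 1)
    return guesses / requests_per_second / 3600


def new_instance_id(length=22):
    """Unguessable ID: 22 symbols from a 62-symbol alphabet is about 131 bits."""
    return "".join(secrets.choice(ALPHANUM) for _ in range(length))


# Assumption: the ID travels as a query parameter named instanceId and the web
# server writes Common Log Format lines; neither is documented on the page.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /scripts/Service/GetScripts\?instanceId=(?P<id>[A-Za-z0-9]+)[^"]*" (?P<status>\d{3})')


def constructed_log():
    """Constructed sample access log (not real data): two ordinary clients that
    repeat their own ID, and one source that walks through 40 different IDs."""
    lines = []
    for i in range(3):
        lines.append(f'198.51.100.4 - - [10/Feb/2020:12:00:0{i} +0000] '
                     f'"GET /scripts/Service/GetScripts?instanceId=Q7K2MZ HTTP/1.1" 200 412')
    lines.append('198.51.100.9 - - [10/Feb/2020:12:00:05 +0000] '
                 '"GET /scripts/Service/GetScripts?instanceId=H3X9PL HTTP/1.1" 200 398')
    for i in range(40):
        status = 200 if i == 17 else 404  # one lucky hit, the rest misses
        lines.append(f'203.0.113.7 - - [10/Feb/2020:12:01:{i % 60:02d} +0000] '
                     f'"GET /scripts/Service/GetScripts?instanceId=AB{i:04d} HTTP/1.1" {status} 17')
    return "\n".join(lines)


def enumeration_sources(log_text, distinct_id_threshold=20):
    """Map source IP -> number of distinct IDs requested, for sources at or over
    the threshold. Distinct IDs per source is the signal: a legitimate client
    keeps asking for the same ID, an enumerator never repeats one."""
    ids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ids_by_ip[m["ip"]].add(m["id"])
    return {ip: len(ids) for ip, ids in ids_by_ip.items() if len(ids) >= distinct_id_threshold}


if __name__ == "__main__":
    print(f"6 chars, 36 symbols: {keyspace_bits(6):.1f} bits, "
          f"~{expected_brute_force_hours(6, 36, 1000):.0f} h at 1000 req/s for one target")
    print(f"22 chars, 62 symbols: {keyspace_bits(22, 62):.1f} bits")
    print("enumerating sources:", enumeration_sources(constructed_log()))
```

Counting distinct IDs rather than requests is deliberate: a busy but legitimate client produces many requests for one ID, while an enumerator produces one request per ID, and counting misses (404s) as well as hits catches the scan before it finds anything.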
- User Enumeration
ConnectWise fixed a user enumeration issue that allowed anyone on the Internet to find out whether a particular user account existed in ConnectWise Control. Knowing which usernames are valid lets an attacker concentrate password guessing on real accounts. ConnectWise has completely fixed this, so it is no longer an issue if you've applied the patch.
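The usual root cause of user enumeration is a login (or password reset) handler that answers differently depending on whether the username exists, either in the message or in how long it takes. The Python below is an added example, not ConnectWise's code and not a description of their fix; the account, password and hashing parameters are constructed for the demonstration.

```python
"""Added example (not ConnectWise's code): a login check that reveals whether a
username exists, beside one that answers identically either way."""
import hashlib
import hmac
import os

_ITERATIONS = 100_000
GENERIC_FAILURE = "Invalid username or password."


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed user store (not real accounts): username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _derive("correct horse battery staple", _SALT))}
# Decoy record so an unknown username still costs one full hash computation.
_DECOY_SALT = os.urandom(16)
_DECOY = (_DECOY_SALT, _derive(os.urandom(16).hex(), _DECOY_SALT))


def login_leaky(username, password):
    """Vulnerable: the message (and the fast early return) tell the caller
    which usernames exist before any password is checked."""
    if username not in USERS:
        return "No account with that username."
    salt, stored = USERS[username]
    if hmac.compare_digest(_derive(password, salt), stored):
        return "OK"
    return "Wrong password."


def login_uniform(username, password):
    """Hardened: same message and same amount of work whether or not the user exists."""
    salt, stored = USERS.get(username, _DECOY)
    candidate = _derive(password, salt)
    # Run the hash comparison unconditionally; the membership check afterwards
    # only rules out a chance match against the decoy record.
    if hmac.compare_digest(candidate, stored) and username in USERS:
        return "OK"
    return GENERIC_FAILURE
```

The same discipline applies to registration and password-reset endpoints ("if an account exists, an email has been sent"), and rate limiting per source and per username should back it up, since a uniform response slows enumeration but does nothing against password spraying by itself.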
- Remote Code Execution
The ConnectWise Control server contained a vulnerability that allowed administrative users to upload code and have the server execute it. On its own this requires an admin login, but an attacker who obtains one, or who steals an admin's session token, could use it to reach the backend server instance and the sensitive files on it. ConnectWise mitigated this by preventing the execution of uploaded data.
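"Preventing execution of uploaded data" in practice means three things: never let an uploaded name carry a server-side script extension, store the bytes outside the web root where no handler maps them, and serve them back as opaque downloads. The Python below is an added example of an upload handler built that way; it is not ConnectWise's code and says nothing about how their upload feature is implemented. The allowed and forbidden extension lists are assumptions for the demonstration.

```python
"""Added example (not ConnectWise's code): an upload handler that stores files
where the web server cannot execute them and serves them back as downloads."""
import os
import pathlib
import re
import secrets
import tempfile

# Assumption: these are the only content types the feature needs to accept.
ALLOWED_EXTENSIONS = {".txt", ".csv", ".png", ".jpg", ".pdf", ".zip"}
# Script/executable suffixes that must never survive in a stored name. Checked
# against every suffix, so a double extension like shell.pdf.aspx is caught too.
FORBIDDEN_EXTENSIONS = {".aspx", ".ashx", ".asp", ".php", ".jsp", ".exe", ".dll",
                        ".ps1", ".bat", ".cmd", ".config", ".htaccess"}
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_filename(name):
    """Keep only the final path segment and a conservative character set; reject
    names with a forbidden suffix or whose final suffix is not on the allow-list."""
    last = name.replace("\\", "/").split("/")[-1]  # drop directories, either separator
    cleaned = _UNSAFE_CHARS.sub("_", last).lstrip(".")  # no dotfiles, no bare '..'
    if not cleaned:
        raise ValueError("empty file name")
    path = pathlib.PurePosixPath(cleaned)
    if {s.lower() for s in path.suffixes} & FORBIDDEN_EXTENSIONS:
        raise ValueError(f"forbidden extension in {name!r}")
    if path.suffix.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {name!r}")
    return cleaned


def rejects(name):
    """True when sanitize_filename refuses the name (convenience for checks)."""
    try:
        sanitize_filename(name)
    except ValueError:
        return True
    return False


def _private_opener(path, flags):
    return os.open(path, flags, 0o600)  # owner read/write only, never executable


def safe_store(upload_name, data, upload_root):
    """Write the upload under a random prefix inside upload_root, which must live
    outside the web root so nothing in it is ever mapped to a script handler."""
    root = pathlib.Path(upload_root).resolve()
    stored_name = f"{secrets.token_hex(8)}_{sanitize_filename(upload_name)}"
    target = (root / stored_name).resolve()
    if target.parent != root:  # belt and braces: never escape the upload root
        raise ValueError("path escapes upload root")
    with open(target, "wb", opener=_private_opener) as fh:
        fh.write(data)
    return target


def stored_inside(path, upload_root):
    """True when path sits directly inside upload_root after resolving symlinks."""
    return pathlib.Path(path).resolve().parent == pathlib.Path(upload_root).resolve()


def store_to_temp(upload_name, data):
    """Demo helper: stand up a throwaway upload root and store one file in it."""
    root = tempfile.mkdtemp(prefix="uploads_")
    return root, safe_store(upload_name, data, root)


def download_headers(stored_name):
    """Serve as an opaque attachment so browsers neither sniff nor render it."""
    return {"Content-Type": "application/octet-stream",
            "Content-Disposition": f'attachment; filename="{stored_name}"',
            "X-Content-Type-Options": "nosniff"}


if __name__ == "__main__":
    root, stored = store_to_temp("report.pdf", b"%PDF-1.4 constructed sample")
    print("stored at", stored, "inside root:", stored_inside(stored, root))
    for name in ("../../evil.png", "shell.pdf.aspx", "web.config"):
        print(f"{name!r} rejected: {rejects(name)}")
```

The extension check is the least important of the three measures: an attacker who can rename a file will try every suffix, so the directory being outside the web root and the files being served with Content-Disposition: attachment and X-Content-Type-Options: nosniff are what actually stop uploaded bytes from ever running as code.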
Bishop Fox's advisory also detailed two other low-impact weaknesses in ConnectWise Control that the company hasn't yet fixed, in how the product uses HTTP Strict Transport Security (HSTS) and Content Security Policy (CSP). HSTS is a response header that tells a browser which has visited the site to connect only over HTTPS from then on, even if a link or an attacker on the network tries to send it to plain HTTP; without it, a man-in-the-middle on the same network can downgrade the connection and listen in on the traffic. CSP is a header that tells the browser where scripts may be loaded from and whether inline scripts may run, a similar idea to the domain check in CORS. When an XSS bug like the Appearance Modifier one above slips through, a strict CSP keeps the browser from running the injected script, limiting the damage. According to Huntress Labs, ConnectWise says it will fix these in the future.
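If you want to check your own deployment for these two headers, the Python below is an added example (not ConnectWise's code) that audits a response's HSTS and CSP values and reports the settings that make them ineffective: a short max-age, a script-src that allows inline script or any host, or no script restriction at all. The two header sets at the bottom are constructed for the demonstration, not captured from ConnectWise Control, and https://cdn.example is a placeholder origin.

```python
"""Added example (not ConnectWise's code): audit a response for weak or missing
HSTS and CSP headers."""
import re

ONE_YEAR = 31_536_000
# Source expressions in script-src that defeat CSP's XSS protection.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def parse_csp(value):
    """Split "directive src src; directive ..." into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def audit_security_headers(headers):
    """Return a list of findings for a response's headers (names matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browsers will still accept plain-HTTP connections to this host")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings.append(f"HSTS max-age={age} is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains; subdomains stay reachable over HTTP")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: an XSS bug can load and run script from anywhere")
        return findings
    policy = parse_csp(csp)
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("CSP has neither script-src nor default-src, so script is unrestricted")
    else:
        weak = sorted(WEAK_SCRIPT_SOURCES & set(script_src))
        if weak:
            findings.append(f"CSP script-src allows {', '.join(weak)}, which defeats XSS mitigation")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("CSP leaves object-src open (plugin content can execute script)")
    return findings


# Constructed header sets (assumed values, not captured from any real server).
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline' *",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example; "
                               "object-src 'none'; frame-ancestors 'self'",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS), ("none", {})):
        print(label, audit_security_headers(hdrs) or ["no findings"])
```

Run it on the headers from a real response (for example the dictionary a requests or urllib response exposes). Note that a CSP upgrade-insecure-requests directive only rewrites the page's own subresource URLs and is not a substitute for HSTS, which is why the audit treats the two headers separately.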
Additionally, there was an insecure cookie scope flaw. The authentication cookie's scope covered the whole screenconnect.com domain rather than just the instance's own subdomain, so the browser sent it to subdomains the instance owner doesn't control. For example, if you own [compA].screenconnect.com and you visit a malicious subdomain such as [compB].screenconnect.com, your browser would send that site your CloudAuth token, which the malicious actor could then use to upload files as you. Combined with the upload-and-execute vulnerability above, [compB] could steal your CloudAuth token, upload code to your instance and run it, reaching your backend server directly. ConnectWise fixed this issue, so be sure to patch.
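The browser rule behind this is the cookie's Domain attribute: a cookie set with Domain=screenconnect.com is sent to every host under that domain, while a cookie set without a Domain attribute is host-only and goes back only to the host that set it. The Python below is an added example (not ConnectWise's code) that drives the standard library's cookie jar, which implements that rule, with both kinds of cookie. The hostnames follow the article's [compA]/[compB] illustration and the cookie value is made up.

```python
"""Added example (not ConnectWise's code): the browser's cookie domain rule, as
implemented by http.cookiejar, for a parent-domain cookie versus a host-only one."""
import email.message
import http.cookiejar
import urllib.request

COMPA = "https://compa.screenconnect.com/"
COMPB = "https://compb.screenconnect.com/"  # another tenant, assumed hostile
# Scoped to the parent domain: every *.screenconnect.com host receives it.
SHARED_COOKIE = "CloudAuth=secret-token; Domain=screenconnect.com; Path=/; Secure; HttpOnly"
# No Domain attribute: a host-only cookie, sent back only to the host that set it.
HOST_ONLY_COOKIE = "CloudAuth=secret-token; Path=/; Secure; HttpOnly"


class _Response:
    """Just enough of an HTTP response for CookieJar.extract_cookies(): an info()
    method returning the headers."""
    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message appends repeated headers

    def info(self):
        return self._headers


def cookies_sent_to(set_cookie, issuing_url, target_url):
    """Store a cookie as if issuing_url had set it, then build a request to
    target_url and return the Cookie header the jar attaches (None if nothing)."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_Response([set_cookie]), urllib.request.Request(issuing_url))
    target = urllib.request.Request(target_url)
    jar.add_cookie_header(target)
    return target.get_header("Cookie")


if __name__ == "__main__":
    print("parent-domain cookie reaches compB:", cookies_sent_to(SHARED_COOKIE, COMPA, COMPB))
    print("host-only cookie reaches compB:   ", cookies_sent_to(HOST_ONLY_COOKIE, COMPA, COMPB))
    print("host-only cookie reaches compA:   ", cookies_sent_to(HOST_ONLY_COOKIE, COMPA, COMPA))
```

HttpOnly does not help here: it stops page script from reading the cookie, but the browser still attaches it to requests, so the hostile subdomain's server receives the token directly. Dropping the Domain attribute (or setting it to the instance's own host) is the fix, and it is the check to make on any multi-tenant service that hands each customer a subdomain.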
While the latest ConnectWise update didn't fix all eight vulnerabilities, it does fix most of them. If you're an MSP, or any other service provider who uses ConnectWise Control, we highly recommend you apply all of ConnectWise's available patches immediately, and keep watching for updates that address the remaining issues. We also recommend a web filtering solution to block malicious sites, up-to-date antivirus, and multi-factor authentication (MFA) on your ConnectWise Control accounts. These steps don't remove the unpatched flaws, but they cut off the malicious links and stolen credentials that exploiting them depends on.
As a reminder, currently sophisticated cyber criminals are actively targeting MSPs. They have successfully breached many MSPs’ defenses using various techniques, and then leverage that MSP access to install ransomware onto the MSP’s customer computers. In many cases, they have leveraged flaws or weaknesses in RMM and PSA tools, like ConnectWise Control or Kaseya VSA. These flaws present an ideal attack surface to continue such MSP attacks. You should fix them with utmost priority.