Secplicity – Security Simplified

Unpatched Flaws Could Leave ConnectWise MSPs at Risk


ConnectWise provides a management platform that helps Managed Service Providers (MSPs), resellers, and other IT solutions providers remotely monitor, manage, and automate the IT technologies they deploy at their customers’ sites. Recently, ConnectWise patched multiple vulnerabilities in their ConnectWise Control products. Unfortunately, the patch failed to resolve some of these vulnerabilities.

Last year, researchers from Bishop Fox found eight vulnerabilities in the ConnectWise client, reported them to the company, and received the threat of a defamation lawsuit in response. ConnectWise made attempts to fix the vulnerabilities, but according to Huntress Labs, some of them were left unresolved. Without additional mitigations, the unresolved ConnectWise vulnerabilities leave some MSPs at risk.

Fortunately, exploiting any one of these vulnerabilities on its own doesn't give an attacker enough access to disrupt service or steal data outright; what it does is make gathering the information needed for that access, such as capturing credentials, much easier. Attackers can also chain some of these vulnerabilities to gain a higher level of access to ConnectWise. Whether used individually or together, though, they all require some form of user/victim interaction to succeed. If you keep close track of a site's address and don't click suspicious links, you probably won't run afoul of them. That said, we know it's not always possible to ensure everyone examines links 100% of the time. In this article, we'll go over each vulnerability and how best to mitigate it.


  1. Appearance Modifier XSS

This Cross-Site Scripting (XSS) vulnerability involves the ability to make changes to the ConnectWise Control login page. An XSS vulnerability happens when the server doesn't properly validate or sanitize user-supplied input before placing it in a web page. If the input isn't sanitized, an adversary can inject additional HTML or JavaScript, and the victim's browser runs that code as if it were a legitimate part of the site, inside the victim's session, possibly giving attackers access to many aspects of your web application that they shouldn't have. There are two common types of XSS, stored (persistent) and reflected. Reflected XSS flaws are the more common kind nowadays and require user interaction (clicking a specially crafted link) to succeed; stored XSS is worse, because the injected script is saved on the server and served to everyone who loads the affected page.

In ConnectWise Control, a form in the login appearance settings allows exactly that: whatever is entered there is saved with the settings and rendered on the login page. Adversaries need administrative access to reach the form, but if someone found a way around that, it would be trivial to add a script to the login page and steal credentials as users type them. ConnectWise didn't fully fix this; it does, however, block scripts in this field on trial instances, which matters because an attacker abusing this flaw would most likely do so from a trial instance where they are the administrator. We get why ConnectWise hasn't completely fixed this: to let users customize the login page, it must allow them to add some markup there. While we believe ConnectWise could secure the page and still allow some customization (an allow-list of harmless formatting tags, for instance), changing the login page already requires admin privileges, so we don't think this flaw poses a huge risk. If someone already has administrative access to your ConnectWise platform, you have bigger problems to deal with.

Nonetheless, you can further mitigate the issue with good authentication practices. Strong passwords help; we recommend passphrases of 15 characters or longer, kept in a password manager. You can also enable multi-factor authentication (MFA) on this login, which we very highly recommend.

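The kind of allow-list sanitizer we have in mind for a customizable login-page field, as an added example that is not ConnectWise's or Bishop Fox's code. The tag list, the URL policy and the function names are our own illustrative choices; a real deployment would run the same policy through a proper HTML parser rather than this regex tokeniser.

```javascript
// Added example, not ConnectWise's or Bishop Fox's code: an allow-list
// sanitizer for an admin-editable login-page appearance field. It keeps a
// few harmless formatting tags and strips everything that can run script.
// Names, tag list and URL policy are hypothetical choices for illustration.

const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'a']);
// Only <a href> may carry an attribute, and only with an http(s) URL.
const SAFE_HREF = /^https?:\/\/[^\s"'<>]+$/i;

function escapeText(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Walk the input tag by tag. Text outside tags is HTML-escaped, so a stray
// "<" or an unknown tag is rendered literally instead of being executed.
function sanitizeAppearance(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const closing = m[0][1] === '/';
    const name = m[1].toLowerCase();
    const attrs = m[2];

    if (!closing && (name === 'script' || name === 'style')) {
      // Drop the element and its body, not just the opening tag.
      const closeRe = new RegExp(`</${name}\\s*>`, 'ig');
      closeRe.lastIndex = last;
      const c = closeRe.exec(html);
      last = c ? closeRe.lastIndex : html.length;
      tagRe.lastIndex = last;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue; // unknown tag: discard it

    if (closing) {
      out += `</${name}>`;
    } else if (name === 'a') {
      const href = /\bhref\s*=\s*["']?([^"'\s>]*)/i.exec(attrs);
      const url = href && SAFE_HREF.test(href[1]) ? href[1] : '#';
      out += `<a href="${escapeText(url)}" rel="noopener noreferrer">`;
    } else {
      // Attributes (onmouseover=, style=, ...) are never copied through.
      out += `<${name}>`;
    }
  }
  out += escapeText(html.slice(last));
  return out;
}
```

The point of the allow-list is that the default answer is "no": an `<img onerror>` or a `javascript:` link is not recognised as dangerous by name, it is simply not on the list, so new bypass techniques do not need new rules.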

  2. CORS Misconfiguration

Cross-Origin Resource Sharing (CORS) is the mechanism by which a web server tells browsers which other origins (domains) may read its responses from script. Without getting too deep into the details, when a browser makes a cross-origin request it sends an Origin header, and the server answers with an Access-Control-Allow-Origin header naming the origins it trusts; if the requesting origin isn't on that list, the browser withholds the response from the calling page. A server that is misconfigured, for example one that echoes back whatever Origin it receives, lets a page on an attacker's domain make requests with the victim's cookies attached and read the replies, which could leak user information. ConnectWise fixed this by correctly configuring CORS on its website.

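What that misconfiguration looks like next to the corrected policy, as an added example rather than ConnectWise's actual configuration. The origins are hypothetical; `browserAllowsRead()` is our model of the browser's decision, and `attackerCanRead()` plays the page on the attacker's domain.

```javascript
// Added example with hypothetical origins; not ConnectWise's configuration.
// Each cors*() function returns the CORS response headers a server would add
// for a request carrying the given Origin; browserAllowsRead() models the
// browser's decision on whether the calling page may read the response.

const TRUSTED_ORIGINS = new Set(['https://control.example-msp.com']); // assumed

// Misconfigured: echo whatever Origin arrived and allow credentials. Any page
// a logged-in user visits can now request the API with the user's cookies
// attached and read the answer.
function corsHeadersVulnerable(origin) {
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Fixed: only an exact match against an allow-list is echoed back, and
// Vary: Origin stops a shared cache from replaying one origin's headers to another.
function corsHeadersFixed(origin) {
  if (!origin || !TRUSTED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Can script running at `origin` read a response carrying `headers`?
function browserAllowsRead(origin, headers, withCredentials) {
  const allowed = headers['Access-Control-Allow-Origin'];
  if (!allowed) return false;
  if (allowed === '*') return !withCredentials; // wildcard never pairs with cookies
  if (allowed !== origin) return false;
  return !withCredentials || headers['Access-Control-Allow-Credentials'] === 'true';
}

// The attack: a page on evil.example fetches the victim's account data with
// credentials included. Returns true if the attacker gets to read it.
function attackerCanRead(corsHeadersFn) {
  const evil = 'https://evil.example';
  return browserAllowsRead(evil, corsHeadersFn(evil), true);
}
```

Note that the fix compares the whole origin for exact equality. Substring or regex checks are the usual way CORS "fixes" go wrong, since `https://control.example-msp.com.evil.example` contains the trusted name but is the attacker's host.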

  3. CSRF Misconfiguration

A Cross-Site Request Forgery (CSRF) vulnerability lets a malicious website the user visits send requests to a vulnerable site in the user's name, because the browser automatically attaches the user's cookies to those requests. For example, let's say you have an online stock account that you normally stay logged in to. A vulnerable broker site might accept a trade if the “trade” request is hidden inside a form on a malicious page. The form may trick you into submitting it with a button that says “click here to view the video” or “get rich quick”, hiding the fact that you just bought shares in a company you never intended to buy. ConnectWise fixed this vulnerability for pages that accept user input. Some areas of the site still allow cross-site requests and don't have CORS configured, but those areas only allow read access.


  4. Personally Identifiable Information (PII) Disclosure

ConnectWise leaked email addresses and zip codes to anyone who found the user's InstanceID. Each instance of ConnectWise, whether used by an MSP or by anyone else who signs up for the cloud service, gets an InstanceID associated with the account. Making a request to cloud.screenconnect.com/scripts/Service/GetScripts with the correct instance ID returned information about the account, including the email address and zip code, which could help an attacker profile the MSP, identify the security products it uses, and work around them. Because InstanceIDs are only six alphanumeric characters long, attackers can easily guess or brute-force them. ConnectWise patched this by removing the email addresses and zip codes from the response, but adversaries can still enumerate valid IDs and perhaps use them later for other malicious purposes. Increasing the ID length would make this much harder, but ConnectWise hasn't done that yet.


  5. User Enumeration

ConnectWise fixed a user enumeration issue that allowed anyone on the Internet to determine whether a particular user account existed in ConnectWise Control. Knowing which usernames are valid is a valuable detail for an attacker brute-forcing accounts. ConnectWise has completely fixed this, so it is no longer an issue once you've applied the patch.

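Both the InstanceID enumeration in the previous section and the username enumeration here leave the same footprint on the server: one source address trying many different values in a short time. The detector below, an added example and not ConnectWise's own logging or tooling, runs over a constructed log excerpt; the line format, the one-minute window and the threshold of five distinct values are assumptions you would tune to your own traffic.

```javascript
// Added example; the log format, thresholds and addresses are constructed
// for illustration and are not ConnectWise's own logging. It flags one
// source address walking through many InstanceIDs (the GetScripts
// disclosure) or many usernames (the user-enumeration issue) in a short
// window, which is what a brute-force enumeration looks like server-side.

const WINDOW_MS = 60 * 1000; // assumed: one-minute sliding window
const MAX_DISTINCT = 5;      // assumed: >5 distinct targets per source per window is suspicious

// Constructed line format: "<iso-time> <ip> <path> <key>=<value> <status>"
const LINE_RE = /^(\S+) (\S+) (\S+) (instanceId|user)=(\S+) (\d{3})$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  const [, ts, ip, path, kind, target, status] = m;
  return { time: Date.parse(ts), ip, path, kind, target, status: Number(status) };
}

// Returns one finding per (source IP, kind) whose distinct targets within
// WINDOW_MS ever exceed MAX_DISTINCT, recorded at the moment it first did.
function detectEnumeration(lines) {
  const events = lines.map(parseLine).filter(Boolean).sort((a, b) => a.time - b.time);
  const recent = new Map(); // "ip|kind" -> events still inside the window
  const findings = [];
  for (const ev of events) {
    const key = `${ev.ip}|${ev.kind}`;
    const bucket = recent.get(key) || [];
    bucket.push(ev);
    while (ev.time - bucket[0].time > WINDOW_MS) bucket.shift(); // expire old events
    recent.set(key, bucket);
    const distinct = new Set(bucket.map(e => e.target)).size;
    if (distinct > MAX_DISTINCT && !findings.some(f => f.ip === ev.ip && f.kind === ev.kind)) {
      findings.push({ ip: ev.ip, kind: ev.kind, distinct, firstSeenAt: new Date(ev.time).toISOString() });
    }
  }
  return findings;
}

// Constructed sample: a legitimate client re-reading its own instance, a
// scanner walking the InstanceID space, and a username brute-forcer.
const SAMPLE_LOG = [
  '2020-01-15T10:00:00Z 203.0.113.7 /scripts/Service/GetScripts instanceId=x7k2p9 200',
  '2020-01-15T10:00:00Z 198.51.100.9 /scripts/Service/GetScripts instanceId=aaaaa1 404',
  '2020-01-15T10:00:01Z 198.51.100.9 /scripts/Service/GetScripts instanceId=aaaaa2 404',
  '2020-01-15T10:00:02Z 198.51.100.9 /scripts/Service/GetScripts instanceId=aaaaa3 404',
  '2020-01-15T10:00:03Z 198.51.100.9 /scripts/Service/GetScripts instanceId=aaaaa4 404',
  '2020-01-15T10:00:04Z 198.51.100.9 /scripts/Service/GetScripts instanceId=aaaaa5 200',
  '2020-01-15T10:00:05Z 198.51.100.9 /scripts/Service/GetScripts instanceId=aaaaa6 404',
  '2020-01-15T10:00:06Z 198.51.100.9 /scripts/Service/GetScripts instanceId=aaaaa7 404',
  '2020-01-15T10:00:30Z 203.0.113.7 /scripts/Service/GetScripts instanceId=x7k2p9 200',
  '2020-01-15T10:01:10Z 203.0.113.7 /scripts/Service/GetScripts instanceId=x7k2p9 200',
  '2020-01-15T10:05:00Z 192.0.2.4 /Login user=alice 401',
  '2020-01-15T10:05:01Z 192.0.2.4 /Login user=bob 401',
  '2020-01-15T10:05:02Z 192.0.2.4 /Login user=carol 401',
  '2020-01-15T10:05:03Z 192.0.2.4 /Login user=dave 401',
  '2020-01-15T10:05:04Z 192.0.2.4 /Login user=erin 401',
  '2020-01-15T10:05:05Z 192.0.2.4 /Login user=frank 401',
  'this line is malformed and is skipped',
];
```

Counting distinct values rather than raw request volume is what separates the scanner from the legitimate client: the client makes three requests too, but always for the same instance.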

  6. Remote Code Execution

The ConnectWise Control server contained a vulnerability that allowed administrative users to upload code remotely and then execute it. This upload-and-execute capability could give attackers access to the backend server instance and its sensitive files. ConnectWise mitigated this by preventing uploaded data from being executed.


Bishop Fox's advisory also detailed two other low-impact issues in ConnectWise Control that the company hasn't yet addressed: a missing HTTP Strict Transport Security (HSTS) header and a missing Content Security Policy (CSP). CSP is a response header that tells the browser which sources it may load scripts (and other content) from, similar in spirit to how CORS names trusted origins; even if an attacker manages to inject a script tag, the browser refuses to run it unless it comes from a source the policy trusts, which makes CSP a second line of defence against XSS. HSTS addresses a different problem: it instructs browsers to reach the site only over HTTPS, which blocks the downgrade and interception tricks an attacker on the network path (a man-in-the-middle) would otherwise use to listen in on the traffic. According to Huntress Labs, ConnectWise says it will add both in a future release.

Additionally, there was an insecure cookie scope flaw: the authentication cookie was scoped to the parent domain rather than to the instance's own hostname, so every subdomain, including ones not controlled by the original domain owner, received it. For example, if you own [compA].screenconnect.com and visit a hypothetical malicious subdomain [compB].screenconnect.com, [compB] could read your CloudAuth token. That token would let the attacker upload files to your instance, and combined with the remote code execution vulnerability above, execute code on it and reach your backend server directly. ConnectWise fixed this issue, so be sure to patch.
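A small response audit that checks for the three items in the two paragraphs above (HSTS, CSP and cookie scope), as an added example rather than anything shipped by ConnectWise. The hostnames, the cookie name reuse of `CloudAuth`, and the six-month HSTS threshold are our assumptions; the two sample responses are constructed to show a weak instance next to a hardened one.

```javascript
// Added example, not ConnectWise's code; hostnames, cookie name and the
// HSTS threshold are hypothetical. It audits an HTTP response for the two
// headers still missing above (HSTS, CSP) and for the cookie-scope mistake:
// a cookie with Domain=parent.example is sent to every sibling subdomain.

const MIN_HSTS_AGE = 15552000; // assumed policy: at least six months, in seconds

// Parse one Set-Cookie header value into { name, value, domain, secure, ... }.
function parseSetCookie(raw) {
  const [pair, ...attrs] = raw.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1) };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    cookie[k.toLowerCase()] = v === undefined ? true : v;
  }
  return cookie;
}

// Browser rule of thumb: no Domain attribute means host-only; a Domain
// attribute matches that domain and every subdomain beneath it.
function cookieSentTo(cookie, setHost, requestHost) {
  const host = requestHost.toLowerCase();
  if (!cookie.domain) return host === setHost.toLowerCase();
  const domain = String(cookie.domain).replace(/^\./, '').toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

function auditResponse({ host, headers }) {
  const findings = [];
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const hsts = h['strict-transport-security'];
  if (!hsts) findings.push('missing Strict-Transport-Security');
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < MIN_HSTS_AGE) findings.push('HSTS max-age too short');
  }

  const csp = h['content-security-policy'];
  if (!csp) findings.push('missing Content-Security-Policy');
  else {
    const directives = csp.split(';').map(d => d.trim().split(/\s+/));
    const scriptSrc = directives.find(d => d[0] === 'script-src') ||
                      directives.find(d => d[0] === 'default-src');
    if (!scriptSrc) findings.push('CSP sets no script-src or default-src');
    else if (scriptSrc.includes("'unsafe-inline'") || scriptSrc.includes('*')) {
      findings.push('CSP allows inline or wildcard scripts');
    }
  }

  for (const raw of [].concat(h['set-cookie'] || [])) {
    const c = parseSetCookie(raw);
    if (c.domain && String(c.domain).replace(/^\./, '').toLowerCase() !== host.toLowerCase()) {
      findings.push(`cookie ${c.name} scoped to ${c.domain}: sent to every subdomain, not just ${host}`);
    }
    if (!c.secure) findings.push(`cookie ${c.name} lacks Secure`);
    if (!c.httponly) findings.push(`cookie ${c.name} lacks HttpOnly`);
  }
  return findings;
}

// Constructed responses: the first resembles an instance before the cookie
// fix and without the two missing headers, the second is hardened.
const WEAK_RESPONSE = {
  host: 'compa.screenconnect.example',
  headers: {
    'Content-Type': 'text/html',
    'Set-Cookie': ['CloudAuth=abc123; Domain=.screenconnect.example; Path=/'],
  },
};
const HARDENED_RESPONSE = {
  host: 'compa.screenconnect.example',
  headers: {
    'Content-Type': 'text/html',
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    'Set-Cookie': ['CloudAuth=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
  },
};
```

The cookie check is the one that maps directly onto the [compA]/[compB] scenario: `cookieSentTo()` answers whether a cookie set by one tenant's hostname would ride along on a request to a sibling tenant's hostname, which is exactly what a host-only cookie prevents.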

While the latest ConnectWise update didn't fix all eight vulnerabilities, it does fix most of them. If you're an MSP, or any other service provider who uses ConnectWise Control, we highly recommend you apply all of ConnectWise's available patches immediately and continue to monitor ConnectWise for updates on the unpatched issues. We also recommend you implement some type of web filtering to block malicious sites, keep your antivirus up to date, and enable MFA. Taking these steps will mitigate these vulnerabilities.

As a reminder, sophisticated cyber criminals are currently and actively targeting MSPs. They have successfully breached many MSPs' defenses using various techniques, and then leveraged that MSP access to install ransomware on the MSPs' customers' computers. In many cases, they have exploited flaws or weaknesses in RMM and PSA tools, like ConnectWise Control or Kaseya VSA. These flaws present an ideal attack surface for continuing such MSP attacks. You should fix them with the utmost priority.

As a final thought, every vendor, even WatchGuard, can have vulnerabilities in its products. However, the true measure of a company's security is how quickly and transparently it reacts to fix vulnerabilities once it learns of them. We can only hope ConnectWise continues to take these vulnerabilities seriously by patching them as soon as possible, and transparently communicates the details to its customers.

