UPDATE--Attackers are actively exploiting the critical authentication bypass in the ConnectWise ScreenConnect software disclosed on Monday and there is now proof-of-concept exploit code available for the flaw, as well.
The flaw (CVE-2024-1709) affects all versions of ScreenConnect below 23.9.8. Researchers who have analyzed it found that the bug is quite easy to exploit, and several research and incident response teams have confirmed exploitation of vulnerable instances. The Shadowserver Foundation has identified about 3,800 vulnerable instances of ScreenConnect online. But that number understates the real potential for damage, since each of those servers could control hundreds or thousands of endpoints.
"I feel like people are sleeping on the blast radius of this. One server could have eighty or a hundred organizations managed for remote support. It’s not just about the splash, it’s the ripple that’s gonna catch people," said Kyle Hanslovan, CEO of Huntress, which has done extensive research on the vulnerability and its effects.
ConnectWise issued an advisory for the authentication bypass vulnerability, along with a path traversal bug, on Monday, but there was very little technical information in it, and for good reason as it turns out.
“There was not much information available as to what these vulnerabilities really consisted of, how they might be taken advantage of, or any other threat intelligence or indicators of compromise to hunt for. Once we recreated the exploit and attack chain, we came to the same conclusion: there should not be public details about the vulnerability until there had been adequate time for the industry to patch. It would be too dangerous for this information to be readily available to threat actors,” researchers from Huntress wrote in an analysis.
“The ‘exploit’ is trivial and embarrassingly easy.”
ScreenConnect is a remote desktop support and administration application used in a variety of scenarios in enterprises, often for remote technical support.
"Some people don't even know they have it in their environments. They can't patch it and the best they can do is remove it," Hanslovan said.
The Huntress analysis found that the issue lies in the way ScreenConnect decides whether its setup wizard may be accessed. A quirk in the code allows users, or attackers, to reach the setup wizard on an instance that has already completed setup, which should not be possible.
“If the request path does not match “/SetupWizard.aspx,” then the setup wizard will be allowed regardless of the setup state of the instance. This would normally not be exploitable, but .Net has weird functionality that allows URL path components after a mapped legitimate URL to be passed along to the application,” the Huntress analysis says.
“Putting this together, it means we can simply request “/SetupWizard.aspx/literallyanything” and we should be allowed to access the setup wizard on already-configured ScreenConnect instances.”
The setup wizard creates the administrative user for the software and installs the license key. Once the initial admin user is created, which happens before the license step, the attacker holds full administrative access to the instance, and from there can execute arbitrary code.
“Once you have administrative access to a compromised instance, it is trivial to create and upload a malicious ScreenConnect extension to gain Remote Code Execution (RCE). This is not a vulnerability, but a feature of ScreenConnect, which allows an administrator to create extensions that execute .Net code as SYSTEM on the ScreenConnect server,” the analysis says.
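The path-matching quirk described above leaves a distinctive trace: a legitimate setup request is exactly `/SetupWizard.aspx`, so any request whose URI stem has an extra path segment after it is worth a look. The script below is an added example, not code from Huntress or ConnectWise. It does two things a responder would want while triaging: compare a ScreenConnect version string against the 23.9.8 fix threshold stated in the advisory, and walk an IIS W3C-format log (field names taken from the `#Fields:` header) to pull out requests matching the `/SetupWizard.aspx/<anything>` pattern. The log lines are constructed for the example, including the client address; they are not indicators from the advisory.

```python
import re
from typing import Dict, Iterable, Iterator, List, Tuple

# Versions 23.9.8 and later carry the fix for CVE-2024-1709.
FIXED_VERSION: Tuple[int, int, int] = (23, 9, 8)

# Legitimate setup traffic hits exactly /SetupWizard.aspx; a trailing
# path segment is the access pattern Huntress described.
SETUP_WIZARD_ABUSE = re.compile(r"^/SetupWizard\.aspx/.+", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a version string such as '23.9.7.8804' into a tuple of ints."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True when the version is below 23.9.8, i.e. it lacks the fix."""
    return parse_version(version)[:3] < FIXED_VERSION


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per entry of an IIS W3C log, naming columns from '#Fields:'."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or not fields:
            continue  # other directives, or data before any header
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated entry; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_setup_wizard_abuse(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the log entries whose URI stem matches /SetupWizard.aspx/<anything>."""
    hits = []
    for entry in parse_w3c(lines):
        stem = entry.get("cs-uri-stem", "")
        if SETUP_WIZARD_ABUSE.match(stem):
            hits.append({
                "time": f"{entry.get('date', '')} {entry.get('time', '')}",
                "client": entry.get("c-ip", ""),
                "method": entry.get("cs-method", ""),
                "uri": stem,
                "status": entry.get("sc-status", ""),
            })
    return hits


# Constructed sample log for the example (the address 203.0.113.10 is from
# the TEST-NET range and is not an indicator from the advisory).
SAMPLE_LOG = """
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-02-19 08:00:00 10.0.0.5 GET /SetupWizard.aspx - 443 - 10.0.0.20 Mozilla/5.0 200
2024-02-20 23:41:02 10.0.0.5 GET /Login - 443 - 203.0.113.10 Mozilla/5.0 200
2024-02-20 23:41:09 10.0.0.5 GET /SetupWizard.aspx/literallyanything - 443 - 203.0.113.10 python-requests/2.31 200
2024-02-20 23:41:12 10.0.0.5 POST /setupwizard.aspx/literallyanything - 443 - 203.0.113.10 python-requests/2.31 302
"""

if __name__ == "__main__":
    for ver in ("23.9.7.8804", "23.9.8.8811"):
        print(f"{ver}: {'VULNERABLE' if is_vulnerable(ver) else 'fixed'}")
    for hit in find_setup_wizard_abuse(SAMPLE_LOG.splitlines()):
        print(f"{hit['time']} {hit['client']} {hit['method']} {hit['uri']} -> {hit['status']}")
```

The plain `/SetupWizard.aspx` request from the internal address is not reported, since that is what a first-time setup looks like; the two requests with a trailing segment are. The match is case-insensitive because IIS path matching is, and a `POST` to that path on a configured instance is the more telling of the two, since that is the request that would create a new administrative user.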
Hanslovan said the initial exploitation attempts began late Tuesday night, and he worries that activity could ramp up quickly given the ease of exploitation. A Metasploit module implementing the exploit is also available, which adds more urgency to the patching process.
"We know it's being exploited by initial access brokers. It's a lot of the playbook that reminds me of SolarWinds. The attackers didn't just go after government agencies, but they hit telcos and service providers. It's that one-to-many scenario that could be the same here," Hanslovan said.
ConnectWise updated its advisory on Tuesday to confirm active exploitation and to list three IP addresses known to have attempted to exploit vulnerable instances. Organizations running vulnerable on-premises instances should upgrade to 23.9.8 or later immediately.
This story was updated on Feb. 21 to add comments from Kyle Hanslovan.