Critical ConnectWise ScreenConnect Flaws Patched: Urgent Update Advised

Two vulnerabilities have been identified in ConnectWise’s ScreenConnect software, which is widely used by Managed Service Providers (MSPs) for remote access. The vulnerabilities, CVE-2024-1708, which allows authentication bypass, and CVE-2024-1709, which enables path traversal, came under exploitation shortly after their disclosure. They are rated with a CVSS severity score of 10 because of the simplicity of exploitation and the potential impact, and they affect versions up to 23.9.7.

CISA has acknowledged the active exploitation of CVE-2024-1709 by adding it to its Known Exploited Vulnerabilities Catalog and has asked users to apply patches before February 29, 2024.

Affected and Patched Versions

ConnectWise has issued a patch, version 23.9.8, to rectify the vulnerabilities and collaborated with CISA and the cybersecurity community to inform and safeguard users. While cloud-hosted instances have already been secured, those with on-premise servers must apply the update promptly to reduce risk.

Inside the ScreenConnect Vulnerabilities

The fix for the first flaw (CVE-2024-1708) adds a new check, which reveals that the authentication process was not secured on all access paths, including the setup wizard. This allowed unauthorized creation of new administrator accounts in ScreenConnect. The second flaw (CVE-2024-1709), a path traversal bug, enabled access to or modification of files outside restricted directories. It was identified through code changes in ‘ScreenConnect.Core.dll’ related to the ZipSlip vulnerability.

ConnectWise’s update now enforces stricter path validation to prevent such exploits, addressing risks of unauthorized access and manipulation of sensitive files.
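The kind of path validation that blocks a ZipSlip-style traversal can be shown with a short Python sketch. This is an added example, not ConnectWise's code (ScreenConnect itself is a .NET product); the function names, the extraction directory and the sample archive are constructed for illustration.

```python
import io
import os
import zipfile


def unsafe_target(dest_dir, entry_name):
    """The ZipSlip pattern: the entry name is joined to dest_dir unchecked."""
    return os.path.normpath(os.path.join(dest_dir, entry_name))


def safe_target(dest_dir, entry_name):
    """Resolve the entry under dest_dir and refuse anything that escapes it."""
    root = os.path.realpath(dest_dir)
    # Treat backslashes as separators too; archives built on Windows use them.
    name = entry_name.replace("\\", "/")
    candidate = os.path.realpath(os.path.join(root, name))
    # commonpath compares whole path components, so a sibling directory such
    # as "<root>-evil" cannot pass the way it would with a startswith() test.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"entry escapes extraction directory: {entry_name!r}")
    return candidate


def audit_archive(zip_bytes, dest_dir):
    """Return (accepted, rejected) entry names without writing any file."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                safe_target(dest_dir, info.filename)
                accepted.append(info.filename)
            except ValueError:
                rejected.append(info.filename)
    return accepted, rejected


def build_sample_archive():
    """Constructed sample: one ordinary entry and two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension/manifest.xml", "<ok/>")
        zf.writestr("../outside.txt", "x")
        zf.writestr("extension/../../outside2.txt", "x")
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_archive(build_sample_archive(), "/opt/app/extensions"))
```

Running `audit_archive` over uploaded archives before extraction gives a log of rejected entry names, which is also a useful detection signal.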

Qualys Detection

Qualys customers can scan their devices with QID 379390 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

Discover Your Attack Surface with Qualys CyberSecurity Asset Management (CSAM)

The initial and crucial step in managing this critical vulnerability and mitigating associated risks involves pinpointing all assets susceptible to this specific issue.

First, go to CSAM and search for “ConnectWise ScreenConnect” across all your assets.

You can then see how many assets have it installed, along with the distribution across versions.

QQL: software:(name:"ConnectWise ScreenConnect")

CSAM enriches your software inventory with the Software Product Lifecycle so that you can immediately see which versions are already EoL/EoS (End of Life/End of Support), which typically means that the software publisher will no longer provide security patches.

You can expand the use of this software inventory within CSAM to create dynamic tags that allow you to organize your assets automatically for scans and dashboards, as well as Risk Prioritization workflows.

Additionally, CSAM users can create Software Authorization Rules that are tailored to the type/category of asset. For example, you can add “ConnectWise ScreenConnect” and other software as Unauthorized Software within a “Client/Desktop software policy”.

With this policy in place, you can create an Alert Rule to notify your teams anytime a new installation of unauthorized software is detected.

References:
https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
