MSP, Vulnerability Management, Ransomware

ConnectWise Critical Vulnerability: Free Update Available


ConnectWise recently reported two vulnerabilities in its ScreenConnect remote access/remote control product, one rated “critical” and the other “high” priority.

The vulnerability was so critical that on Friday, February 23, ConnectWise said it had taken the extraordinary step of supporting partners no longer under maintenance by making them eligible to install version 22.4 at no additional cost, which fixes CVE-2024-1709, the critical vulnerability.

(The company further stated that this should be treated as an interim step and recommended that on-premises partners upgrade to remain within maintenance and gain access to all security and product enhancements.)

The free support capped a remarkable week in which ConnectWise grappled to contain vulnerabilities in its remote-control software. The company said on-premises installations should be updated immediately; its cloud-hosted instances had already been fixed.

ConnectWise Vulnerability: Background and Overview

On February 19, ConnectWise released a security advisory for ScreenConnect, its remote-control software, describing two vulnerabilities that affect older versions of the product and are fixed in version 23.9.8 and later.

ConnectWise said in its advisory that the vulnerabilities were critical ones that could allow “the ability to execute remote code or directly impact confidential data or critical systems.”

The two vulnerabilities are CVE-2024-1709 (CWE-288, Authentication Bypass Using Alternate Path or Channel), with a base CVSS score of 10, rated “critical,” and CVE-2024-1708 (CWE-22, Improper Limitation of a Pathname to a Restricted Directory, or “path traversal”), with a base CVSS score of 8.4, rated “high.”
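The two CWE classes named in the advisory are general bug patterns, and the advisory does not describe the affected code. The following Python sketch is an added illustration of those two classes, with a weak check beside a hardened one for each. It is not ConnectWise's code and does not describe how CVE-2024-1709 or CVE-2024-1708 actually work; the router, the PROTECTED/PUBLIC path sets and WEBROOT are hypothetical.

```python
"""Models of the two weakness classes named in the ConnectWise advisory.

CWE-288 (authentication bypass via an alternate path) and CWE-22 (path
traversal), each shown as a weak check beside a hardened one. Names such as
PROTECTED, PUBLIC, WEBROOT and route() are hypothetical; this is not
ScreenConnect's code and does not describe how CVE-2024-1709/1708 work.
"""
import posixpath
from urllib.parse import unquote

# ---- CWE-288: the auth check and the router disagree about the path ----
PROTECTED = {"/admin/users.aspx"}          # hypothetical page needing a session
PUBLIC = {"/", "/login.aspx"}              # allow-list for the hardened check


def route(path):
    """Hypothetical router: canonicalizes before dispatch (decode, strip a
    trailing slash, fold case), so '/Admin/Users.aspx/' and
    '/admin/users.aspx' reach the same handler."""
    p = unquote(path).rstrip("/") or "/"
    return p.lower()


def weak_is_allowed(path, authenticated):
    """Deny-list compared against the raw request path. Any variant the
    router still maps to the handler (trailing slash, case, %-encoding)
    misses the deny-list and is let through."""
    if path in PROTECTED and not authenticated:
        return False
    return True


def hardened_is_allowed(path, authenticated):
    """Decide on the same canonical path the router dispatches, and default
    to deny: only explicitly public pages are reachable without a session."""
    canonical = route(path)
    if canonical in PUBLIC:
        return True
    return authenticated


# ---- CWE-22: resolving a user-supplied file name under a directory ----
WEBROOT = "/srv/app/files"                 # hypothetical restricted directory


def weak_resolve(name):
    """String concatenation: '../' segments walk out of WEBROOT."""
    return WEBROOT + "/" + unquote(name)


def hardened_resolve(name):
    """Decode once, reject NUL and backslashes, normalize, then require the
    result to stay inside WEBROOT. On a real server also apply
    os.path.realpath so a symlink inside WEBROOT cannot point outside it."""
    decoded = unquote(name)
    if "\x00" in decoded or "\\" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(WEBROOT, decoded.lstrip("/")))
    if candidate != WEBROOT and not candidate.startswith(WEBROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for p in ("/admin/users.aspx", "/admin/users.aspx/", "/Admin/Users.aspx",
              "/admin/users%2Easpx"):
        print(f"{p:24} weak={weak_is_allowed(p, False)} "
              f"hardened={hardened_is_allowed(p, False)}")
    for n in ("reports/q1.txt", "../../../etc/passwd", "%2e%2e/%2e%2e/secret"):
        print(f"{n:24} weak={weak_resolve(n)} hardened={hardened_resolve(n)}")
```

The point of the CWE-288 half is that the authorization decision has to be made on the same canonical path the router dispatches on, with deny as the default; the CWE-22 half shows why the resolved path, not the raw name, must be checked against the restricted directory.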

On February 21, proof-of-concept code that exploits the vulnerabilities and adds a new user to the compromised system was released on GitHub, according to Sophos. ConnectWise updated its advisory to note observed, active exploitation of the vulnerabilities in the wild.

On February 22, Sophos X-Ops reported on social media that despite the recent law enforcement action against the LockBit threat actor group, it had observed several attacks over the preceding 24 hours that appeared to be carried out with LockBit ransomware.

The statement threw cold water on the idea that the threat from LockBit was finished after an international law enforcement action initially seemed to have eliminated it.

A Sophos X-Ops visualization covering the last 90 days shows a spike in activity related to the ConnectWise vulnerabilities over the last few days.

ConnectWise Vulnerabilities Could Spark “Ransomware Free-for-All”

Several cybersecurity vendors have released statements about the ConnectWise vulnerabilities, including Huntress, a vendor popular with channel MSPs and MSSPs.

The vulnerabilities could spark a “ransomware free-for-all,” Huntress CEO Kyle Hanslovan told ChannelE2E affiliate site SC Media.

“I can’t sugarcoat it – this s--- is bad,” he said. “The sheer prevalence of this software and the access afforded by this vulnerability signals we are on the cusp of a ransomware free-for-all.”

ConnectWise CISO Patrick Beggs urged on-premises partners in a LinkedIn post last week to patch to the latest version of ScreenConnect. In another post later in the week, he said ConnectWise had taken steps to suspend unpatched versions of ScreenConnect pending on-premises partners upgrading to the latest version.

Jessica C. Davis

Jessica C. Davis is Editorial Director of CyberRisk Alliance’s channel brands — MSSP Alert and ChannelE2E. She also oversees content and programming for the MSSP Alert Live event. She has spent a career as a journalist covering the business of technology including chips, software, the cloud, AI, and cybersecurity. She previously served as Editor in Chief of Channel Insider and later of MSP Mentor where she was one of the first editors to oversee the creation and vision of the MSP 501 list.