[SOLVED] Connectwise Control / Screenconnect security issues

fencepost

Anyone using this self hosted should absolutely be making sure you're FULLY up to date and also actively watching for further updates. Not sure what you can do if using the cloud service. I think some of the vulnerabilities would likely only be relevant in targeted attacks, but still worth keeping an eye on.

Possibly a dedicated browser used only for this and never used for any other purposes? Only accessing the server in private mode?

https://www.crn.com/news/managed-se...ecurity-vulnerabilities-are-severe-bishop-fox

https://www.crn.com/slide-shows/man...uestions-for-security-researcher-bishop-fox/1

https://know.bishopfox.com/advisories/connectwise-control

https://www.reddit.com/r/msp/comments/esc2p1/bishop_fox_discloses_vulnerability_findings_in/
 
If you're cloud hosted, you've already been patched.

If you're using any RMM and you aren't keeping it up to date... you're asking for it.

At this point it's down to, do you trust ConnectWise or not? If you do, you're fine, if you don't then start switching to a new product.
 
Despite what this says, I bet they didn't have MFA turned on or they were using email for their MFA. Don't use email. Use something like Duo or Google Authenticator. If they hack your email, they could gain access.
 
This wasn't a case where MFA mattered, it was primarily cross-site scripting. If you were in the dashboard as an admin and were surfing in another tab, JS in that second tab could send requests to your ScreenConnect.com address as you. The worst of those options would allow uploading of an extension in a zip file, which it was then possible to force execution of on the server side using basically the same mechanism.

Separate things would allow discovery of admin accounts via cycling through a 6-character identifier - when a valid identifier was provided, you'd get the admin account email address returned.

None of it would be trivially or casually exploited, but for someone who looks at MSPs as a target with a slightly-crunchy hard shell around a nice juicy sweet center of remote access to hundreds or thousands of clients? This was the kind of thing that could make for the core of a very nice spearphishing campaign.
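A defender-side detection for the identifier cycling described above, added here as an example and not code from the thread or from ConnectWise: it scans access-log lines for any source that requests many distinct six-character identifiers inside a short window. The "/lookup" path, the "id" parameter and the sample log lines are constructed placeholders, not the real ScreenConnect endpoint.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# "/lookup" and "id" are hypothetical placeholders, not the real ScreenConnect endpoint.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) ')
ID_RE = re.compile(r'^/lookup\?id=([A-Za-z0-9]{6})$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, identifier) for an identifier-lookup request, else None."""
    m = LINE_RE.match(line)
    idm = ID_RE.match(m.group("path")) if m else None
    if not idm:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), idm.group(1)

def enumeration_sources(log_text, window=timedelta(minutes=5), threshold=20):
    """Map each source IP whose peak distinct-identifier count in any sliding window reaches threshold to that peak."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, ts, ident = parsed
            events[ip].append((ts, ident))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()  # chronological order so the window can slide forward
        start, peak = 0, 0
        for i, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:  # drop requests older than the window
                start += 1
            peak = max(peak, len({ident for _, ident in evs[start:i + 1]}))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def make_sample_log():
    """Constructed sample: one source cycling 30 identifiers in 30 s, another looking up its own identifier twice."""
    base = datetime(2020, 1, 22, 10, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "GET /lookup?id=AB{i:04d} HTTP/1.1" 404 12')
    for i in range(2):
        ts = (base + timedelta(minutes=i)).strftime(TS_FMT)
        lines.append(f'198.51.100.4 - - [{ts}] "GET /lookup?id=QX9R2K HTTP/1.1" 200 57')
    return "\n".join(lines)
```

Tune `window` and `threshold` to the real endpoint's normal traffic; a legitimate client repeats its own identifier, so only the breadth of distinct values is counted, not request volume.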
 
I think the solution there is to stop using the browser. I use the thick client for Automate for a reason, there's a ton of stuff that you just can't do in the web app anyway.
 