In the rapidly evolving landscape of cybersecurity, the discovery of vulnerabilities within widely used software can have significant implications for organizations and their security posture.
Recently, the cybersecurity community has been alerted to two critical vulnerabilities in ConnectWise’s ScreenConnect, a popular remote desktop software application.
These vulnerabilities, identified as CVE-2024-1708 and CVE-2024-1709, pose a substantial threat to systems running outdated versions of the software.
Executive Summary
On February 13, 2024, ConnectWise was informed of two critical vulnerabilities affecting ScreenConnect. These security flaws were promptly disclosed in a security bulletin by ConnectWise on February 19, following their initial report through the ConnectWise Trust Center’s vulnerability disclosure channel.
As of February 21, research conducted by Unit 42 has revealed that 18,188 unique IP addresses globally are hosting ScreenConnect, with a significant concentration in the United States. The vulnerabilities in question have been assigned high and critical severity ratings, with CVE-2024-1709 being particularly concerning due to its trivial exploitability and the availability of proof-of-concept exploits.
Detailed Analysis of Vulnerabilities
- CVE-2024-1708: This vulnerability is a path traversal flaw in ScreenConnect versions 23.9.7 and earlier. It could potentially allow attackers to execute remote code or access sensitive data and critical systems. It has been rated with a CVSS severity of 8.4, denoting a high level of risk.
- CVE-2024-1709: More alarming is the authentication bypass vulnerability in the same versions of ScreenConnect. This flaw permits attackers to gain direct access to confidential information or critical systems without the need for authentication. With a CVSS score of 10.0, it is classified as critical and is considered easily exploitable.
Current Scope and Global Exposure
ConnectWise has acknowledged compromised accounts, with investigations confirming the extent of the impact. A significant number of the affected IP addresses are located in the United States, but the exposure is global, affecting countries across various continents.
Mitigation Actions and Recommendations
For users of ConnectWise ScreenConnect, immediate action is required to mitigate these vulnerabilities. ConnectWise has already updated servers hosted on its cloud to address these issues, requiring no action from end users. However, organizations with self-hosted or on-premise ScreenConnect installations must apply patches as soon as possible to prevent exploitation.
Indicators of Compromise (IoC)
ConnectWise has identified the following IoCs, which were recently used by threat actors:
- 155.133.5[.]15
- 155.133.5[.]14
- 118.69.65[.]60
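The two defender-side checks this advisory implies are a version check against the affected range (23.9.7 and earlier) and a sweep of web-server logs for the three listed source IPs. The following Python is an added example, not code from ConnectWise or the advisory author; the log lines are constructed samples in common log format, and the affected-version cutoff is taken from the bulletin text above.

```python
import re
from ipaddress import ip_address

# Range the advisory names as affected: ScreenConnect 23.9.7 and earlier.
LAST_AFFECTED_VERSION = (23, 9, 7)
# IoCs as listed in the bulletin (defanged with "[.]"); refanged locally for matching.
ADVISORY_IOCS = ["155.133.5[.]15", "155.133.5[.]14", "118.69.65[.]60"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as '155.133.5[.]15' back into a plain IP string."""
    return indicator.replace("[.]", ".")

def parse_version(version: str) -> tuple:
    """Split a dotted version string into a tuple of ints so it can be ordered."""
    return tuple(int(part) for part in version.strip().split("."))

def is_affected_version(version: str) -> bool:
    """True when the version is 23.9.7 or earlier, i.e. inside the affected range."""
    return parse_version(version)[:3] <= LAST_AFFECTED_VERSION

IOC_IPS = {ip_address(refang(i)) for i in ADVISORY_IOCS}
# Common Log Format: client IP, identity, user, [timestamp], "request", status, size.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

def find_ioc_hits(log_lines):
    """Return (client_ip, timestamp, request) for each line whose client IP is a listed IoC."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        try:
            client = ip_address(m.group("ip"))
        except ValueError:
            continue  # hostname or garbage in the IP field
        if client in IOC_IPS:
            hits.append((str(client), m.group("ts"), m.group("req")))
    return hits

# Constructed sample web-server log lines (not real traffic); two come from listed IoCs.
SAMPLE_LOG = [
    '10.0.0.7 - - [21/Feb/2024:10:01:02 +0000] "GET /Login HTTP/1.1" 200 1234',
    '155.133.5.15 - - [21/Feb/2024:10:02:15 +0000] "GET / HTTP/1.1" 200 4321',
    '192.168.1.20 - - [21/Feb/2024:10:03:40 +0000] "GET /Host HTTP/1.1" 302 0',
    '118.69.65.60 - - [21/Feb/2024:10:05:09 +0000] "POST /Login HTTP/1.1" 200 987',
]

if __name__ == "__main__":
    print(find_ioc_hits(SAMPLE_LOG), is_affected_version("23.9.7"))
```

Feed real access logs to find_ioc_hits and the output of the server's version string to is_affected_version; a hit or an affected version both warrant the patching and investigation steps the advisory describes.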
Conclusion and Ongoing Monitoring
The discovery of CVE-2024-1708 and CVE-2024-1709 underscores the critical need for continuous vigilance and prompt action in the face of emerging cybersecurity threats.
Organizations relying on ConnectWise ScreenConnect must take immediate steps to secure their systems against these vulnerabilities.
As the situation evolves, it’s imperative for organizations to stay informed and ready to respond to ensure the security and integrity of their systems and data.
Blackpoint Cybersecurity’s MacKenzie Brown, Nick Hyatt, and Robert Russell have an insightful discussion on the recent vulnerabilities discovered in ConnectWise’s ScreenConnect software.
While there is currently no public proof-of-concept (POC) available, Blackpoint’s Adversary Pursuit Group has developed an internal POC and found these vulnerabilities to be surprisingly easy to exploit.
In this video, they delve into the potential risks and implications of these security flaws and share how their Security Operations Center is proactively responding to protect our clients.