SUBJECT: Urgent Patch Required: Critical Authentication Bypass Vulnerability in ConnectWise ScreenConnect (CVE-2024-1709)
TECH STACK: ConnectWise ScreenConnect
DATE(S) ISSUED: 02/21/2024
NVD Last Modified: 02/22/2024
CRITICALITY: Critical (Base Score 10.0)
OVERVIEW:
ConnectWise ScreenConnect versions 23.9.7 and earlier are vulnerable to a critical authentication bypass vulnerability (CVE-2024-1709).
This vulnerability allows attackers to bypass authentication and gain unauthorized access to confidential information and critical systems. Attackers are actively exploiting this vulnerability, making it essential to take immediate action.
What Attackers Can Do With CVE-2024-1709?
- Gain unauthorized access to confidential information: This includes sensitive data like customer records, financial information, intellectual property, and personally identifiable information (PII).
- Attackers can use this information for various malicious purposes, such as identity theft, fraud, or blackmail.
- Install malware or ransomware: Once attackers have access to a system, they can install malware or ransomware to disrupt operations, encrypt data, and demand ransom payments.
- Disrupt or disable critical systems and services: Attackers can manipulate or disable critical systems and services, causing significant downtime and financial losses.
- Move laterally within the network: By compromising one system, attackers can use it as a springboard to move laterally within the network and compromise other systems, potentially escalating their access and impact.
- Launch further attacks against other targets: The compromised system can be used to launch further attacks against other targets within the organization or even external targets.
- Exfiltrate sensitive data from the organization: Attackers can steal sensitive data from the organization and sell it on the dark web or use it for other malicious purposes.
Why this vulnerability is critical:
- Ease of exploitation: This vulnerability is easy to exploit, requiring minimal technical skill. This makes it more likely that attackers will be able to successfully exploit it.
- Widespread impact: ConnectWise ScreenConnect is a popular remote desktop software used by many organizations. This means that a large number of systems are potentially vulnerable to this attack.
- Active exploitation: Attackers are already actively exploiting this vulnerability in the wild. This means that organizations need to take immediate action to patch their systems.
SOLUTION/MITIGATION:
The ONLY effective mitigation is to upgrade to ConnectWise ScreenConnect version 23.9.8 or later as soon as possible.
- While patching, restrict access to the ScreenConnect server to only authorized personnel.
- Enable multi-factor authentication (MFA) for all ScreenConnect accounts.
- Monitor for suspicious activity and investigate any potential unauthorized access attempts.
- Consider implementing additional security measures, such as network segmentation and intrusion detection/prevention systems (IDS/IPS).
Additional mitigation steps:
- Verify that you have successfully upgraded to ConnectWise ScreenConnect version 23.9.8 or later.
- Refer to the ConnectWise Security Bulletin for detailed instructions and troubleshooting.
- Stay informed about the latest developments regarding this vulnerability by following ConnectWise and security industry resources.
Confirmation & Additional Information:
- It is important to understand how this vulnerability is being exploited to mitigate the risk effectively. Attackers are using various techniques, including exploiting a specific API endpoint and manipulating request parameters.
- The criticality of this vulnerability is due to its potential for widespread impact and the ease of exploitation.
- Prompt patching is critical to protect your organization from this serious security threat.
REFERENCES:
For additional support, please reach out to us at support@cyrisk.com
