CVEs: CVE-2024-1708; CVE-2024-1709
Summary
On Feb. 13, 2024, ConnectWise was notified of two vulnerabilities in its remote access tool ScreenConnect. On Feb. 19, 2024, ConnectWise publicly disclosed the two vulnerabilities, one of high and one of critical severity, patched in ScreenConnect version 23.9.8: CVE-2024-1708, a path traversal vulnerability (CWE-22), and CVE-2024-1709, an authentication bypass vulnerability (CWE-288). These vulnerabilities can be exploited to deliver Remote Access Trojans (RATs), ransomware, cryptocurrency miners, stealer malware and other payloads.
CVE | Description | CVSSv3 | Severity
---|---|---|---
CVE-2024-1709 (CWE-288) | Authentication Bypass Using Alternate Path or Channel | 10.0 | Critical
CVE-2024-1708 (CWE-22) | Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) | 8.4 | High Priority
In the Feb. 19, 2024 security bulletin, ConnectWise released a patch and advised that all on-premises installations of ScreenConnect 23.9.7 and below must be updated immediately. Cloud instances were patched automatically. On Feb. 23, 2024, ConnectWise removed license restrictions so that partners no longer under maintenance can upgrade to ScreenConnect version 22.4, which fixes the critical vulnerability CVE-2024-1709. ConnectWise advised that this should be treated as an interim step.
Details of the Vulnerabilities
Together, CVE-2024-1709 and CVE-2024-1708 can allow a threat actor to perform remote code execution post authentication.
CVE-2024-1709 – Authentication Bypass
Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
This vulnerability lets an attacker create an administrative user on the ScreenConnect server, giving them complete control over it. The setup wizard is responsible for initializing the administrative user and activating a license during the initial setup phase. The vulnerability arises from improper validation of the request URL: by default in .NET, Request.Path is the combination of FilePath and the PathInfo trailer. Attackers can reach the setup wizard on already-configured ScreenConnect instances simply by requesting “/SetupWizard.aspx/attack”.
Upon a request to the “/SetupWizard.aspx” page, the OnBeginRequest method of the SetupModule handler is called. This method checks if the requested path matches “/SetupWizard.aspx”. If it does and the setup has already been completed, the user is redirected to the home page. If the user is not authenticated, they are then redirected to the login page.
When an attacker instead requests “/SetupWizard.aspx/attack”, OnBeginRequest performs the same comparison against “/SetupWizard.aspx”, which now returns false. The request is therefore allowed to continue and the “/SetupWizard.aspx” page is served, where a new administrator account can be created.
User creation takes place as soon as the “Next” button on the setup page is clicked. Consequently, there is no need to complete the setup wizard to exploit the system; neither a valid license key replacement nor license access is required. Executing this step completely overwrites the internal user database, leaving only the specified user and deleting all other local users.
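As an added example (not part of the original advisory or ScreenConnect's code), the following Python shows the FilePath/PathInfo split described above, the exact-match check beside a check that compares only the FilePath component, and a scan over constructed IIS log lines that flags requests to SetupWizard.aspx carrying a PathInfo trailer. The log layout and field positions are assumed to be the IIS W3C extended logging defaults.

```python
import re
from urllib.parse import unquote

# .NET splits Request.Path into FilePath (the part ending at the handler
# extension, e.g. ".aspx") and PathInfo (any trailing "/..." segment).  The
# vulnerable check compared the whole Request.Path with "/SetupWizard.aspx",
# so "/SetupWizard.aspx/<anything>" did not match and was let through.
def split_file_path(request_path: str) -> tuple[str, str]:
    """Simplified FilePath/PathInfo split: cut after the first extension."""
    m = re.match(r"^(.*?\.[A-Za-z0-9]+)(/.*)?$", request_path)
    if not m:
        return request_path, ""
    return m.group(1), m.group(2) or ""

def vulnerable_is_setup_wizard(request_path: str) -> bool:
    """Exact match on the full path (the flawed behaviour described above)."""
    return request_path == "/SetupWizard.aspx"

def hardened_is_setup_wizard(request_path: str) -> bool:
    """Match on the FilePath component only, so a PathInfo trailer cannot evade it."""
    file_path, _ = split_file_path(unquote(request_path))
    return file_path.lower() == "/setupwizard.aspx"

# Constructed IIS W3C log lines (fields: date time s-ip cs-method cs-uri-stem
# cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status ...).
SAMPLE_LOG = """\
2024-02-20 10:01:02 10.0.0.5 GET /SetupWizard.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 302 0 0 12
2024-02-20 10:01:05 10.0.0.5 GET /SetupWizard.aspx/trailer - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 30
2024-02-20 10:02:11 10.0.0.5 POST /SetupWizard.aspx/x - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 45
2024-02-20 10:03:00 10.0.0.5 GET /Host - 443 - 198.51.100.2 Mozilla/5.0 - 200 0 0 8
"""

def find_setup_wizard_trailer_requests(log_text: str) -> list[dict]:
    """Return entries whose URI stem is SetupWizard.aspx with a PathInfo trailer."""
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#"):          # W3C directive lines
            continue
        fields = line.split()
        if len(fields) < 12:
            continue
        file_path, path_info = split_file_path(unquote(fields[4]))
        if file_path.lower() == "/setupwizard.aspx" and path_info:
            hits.append({"time": f"{fields[0]} {fields[1]}", "method": fields[3],
                         "client": fields[8], "uri": fields[4], "status": fields[11]})
    return hits
```

A 200 on a SetupWizard.aspx request with a trailer on an already-configured server, rather than the 302 redirect the unmodified path receives, is the pattern worth alerting on.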
After obtaining administrative access to a compromised instance, creating and uploading a malicious ScreenConnect extension to achieve Remote Code Execution (RCE) is straightforward: the extension feature of ScreenConnect allows code to be executed on the ScreenConnect server.
CVE-2024-1708 – Path Traversal
Base score is 8.4 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
ScreenConnect incorporates the capability to install extensions, enabling users to customize remote access and support with additional features and functionality. Extensions are installed by sending a request, with administrator permissions, to “/Services/ExtensionService.ashx/InstallExtension” with a JSON body.
An attacker with administrator permissions can call the same endpoint with a JSON body consisting of an array that contains an encoded ZIP file.
Attackers can use the path traversal flaw to write files directly into the root of the App_Extensions directory.
The vulnerability occurs due to the lack of proper validation of a ZIP file. During the extraction process, the FName field in the Local File Header and the CDFName field in the Central Directory Header are not adequately checked for path traversal characters.
An attacker could exploit this vulnerability by submitting a request with a manipulated ZIP file containing “..” or “../” in these fields. When extracted, the archive would place files directly within the “\ScreenConnect\App_Extensions” directory. With a file now present in “\ScreenConnect\App_Extensions”, the attacker could send a request for the newly created file, potentially leading to the execution of arbitrary commands on the target server.
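As an added example (not ScreenConnect's code), the following Python reads the raw ZIP structures to check both the Local File Header name (FName) and the Central Directory Header name (CDFName) for traversal sequences before anything is extracted, which is the validation the advisory says was missing; the archive builder is constructed test input, and the header offsets follow the ZIP specification.

```python
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG = b"PK\x03\x04", b"PK\x01\x02"

def iter_entry_names(data: bytes):
    """Yield ("local" | "central", name) for every file header in the ZIP bytes,
    reading the raw structures rather than trusting a library's merged view."""
    pos = 0
    while (pos := data.find(b"PK", pos)) >= 0:
        sig = data[pos:pos + 4]
        if sig == LOCAL_SIG:
            # Local File Header: compressed size at +18, name/extra lengths at +26.
            comp_size = struct.unpack_from("<I", data, pos + 18)[0]
            name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
            yield "local", data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
            pos += 30 + name_len + extra_len + comp_size   # skip the file data too
        elif sig == CENTRAL_SIG:
            # Central Directory Header: name/extra/comment lengths at +28.
            name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
            yield "central", data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
            pos += 46 + name_len + extra_len + comment_len
        else:
            pos += 2   # other record (e.g. end of central directory); keep scanning

def is_unsafe_name(name: str) -> bool:
    """True if the entry name could resolve outside the extraction directory:
    absolute or drive-qualified paths, or any '..' component (either separator)."""
    n = name.replace("\\", "/")
    if n.startswith("/") or (len(n) > 1 and n[1] == ":"):
        return True
    return ".." in n.split("/")

def unsafe_entries(data: bytes) -> list[tuple[str, str]]:
    """Traversal candidates, checking BOTH the local and central copies of each
    name, since an extractor may read either field."""
    return [(kind, name) for kind, name in iter_entry_names(data) if is_unsafe_name(name)]

def build_sample_zip(names: list[str]) -> bytes:
    """Constructed test input: a ZIP whose entry names come from `names`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for n in names:
            zf.writestr(n, b"x")
    return buf.getvalue()
```

An installer that rejects the archive when unsafe_entries() is non-empty never writes outside App_Extensions, regardless of which of the two headers its extractor consults.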
Active Exploitation in the Wild
On Feb. 22, 2024, CISA added the new ConnectWise vulnerability CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
Cybersecurity firm Huntress said it found more than 8,800 servers running a vulnerable version of ScreenConnect. North Korean threat actors have exploited the recently disclosed security flaws in ConnectWise ScreenConnect to deploy a new malware called TODDLERSHARK.
Current Guidance
The vulnerabilities impact ScreenConnect versions 23.9.7 and prior, with fixes available in version 23.9.8.
The ConnectWise security fix bulletin indicates that ScreenConnect servers hosted in screenconnect[.]com cloud or hostedrmm[.]com have been updated to remediate the issue and no end user action (on client) is required. For those with self-hosted or on-premises deployments, the guidance is to patch as soon as possible.
ConnectWise has removed license restrictions so that older versions can be upgraded even if no longer under maintenance. ConnectWise recommends that on-premises partners upgrade to remain within maintenance and gain access to all security and product enhancements.
Versa Networks Protections for ConnectWise Vulnerabilities
Versa has identified and issued the following threat prevention signatures in our latest security pack 2141 to defend against attacks on the ConnectWise vulnerabilities. These signatures are part of the Versa recommended vulnerability profile, and customers using it will automatically get protection. Versa recommends that customers running a custom vulnerability profile select and activate the signatures to get protection. Customers can visit our Support Center to obtain more information on SPACK 2141 and follow the forum.
SID (Signature Identifier) | CVE
---|---
1240221030 | CVE-2024-1709
1240219030, 1240219031, 1000019515 | CVE-2024-1708
Versa Networks customers benefit from enhanced security protections provided in our products which can help to defend against threat actor exploitations of vulnerabilities.
Versa Zero Trust Network Access (ZTNA) – Provides secure remote access for employees. With this solution, remote employees can now securely connect to applications in on-premises, private and public clouds based on the principle of Zero Trust access. Versa extends secure access to the local on-premises environments, and Zero Trust access is similarly enforced for users in the branch, campus or data center, limiting lateral movement inside the network.
Versa Secure Internet Access (VSIA) with URL filtering and DNS security – Cloud-managed and cloud-delivered, Versa Secure Internet Access with advanced URL filtering and DNS security inspects all incoming and outgoing traffic for malicious exploits and known malicious domains, including those associated with the vulnerabilities, and will block associated IOCs.
Versa Next Generation Firewall (NGFW) with IPS and Advanced Threat Prevention – Provides comprehensive security coverage and can help to block attacks arising from the vulnerabilities via security packs and sandboxing, together with other elements within the VSIA product offering.
Indicators of Compromise (IOCs)
ConnectWise has identified the following IOCs, which were recently used by threat actors:
References
https://thehackernews.com/2024/02/critical-flaws-found-in-connectwise.html
https://thehackernews.com/2024/03/hackers-exploit-connectwise.html
https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypas
https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
https://news.sophos.com/en-us/2024/02/23/connectwise-screenconnect-attacks-deliver-malware/
https://www.cisa.gov/news-events/alerts/2024/02/22/cisa-adds-one-known-exploited-connectwise-vulnerability-cve-2024-1709-catalog