Advisory Overview
ConnectWise issued a warning to its MSP customers about a security vulnerability found in Automate, a remote management platform, in which the API can be used by a remote user to make modifications to the Automate instance.
Technical detail and additional information
What is the threat?
If a threat actor is able to access the Automate API, the vulnerability allows that actor to make configuration changes to the instance remotely. Additionally, ConnectWise issued a warning about phishing campaigns against ConnectWise Control customers and Automate intrusion attempts in May 2020, illustrating a clear threat targeting the platform.
What is the exposure or risk?
Automate is a widely used platform across MSP customers, and the vulnerability affects both Cloud and On-Prem solutions.
What are the recommendations?
ConnectWise has issued a statement saying that they have “applied mitigating controls to block any potential exploitation and has applied the hotfix across all environments as of 8:45 pm Eastern Time, June 10, 2020. The vast majority of partners are on Cloud 2020.5 — which contains the hotfix. For the small majority that are not on Cloud 2020.5, a mitigation is in place and a hotfix push is imminent.”
For customers using the On-Prem instance or an older version of the Cloud instance, SKOUT recommends updating to version 2020.5 or applying the mitigation controls described in the reference below.
A statement and instructions from ConnectWise can be accessed here.
References:
For more in-depth information about the recommendations, please visit the following links:
- https://www.msspalert.com/cybersecurity-news/connectwise-control-automate-security-alerts/
- https://docs.connectwise.com/ConnectWise_Automate/ConnectWise_Automate_Supportability_Statements/Supportability_Statement%3A_ConnectWise_Automate_Mitigation_Steps
If you have any questions, please contact our Security Operations Center.