Advisory Overview
Multiple security vulnerabilities in ConnectWise Control were recently disclosed. Anyone using the MSP-focused software should update to the newest version immediately and watch for further updates. ConnectWise has responded to the disclosure and issued a matrix addressing each vulnerability.
Technical detail and additional information
What is the threat?
Researchers from the security company Bishop Fox uncovered eight vulnerabilities while researching the ConnectWise Control product. The vulnerabilities range from low to high severity, and taken together they form an attack chain. Using the vulnerabilities as a chain would allow an attacker to execute arbitrary code on a victim's Control server and to gain full control of any client desktop machines connected to the victim's Control instance. In the software-as-a-service (SaaS) deployment, access to the Control server could in turn give the attacker access to all associated AWS S3 buckets or EC2 instances. The other avenue of attack is the client machine where the ConnectWise application is installed: without cross-site request forgery protection, an attacker can cause JavaScript to run in the user's web browser, which then exploits the cross-site scripting vulnerability. ConnectWise confirmed it had fixed six of the eight vulnerabilities by October 2019, the two remaining items being Cross-Site Scripting and Security Headers. The company recently stated:
“On January 21, 2020, ConnectWise again ran our own tests on 6 of the 8 items referenced in the Bishop Fox report and we can affirm that they are secure. Within the next two weeks we will resolve a seventh item that is much lower in risk. ConnectWise takes the stance that the final item identified by Bishop Fox does not pose a credible threat to users of the product.”
Eight vulnerabilities identified:
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Cross-Origin Resource Sharing Misconfiguration (CORS)
- Remote Code Execution
- Information Disclosure
- User Enumeration
- Missing Security Headers
- Insecure Cookie Scope
Why is this noteworthy?
ConnectWise is one of the leaders in the remote monitoring and management (RMM) space and has become the go-to software solution for MSPs looking to grow their business. ConnectWise has also been tied to security issues in the past. In April 2019 the Control product was used in the Wipro hack. In August 2019 it was involved in a ransomware incident in Texas, where an MSP had its network compromised through an on-premises version of ConnectWise Control, which led to 22 networks throughout Texas being locked behind encryption keys.
SolarWinds, another major RMM vendor for MSPs, also experienced a zero-day vulnerability in its remote monitoring and management tool N-central; security researchers tested the flaw and were able to retrieve an account holder's administrative credentials. This is important to note because ConnectWise and SolarWinds are two of the most widely used RMM tools for MSPs, yet they can still easily become susceptible to security vulnerabilities that end up causing severe damage to companies.
What is the exposure or risk?
ConnectWise has over 100,000 IT professionals using its software to conduct business operations. Misconfigured services can lead to highly confidential data being accessed and stolen by cybercriminals. With full control, attackers can copy and exfiltrate data for malicious ends. By chaining the vulnerabilities, cybercriminals can gain access to multiple services that should be reachable only by their intended users. Multiple vulnerabilities were discovered during the research, and this puts at risk not only the provider's services but also all of its clients' networks and personal information.
What are the recommendations?
- Security and awareness training should be established for businesses to educate employees and end customers on the importance of staying vigilant about cybersecurity and its constant malicious threats.
- CSRF-prevention tokens should be implemented for all endpoints that modify data to further enhance security.
- ConnectWise released a summary matrix of the analyses and their response to the matter: https://www.connectwise.com//-/media/documents/connectwisecontrolsecurityevaluationmatrix
- ConnectWise launched a security trust site which will be the primary source for information regarding security incidents, alerts, critical patches, and product updates: https://www.connectwise.com/company/trust
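The following is an added example, not ConnectWise code and not part of the original advisory. It models the two server-side controls the findings above turn on: a per-session CSRF token that is required on every endpoint that modifies data (the recommendation in the list), and a response that carries the security headers and a narrowly scoped session cookie whose absence the vulnerability list records as "Missing Security Headers" and "Insecure Cookie Scope". The request and response shapes, the route names, the header values and the server secret are all assumptions constructed for the illustration.

```python
# Added illustration (not ConnectWise code): synchronizer CSRF tokens on every
# state-changing method, plus a hardened response with security headers and a
# narrowly scoped session cookie. Route names and request shape are assumed.
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed server secret for the demo; a deployment loads this from config.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

# Methods that modify data and therefore must carry a valid CSRF token.
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Illustrative defaults for the headers grouped under "missing security
# headers"; these values are assumptions, not ConnectWise settings.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "no-referrer",
}


def csrf_token_for(session_id: str) -> str:
    """Derive the CSRF token as HMAC(secret, session id).

    Binding the token to the session means a token captured from one session
    does not validate for another, and the server can recompute it on demand
    instead of storing a second secret per user.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time check of the submitted token against the expected one."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token_for(session_id), submitted)


@dataclass
class Request:
    method: str
    path: str
    session_id: str  # value of the session cookie, already extracted
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def session_cookie(session_id: str, path: str = "/app") -> str:
    """Set-Cookie value scoped to the application path and to HTTPS only,
    unreadable from script (HttpOnly) and not sent cross-site (SameSite)."""
    return f"session={session_id}; Path={path}; Secure; HttpOnly; SameSite=Strict"


def respond(status: int, body: str, session_id: str) -> Response:
    headers = dict(SECURITY_HEADERS)
    headers["Set-Cookie"] = session_cookie(session_id)
    return Response(status, headers, body)


def handle(req: Request) -> Response:
    """Route a request, rejecting any state-changing call without a valid token."""
    if req.method in STATE_CHANGING_METHODS:
        # Accept the token from a custom header or a form field; either must
        # match the value derived from the caller's own session cookie.
        submitted = req.headers.get("X-CSRF-Token") or req.form.get("csrf_token")
        if not csrf_token_valid(req.session_id, submitted):
            return respond(403, "CSRF token missing or invalid", req.session_id)
    if req.path == "/app/settings" and req.method == "POST":
        return respond(200, "settings updated", req.session_id)
    if req.path == "/app/settings" and req.method == "GET":
        return respond(200, "settings page", req.session_id)
    return respond(404, "not found", req.session_id)


def demo() -> None:
    sid = secrets.token_hex(16)
    # A cross-site form post carries the session cookie but no token.
    forged = Request("POST", "/app/settings", sid, form={"setting": "x"})
    # The legitimate page embeds the token it was served and sends it back.
    legit = Request("POST", "/app/settings", sid,
                    headers={"X-CSRF-Token": csrf_token_for(sid)})
    print(handle(forged).status, handle(legit).status)


if __name__ == "__main__":
    demo()
```

The token check sits in front of the routing so no state-changing endpoint can be added later without inheriting it; this is the practical meaning of "all endpoints that modify data". The `SameSite=Strict` cookie attribute is a second, independent layer: even if a future endpoint forgets the token, the browser will not attach the session cookie to a cross-site request in the first place.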
References:
For more in-depth information about the recommendations, please visit the following links:
- https://www.crn.com/news/security/blue-chip-msp-synoptek-hit-by-ransomware-paid-ransom-to-extortionists-report
- https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack
- https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/
If you have any questions, please contact our Security Operations Center.