Multiple security vulnerabilities in ConnectWise Control were recently disclosed. Anyone using the MSP focused software should immediately update to the newest version and be on the lookout for future updates. ConnectWise has responded to the disclosure and issued a matrix addressing each vulnerability.
Technical detail and additional information
What is the threat?
“ On January 21, 2020, ConnectWise again ran our own tests on 6 of the 8 items referenced in the Bishop Fox report and we can affirm that they are secure. Within the next two weeks we will resolve a seventh item that is much lower in risk. ConnectWise takes the stance that the final item identified by Bishop Fox does not pose a credible threat to users of the product.“
Eight vulnerabilities identified:
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Cross-Origin Resource Sharing Misconfiguration (CORS)
- Remote Code Execution
- Information Disclosure
- User Enumeration
- Missing Security Headers
- Insecure Cookie Scope
Why is this noteworthy?
ConnectWise is one of the top leaders in the remote monitoring and management (RMM) space. They have become the go-to software solution for MSP’s to grow their business. ConnectWise has also been tied to security issues in the past. In April of 2019 the Control product was used in the Wipro hack. In August of 2019 they were involved in a ransomeware incident in Texas where an MSP had its network hacked using an on-premise version on ConnectWise Control, which led to 22 networks throughout Texas being locked behind encryption keys.
Solarwinds, another big leader in RMM for MSPs, also experienced a zero-day vulnerability in their remote monitoring and management tool n-Central, which was tested by security researchers and worked to successfully retrieve the administrative credentials of an account holder. This is important to note since both ConnectWise and Solarwinds are two of the most used remote monitoring and management tools for MSPs but they can still easily become susceptible to security vulnerabilities that ultimately end up causing severe damage to companies.
What is the exposure or risk?
ConnectWise has over 100,000 IT professionals using their software to conduct business operations. Misconfigured services can lead to highly confidential data being stolen and accessed by cybercriminals. With full control, attackers can copy and exfiltrate data to use it for malicious intent. Cybercriminals can exploit attack chaining to gain access to multiple services that should only be attainable for the respected users. Multiple vulnerabilities were discovered during research, and this not only puts the services of the provider at risk but can also threaten all their clients’ networks and personal information.
What are the recommendations?
- Security and awareness training should be established for business to educate employees and end-customers on the importance of staying vigilant when dealing with cybersecurity and its constant malicious threats.
- CSRF-prevention tokens should be implemented for all endpoints that modify data to further enhance security.
- ConnectWise released a summary matrix of the analyses and their response to the matter: https://www.connectwise.com//-/media/documents/connectwisecontrolsecurityevaluationmatrix
- ConnectWise launched a security trust site which will be the primary source for information regarding security incidents, alerts, critical patches, and product updates: https://www.connectwise.com/company/trust
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.