A critical vulnerability was discovered in ConnectWise Recover and R1Soft Server Backup Manager (SBM). ConnectWise describes the vulnerability as “improper neutralization of special elements in output used by a downstream component”. Successful exploitation would allow a threat actor to execute code remotely or directly access confidential data. Barracuda MSP recommends updating the affected ConnectWise Recover installations and upgrading R1Soft Server Backup Manager to the patched release as soon as possible.
What is the threat?
The vulnerability impacts ConnectWise Recover v2.9.7 and earlier versions and R1Soft SBM v6.16.3 and earlier versions. The impacted versions construct all or part of a command, data structure, or record using externally influenced input from an upstream component, but do not verify the assumptions about that user-controlled input before sending it to a downstream component, which can lead to injection attacks.
Why is it noteworthy?
Improper neutralization of special elements in output used by a downstream component is a critical severity vulnerability. ConnectWise also tagged it as a high-priority issue, as a flaw that’s either exploited in attacks or at a high risk of being targeted in the wild. “The vulnerability can be used to ‘push ransomware’ through thousands of R1Soft servers exposed on the Internet, according to Huntress Labs CEO Kyle Hanslovan. According to a Shodan scan, more than 4,800 Internet-exposed R1Soft servers are likely exposed to attacks if they haven’t been patched since ConnectWise has released patches for this RCE bug.” (BleepingComputer)
What is the exposure or risk?
The vulnerability allows attackers to access confidential data or execute code remotely. With this RCE bug, an attacker can gain access to a target machine across the internet, a wide area network, or a local area network and completely take over a vulnerable application. Affected software versions are ConnectWise Recover v2.9.7 or earlier and R1Soft SBM v6.16.3 or earlier; R1Soft servers that are not patched to the latest version are exposed to a significant security incident.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of an improper neutralization of special elements in output used by a downstream component vulnerability:
- ConnectWise Recover: update to the latest version of Recover (v2.9.9). (This should have happened automatically.)
- R1Soft: upgrade the server backup manager to SBM v6.16.4, released October 28, 2022, following the R1Soft upgrade wiki.
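The following is an added example, not code from Barracuda MSP, ConnectWise or R1Soft, that applies the affected and fixed version numbers stated above to a constructed host inventory so an MSP can list which backup servers still need the update. Hostnames, the inventory format and the `is_affected`/`triage` helper names are assumptions; the version thresholds are the ones given in this advisory.

```python
from typing import Dict, List, Tuple

# Version thresholds from the advisory: these and earlier are affected,
# and the fixed releases are the ones to upgrade to.
AFFECTED_UP_TO: Dict[str, str] = {
    "ConnectWise Recover": "2.9.7",
    "R1Soft SBM": "6.16.3",
}
FIXED_IN: Dict[str, str] = {
    "ConnectWise Recover": "2.9.9",
    "R1Soft SBM": "6.16.4",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'v6.16.3' into (6, 16, 3) so comparisons are numeric, not lexical.
    A plain string comparison would wrongly rank '6.16.10' below '6.16.3'."""
    return tuple(int(part) for part in v.strip().lstrip("vV").split("."))


def is_affected(product: str, version: str) -> bool:
    """True if the product/version pair falls inside the affected range."""
    if product not in AFFECTED_UP_TO:
        return False
    return parse_version(version) <= parse_version(AFFECTED_UP_TO[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, fixed_version) for every affected host."""
    return [
        (host, product, version, FIXED_IN[product])
        for host, product, version in inventory
        if is_affected(product, version)
    ]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("sbm-01.example.test", "R1Soft SBM", "v6.16.3"),
    ("sbm-02.example.test", "R1Soft SBM", "6.16.4"),
    ("sbm-03.example.test", "R1Soft SBM", "6.16.10"),
    ("recover-01.example.test", "ConnectWise Recover", "2.9.7"),
    ("recover-02.example.test", "ConnectWise Recover", "2.9.9"),
    ("backup-fs.example.test", "Other Backup Product", "1.0"),
]

if __name__ == "__main__":
    for host, product, version, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected; upgrade to {fixed}")
```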
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.