Cybersecurity Threat Advisory

Researchers have discovered a vulnerability in the ScreenConnect remote support software that, if successfully exploited, can allow remote code execution on a targeted server. Continue reading this Cybersecurity Threat Advisory to learn how to keep your environment safe.

What is the threat?

The ViewState code injection vulnerability in ScreenConnect versions 25.2.3 and earlier poses a significant threat: it allows authenticated users to potentially execute arbitrary code on the server. Attackers exploit the ASP.NET ViewState mechanism by manipulating ViewState data after gaining access to the machine keys used for encoding. If exploited, this could lead to unauthorized access to the affected server, enabling an attacker to perform remote code execution (RCE) attacks on the web server hosting the ASP.NET application.

Why is it noteworthy?

This vulnerability exploits the ASP.NET ViewState mechanism, which web applications use to maintain the state of user interactions. If attackers gain access to the machine keys that protect this data, they can craft malicious ViewState payloads, compromising the integrity and confidentiality of the server. Given the widespread use of ASP.NET and ScreenConnect in enterprise environments, organizations must act promptly to mitigate this vulnerability.
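Because the protection described above rests entirely on the secrecy of the machine keys, it helps to know where readable key material sits on disk. The following is an added example, not code from the advisory, Barracuda or ConnectWise: a generic ASP.NET `web.config` audit that goes beyond ScreenConnect itself (the advisory does not say where ScreenConnect stores its keys). The function name, finding codes, "legacy" algorithm policy and sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments for illustration; key values are fake.
STATIC_CONFIG = """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF" decryptionKey="FEDCBA9876543210"
              validation="SHA1" decryption="AES" />
  <pages enableViewStateMac="false" />
</system.web></configuration>"""

AUTO_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" />
</system.web></configuration>"""

ENCRYPTED_CONFIG = """<configuration><system.web>
  <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData>constructed-placeholder</EncryptedData>
  </machineKey>
</system.web></configuration>"""

# Validation algorithms this example treats as legacy (an assumed policy).
LEGACY_VALIDATION = {"MD5", "SHA1", "3DES"}


def audit_machine_key(config_xml):
    """Return finding codes for ViewState key handling in one web.config.

    Key material is never echoed back, only the fact that it is present.
    """
    findings = []
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        if mk.get("configProtectionProvider"):
            continue  # section is encrypted at rest; nothing readable to flag
        for attr in ("validationKey", "decryptionKey"):
            # An absent attribute means ASP.NET auto-generates the key.
            if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"static-{attr}")
        algo = mk.get("validation", "")
        if algo.upper() in LEGACY_VALIDATION:
            findings.append(f"legacy-validation:{algo}")
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("viewstate-mac-disabled")
    return findings


if __name__ == "__main__":
    for name, xml in (("static", STATIC_CONFIG), ("auto", AUTO_CONFIG),
                      ("encrypted", ENCRYPTED_CONFIG)):
        print(name, audit_machine_key(xml) or "no findings")
```

A `static-*` finding means anyone who can read that file can read the key, so such files warrant tight access control and key rotation after any suspected compromise.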

What is the exposure or risk?

The risk from the ViewState code injection vulnerability in ScreenConnect lies in the potential for attackers to execute arbitrary code on the server. This exposure can compromise the security and integrity of the entire remote support environment.

What are the recommendations?

Barracuda recommends the following to protect your environment:

  • Update to ScreenConnect version 25.2.4 or later to address the ViewState code injection vulnerability.
  • Enable multi-factor authentication for all user accounts in ScreenConnect to enhance security and reduce the risk of unauthorized access.
  • Continuously monitor remote support sessions for any unusual activity or unauthorized access attempts.
  • Create an incident response plan that outlines procedures to identify, contain, and remediate exploitation attempts related to ScreenConnect, and train all relevant personnel on their roles during a security incident.

Reference

For more in-depth information about the recommendations, please visit the following link:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.


Posted by Asaad Shaikh

Asaad is a Cybersecurity Analyst at Barracuda. He supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
