
Critical vulnerabilities in ConnectWise ScreenConnect: CVE-2024-1708 and CVE-2024-1709

Two critical vulnerabilities have been discovered in ConnectWise ScreenConnect, a remote desktop and mobile support solution. Chained together, they allow an attacker to execute arbitrary commands on a vulnerable ScreenConnect server.

The vulnerabilities in detail

CVE-2024-1708 is a path-traversal vulnerability rated CVSS 8.4, affecting ScreenConnect 23.9.7 and earlier. It may allow an attacker to execute code remotely or to directly access confidential data or critical systems.

CVE-2024-1709, also affecting ScreenConnect 23.9.7 and earlier, is an authentication bypass using an alternate path or channel, rated CVSS 10.0. An attacker exploiting this flaw could obtain elevated privileges equivalent to those of a system administrator and completely take over the instance, including gaining direct access to confidential information, creating admin accounts, and deleting all other users on publicly exposed instances.

Exploitation status

While the company's initial advisory, released on 13 February 2024, stated that there was no evidence of the vulnerabilities being exploited in the wild, later updates from ConnectWise acknowledged compromised accounts, indicating active exploitation of the flaws.

Several researchers and security firms have also confirmed that the authentication bypass (CVE-2024-1709) requires minimal technical knowledge to exploit, and proof-of-concept exploits have since been published online. Because of its exploitation status, the US Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities (KEV) catalog.

The exact scale of the exploitation campaign is currently unknown, but according to the cybersecurity firm Huntress, over 8,800 servers are running a vulnerable version of ScreenConnect, and there are signs that the flaw is being widely exploited to deliver ransomware, remote access trojans, stealer malware, and cryptocurrency miners.

Remediation

We recommend immediately updating on-premises installations of ConnectWise ScreenConnect to version 23.9.8 or later, which remediates both vulnerabilities.

ConnectWise states in its advisory that cloud-hosted instances have already been remediated against both vulnerabilities, so cloud partners need to take no further action. The vendor has also extended support to partners who are no longer under maintenance: to fix CVE-2024-1709, they are eligible to install version 22.4 free of charge.

In its latest advisory update, the company has added "an additional mitigation step for unpatched, on-premise users that suspends an instance if it is not on version 23.9.8 or later". If the application is vulnerable, "an alert will be sent with instructions on performing the necessary actions to release the server."

Update 24-02-27: New tests added

To help our customers verify whether the version installed on their systems is vulnerable to these flaws, we have released two new vulnerability tests:

  • A version check test: HID-2-1-5356966 ConnectWise ScreenConnect < 23.9.8 Multiple Vulnerabilities
  • A remote test that actively checks the exploitability of the authentication bypass: HID-2-1-5356185 Screen Connect Authentication Bypass - CVE-2024-1709
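The version check above reduces to "is the installed version lower than 23.9.8?". The following is an added example, not code from the original page or from ConnectWise, showing how to do that comparison correctly over an inventory of hosts: versions must be compared numerically, field by field, because a plain string comparison would rank 23.9.10 below 23.9.8. Hostnames, version strings and the `triage` helper are constructed for the example and are not real systems.

```python
import re
from typing import Optional

# First release that fixes both CVE-2024-1708 and CVE-2024-1709 (from the advisory).
FIXED_VERSION = "23.9.8"

# ScreenConnect reports a dotted version, optionally with a fourth build field
# (e.g. 23.9.7.8804). Two-part strings are rejected as ambiguous.
_VERSION_RE = re.compile(r"^\s*v?(\d+\.\d+\.\d+(?:\.\d+)?)\s*$")


def parse_version(text: str) -> Optional[tuple]:
    """Turn a dotted version string into a tuple of ints.

    Returns None for anything that is not a plain dotted version, so callers
    can report unknown versions separately instead of silently treating them
    as patched.
    """
    match = _VERSION_RE.match(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if version < 23.9.8, False if >= 23.9.8, None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    fixed = parse_version(FIXED_VERSION)
    # Compare major.minor.patch as integer tuples; the trailing build number,
    # when present, does not change the outcome against 23.9.8.
    return parsed[:3] < fixed


def triage(inventory: dict) -> dict:
    """Bucket hosts into 'vulnerable', 'patched' and 'unknown' by version."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        state = is_vulnerable(version)
        if state is None:
            result["unknown"].append(host)
        elif state:
            result["vulnerable"].append(host)
        else:
            result["patched"].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "sc-01.example.internal": "23.9.7.8804",  # last vulnerable release line
    "sc-02.example.internal": "23.9.8.8811",  # fixed
    "sc-03.example.internal": "23.9.10",      # newer; string comparison would get this wrong
    "sc-04.example.internal": "22.4.1",       # old release line
    "sc-05.example.internal": "unknown",      # version could not be collected
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

One caveat for partners on the extended-support path described above: a 22.4 build that ConnectWise has rebuilt to fix CVE-2024-1709 cannot be told apart from an unpatched 22.4 by the version number alone, so hosts on that line should be confirmed against the vendor's advisory (or with the remote test for CVE-2024-1709) rather than by this check.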

Find out if you are vulnerable
To find out whether your environment is vulnerable, create a scan profile that specifically looks for the vulnerabilities mentioned above:
https://support.holmsecurity.com/knowledge/how-do-i-include-or-exclude-a-specific-vulnerability-in-a-scan