ConnectWise ScreenConnect 23.8 Security Fix
Date: 11/20/2023
Product(s): ConnectWise ScreenConnect, ConnectWise Automate (cloud instances only where ScreenConnect is installed)
Severity: Important
Priority: 1—High
Vulnerability
CVE-2023-47256: ConnectWise ScreenConnect through 23.8.4 allows local users to connect to arbitrary relay servers via implicit trust of proxy settings.
CVE-2023-47257: ConnectWise ScreenConnect through 23.8.4 allows man-in-the-middle attackers to achieve remote code execution via crafted messages.
Severity
Important—Vulnerabilities that could compromise confidential data or other processing resources but require additional access / privilege to do so.
Priority
1—Vulnerabilities that are either being targeted or have higher risk of being targeted by exploits in the wild. Recommend installing updates as emergency changes or as soon as possible (e.g., within days).
Affected versions
ConnectWise ScreenConnect versions 23.8 and earlier are impacted, in addition to ConnectWise Automate cloud instances where ScreenConnect is installed.
Remediation
CLOUD:
Cloud instances are being automatically updated on a rolling schedule; however, administrators can manually force this update through cloud.screenconnect.com. See the following steps to upgrade:
- https://docs.connectwise.com/ConnectWise_ScreenConnect_Documentation/Get_started/Cloud_portal/Instances_page/Upgrade_a_cloud_instance
- Update guest clients to the server version Reinstall and upgrade an access agent - ConnectWise
ON-PREMISE:
Please upgrade to ScreenConnect version 23.8.5 and update your guest clients to the same version.
Automate partners with ConnectWise ScreenConnect:
For Automate partners with the ScreenConnect plugin, to check if a new build has been released for your ScreenConnect installation visit: Upgrading ConnectWise ScreenConnect via the Plugin.