On February 4, 2020, Huntress Labs contacted our ConnectWise Control team with a potential risk involving password resets and multi-factor authentication (MFA). Within two hours, our team mitigated the issue.
This configuration was limited to the cloud.screenconnect.com logon, which is solely for admin accounts and would require the attacker to have access to the email of the partner’s admin user. In this specific case, the password reset process sends a password reset link via email to the ConnectWise Control admin user email address on record. After completing the password reset, the user was subsequently logged in. The concern was that an attacker with access to the user’s email could have potentially leveraged the password reset functionality to gain access without the MFA challenge.
Password resets now require re-authentication, including MFA, if configured, which mitigates this potential risk.
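The flaw and the fix described above, as an added example that is not ConnectWise's code: a toy Python model of a reset flow in which the weak variant hands out a session straight from the emailed token, while the hardened variant only changes the password, revokes existing sessions, and forces a fresh login that includes MFA when it is configured. The names (User, reset_vulnerable, reset_hardened, login), the in-memory token store and the TOTP-based second factor are assumptions of the example.

```python
import hashlib, hmac, secrets, struct, time
from dataclasses import dataclass, field

@dataclass                          # toy model of the flow above: added example, not ConnectWise code
class User:
    name: str
    pw_hash: str
    mfa_secret: "bytes | None"      # None means MFA is not configured for this user
    sessions: set = field(default_factory=set)
def hash_pw(pw):                    # demo hash only; production uses argon2/bcrypt
    return hashlib.sha256(pw.encode()).hexdigest()
def totp(secret, now=None):         # RFC 6238 TOTP: 30-second step, 6 digits
    step = int((time.time() if now is None else now) // 30)
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return "%06d" % ((struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10**6)

RESET_TOKENS = {}                   # token -> (user name, expiry); the emailed link carries the token
def issue_reset_token(user):
    RESET_TOKENS[(tok := secrets.token_urlsafe(16))] = (user.name, time.time() + 900)
    return tok

def _apply_reset(tok, new_pw, users):   # shared by both flows: consume the token once, set the new hash
    name, expiry = RESET_TOKENS.pop(tok, (None, 0.0))
    if name is None or time.time() > expiry:
        raise PermissionError("invalid, reused or expired reset token")
    users[name].pw_hash = hash_pw(new_pw)
    return users[name]

def reset_vulnerable(tok, new_pw, users):
    # Weak flow: the emailed token sets the password AND creates a session, so
    # whoever controls the mailbox lands in the app with no MFA prompt.
    user = _apply_reset(tok, new_pw, users)
    user.sessions.add(sid := secrets.token_hex(8))
    return sid

def reset_hardened(tok, new_pw, users):
    # Mitigated flow: only the password changes, existing sessions are revoked,
    # and a new session can come only from login() below.
    _apply_reset(tok, new_pw, users).sessions.clear()

def login(user, pw, mfa_code=None, now=None):
    # Sole session-issuing path: password check, then MFA when it is configured.
    if not hmac.compare_digest(user.pw_hash, hash_pw(pw)):
        return None
    if user.mfa_secret is not None and (mfa_code is None or
            not hmac.compare_digest(mfa_code, totp(user.mfa_secret, now))):
        return None
    user.sessions.add(sid := secrets.token_hex(8))
    return sid
```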
We have verified our mitigation and have asked Huntress Labs to verify as well.
For further questions or concerns, please contact Security@ConnectWise.com.
Earlier this week, a story was published about potential security vulnerabilities with ConnectWise Control. In the spirit of transparency, I wanted to provide an update on this story and outline what has been done and what our ongoing efforts are to ensure the security of our products, your business and your customers.
In late September, ConnectWise received notification from an organization that operates as a consultant in the security space, stating they had identified eight potential vulnerabilities in ConnectWise Control. While our product and security teams felt that many of these potential vulnerabilities presented a low risk of actual attack to our partners, we take security extremely seriously and investigated, resolving six of the areas of concern by Oct 2, 2019.
While the threat landscape is ever changing, we seek to constantly and proactively manage security efforts not only through the updating of our products, but through the education of our team and collaboration with third-party security experts.
As security is of critical importance to us, here are some of the things we have been doing and where we are today:
• ConnectWise recently passed an independent SOC 2 Type 2 audit for the benefit of all current and prospective Partners. We regularly conduct penetration tests performed by both internal and external resources, have implemented ethical hacker training and OWASP processes, and consistently run vulnerability assessments on our systems and products.
• We have implemented tools that automatically evaluate behavior to reduce misuse of our products, have started using machine learning to detect anomalous logins, are about to launch a bug bounty program, and have begun rolling out MFA and SSO across the platform.
• In Q4 of 2019, we also invested in a comprehensive developer security training curriculum to increase the security skills of our teams and ensure that our developers are trained on the most recent and relevant application security coding practices.
• On January 21, 2020 we launched the ConnectWise Security Trust site, which will be a primary source of information on security incidents, relevant alerts and of course critical patches and product updates.
• We hired GuidePoint Security, LLC, an independent third-party cybersecurity solutions company, to further validate our patches and confirm that the vulnerabilities were mitigated. We have published a matrix outlining each potential vulnerability with the perspectives from Bishop Fox, Huntress Labs and GuidePoint Security, LLC, along with our stance on the issue and any action being taken.
• One of the remaining two suggested areas of remediation is Cross-site Scripting (XSS) which is the potential for abuse of the Control Administrator role’s ability to customize the application. This customization ability is a key feature of Control that many partners value. This issue is considered a low actual risk, but we will be removing the option from our trial offering.
• The final identified issue is related to Security Headers. The strongest defense involves layers of security. Security Headers represent one option for implementing certain layers. In the absence of Security Headers, ConnectWise does implement security layers addressing the types of threats reported in the consultant’s assessment.
As we continue to investigate potential vulnerabilities and implement mitigation plans, we will be posting updates to our Security Trust site. I encourage you to check this site for the latest information, as well as future updates from our work with GuidePoint Security, LLC.
In our conversations with Huntress Labs to compare our findings and their results, Kyle Hanslovan, CEO of Huntress Labs, had this to share:
“Bugs happen. And it’s not about when bugs happen, but it’s about what you do when they happen. We were happy to work with CRN earlier this week to confirm that ConnectWise had already patched 6 of the 8 items found. I think three things matter in this scenario: Were the bugs acknowledged, were the bugs fixed and was the company passionate about fixing them for the right reasons? I think ConnectWise came through on all three things, and after our positive conversation on January 23, we’re excited about continuing to work with ConnectWise and other vendors for the benefit of the channel as a whole.”
I want to assure our community that we understand the trust you place in our products and people. We take that trust seriously. You have our unrelenting commitment to security and transparency, and we appreciate your questions and feedback to our continuous improvement.
ConnectWise takes cybersecurity seriously and we realize that rumored and confirmed security incidents create stress and concern for our partners. Our partners and vendors can use Security@ConnectWise.com to report suspected security incidents related to our products or to inquire about a potential security incident that is associated with a ConnectWise product.
As a reflection of our commitment to cybersecurity, ConnectWise recently passed an independent SOC 2 Type 2 audit for the benefit of all current and prospective Partners. ConnectWise regularly conducts penetration tests performed by both internal and external resources. We have implemented ethical hacker training and OWASP processes, and consistently run vulnerability assessments on our systems and products. In addition, we have implemented tools that automatically evaluate behavior to reduce misuse of our products, have started using machine learning to detect anomalous logins, are about to launch a bug bounty program, and have begun rolling out MFA and SSO across the platform.
Immediately after CRN published its articles on January 21, 2020, about the potential vulnerabilities in ConnectWise Control, we reached out to Huntress Labs to discuss their analysis and recommendations. Our conversation with Huntress Labs was collaborative and constructive, and they were receptive to our context regarding the reported issues.
We have also hired GuidePoint Security, LLC, an independent third-party cybersecurity solutions company to assess the findings from Bishop Fox and Huntress Labs as well as run their own independent vulnerability assessment. We look forward to sharing more information with you as we have it.
We believe that mitigating cybersecurity threats starts with understanding them. Please review the following FAQ about the security of ConnectWise Control in relation to the findings from Bishop Fox and Huntress Labs.
In late September, ConnectWise received notification from a company known as Bishop Fox, an organization that operates as a consultant in the security space, stating they had identified vulnerabilities in ConnectWise Control. We had several conversations with Bishop Fox and asked for further information to assist in replicating their findings and thus facilitate any necessary improvements to our product.
Bishop Fox could not provide additional information, as the attack chain for the exploits they outlined was conceptual. In addition, both Bishop Fox and ConnectWise agreed that no active exploits had occurred from these potential vulnerabilities.
ConnectWise takes the security of our products and our partners very seriously. We appreciated the insights, and based on their report we did our own internal research and evaluation and addressed the points they raised in their review. Out of an abundance of caution, we resolved 6 of the 8 items Bishop Fox listed in their report by October 2, 2019.
On January 21, 2020, ConnectWise again ran our own tests on 6 of the 8 items referenced in the Bishop Fox report and we can affirm that they are secure. Within the next two weeks we will resolve a seventh item that is much lower in risk. ConnectWise takes the stance that the final item identified by Bishop Fox does not pose a credible threat to users of the product.
ConnectWise looks at security as a dynamic threat and will continue to work to optimize security for our partners and community. We encourage partners and colleagues to contact us at Security@ConnectWise.com with any questions or to report any issues.
ConnectWise products are subject to multiple layers of security from design through testing and into operations. Product designs are aligned with security best practices and undergo security testing prior to release and regularly in production. In addition, ConnectWise developers complete security training on at least an annual basis.
Six of the eight issues outlined in the report from Bishop Fox have been remediated, as of October 2, 2019. Partners should always keep their applications up to date to receive new security patches and features.
In addition, Control supports multi-factor authentication on all internal users, and offers the ability to restrict or whitelist IPs, and further restrict access using user roles and permissions. Cloud instances are automatically secured with an SSL certificate and enabled with an HTTP-to-HTTPS redirect. In addition, Control admins have the option to enable ‘prompt for consent,’ which requires an end user to consent to connection.
ConnectWise is continually improving security communications. Most notably, ConnectWise has achieved SOC 2 Type 2 certification.
For this specific instance, we have hired GuidePoint Security, LLC, an independent third-party cybersecurity solutions company to assess the findings from Bishop Fox and Huntress Labs, as well as run their own independent vulnerability assessment.
Further information regarding the security of ConnectWise products may also be obtained here:
ConnectWise takes security very seriously. ConnectWise looks at security as a dynamic threat and will continue to work to optimize security for our partners and community. ConnectWise regularly conducts penetration tests that are performed by both internal and external ethical hackers and we run vulnerability assessments on our systems and products on a consistent basis.
We encourage partners and colleagues to contact us at Security@ConnectWise.com with any questions or to report any issues.
Control Cloud partners are automatically updated to the latest stable version of Control. We recommend that on-premises instances remain up to date on support and maintenance.
Six of the eight issues outlined in the report from Bishop Fox have been remediated, as of October 2, 2019.
On-premises partners can learn more about upgrading here:
Upgrade an On-Premises Installation of ConnectWise Control >>
Cloud partners can learn more here:
Upgrade A Cloud Instance of ConnectWise Control >>
ConnectWise previously remediated most of the items suggested by Bishop Fox. Within the next two weeks we will resolve one item that is much lower in risk. ConnectWise takes the stance that the final item identified by Bishop Fox does not pose a credible threat to users of the product.
The ConnectWise Control team investigates all potential security threats, regardless of severity. Issues that are low in priority sometimes are also low in effort to remediate and, in those cases, we may quickly release a fix.
The Bishop Fox attack-chain references a theoretical cloud-based execution.
The ConnectWise platform is an integral part of your operations and is a gateway to your clients’ sensitive business-critical data. Increasing our security measures and reducing vulnerabilities across the platform is a top priority for our entire organization to gain your confidence as your trusted vendor.
Your confidence in our ability to test and maintain a secure platform is essential to our partnership with you.
ConnectWise is routinely and thoroughly audited by independent third-party organizations and government agencies to ensure our products and practices comply with global and regional regulations and standards.
As a reflection of our commitment to cybersecurity, ConnectWise recently passed an independent SOC 2 Type 2 audit for the benefit of all current and prospective Partners.
The intent of the SOC 2 audit is to assess and address the risks associated with using an outsourced service like ConnectWise, allowing you, our users, to have trust and confidence in us and manage the risk associated with our products. The reports provide assurance of the design and operating effectiveness of our control environment as they are the result of comprehensive, independent audits.
The ConnectWise SOC 2 Type 2 reports cover the Security, Availability, and Confidentiality principles of the AICPA Trust Services Criteria (TSC) for ConnectWise Manage®, ConnectWise Automate®, ConnectWise Sell®, and ConnectWise Control®.
Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
Availability: Information and systems are available for operation and use to meet the entity’s objectives.
Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.
To request a copy of our SOC 2 report, send an email to email@example.com. Please indicate the relevant product(s) in your request.
You trust us with your data, and we’re committed to keeping it safe. ConnectWise adheres to strict industry privacy standards and complies with new privacy standards and mandates as they progress.