-
- Select Your Region
- Region Name 1
- Region Name 2
- Region Name 3
- Region Name 4
- Region Name 5
menu
- Business Management
- Unified Management
- Security Management
- Expert Services
Summary:
Vulnerability Details:
Control: CWE-287 - Improper Authentication
Description:
Severity
Critical: Vulnerabilities that could allow the ability to execute remote code or directly access confidential data
Priority
1 - Vulnerabilities that have higher risk of being targeted in the wild. Recommend installing updates as emergency changes or as soon as possible (e.g. within days)
Remediation:
Fixes available for 19.2 and higher stable versions
Partners currently using any version prior to 2019.2 are strongly encouraged to update their systems immediately to ensure that all known security vulnerabilities are patched.
CLOUD:
No action needed. Cloud instances have been automatically updated.
ON-PREMISE:
For Control standalone partners, please note there are some actions you need to take in order to apply this update:
To check if a new build has been released for your Control installation:
1. Navigate to your Administration/License page.
2. Expand the Version Check box.
3. If the Version Check displays a warning, verify that your current version is at least 19.2.
- If you are on 19.2 or a more recent version, you must install the latest build for your current version to receive the latest security updates.
- If you are on 19.1 or an earlier version, your license is out of maintenance. You must upgrade your license before installing the latest supported release of Control.
4. Visit our Download page. Download the same major version as your current installation.
5. Back up your installation and install the new build by following the on-premises upgrade instructions.
For Automate partners with the Control plugin, to check if a new build has been released for your Control installation visit: Upgrading ConnectWise Control via the Plugin.
Additional Info
ConnectWise Control Improper Authentication
Software Updates
Latest Stable: https://www.connectwise.com/software/control/download
V19.2 - v20.8: https://www.connectwise.com/software/control/download-archive
Summary:
A vulnerability exists in a ConnectWise Automate API that could potentially allow a remote user to execute arbitrary SQL statements against an individual Automate instance. This affects on-premise and cloud based versions of the product.
Vulnerability Details:
CVSS Score: 7.9
CWE: 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description:
Inadequate server-side validation within the probe implementation could potentially allow arbitrary statements to be executed.
Remediation:
CLOUD PARTNERS:
- ConnectWise has applied the 2020.0.7.251 patch across all cloud partner environments.
ON-PREMISE PARTNERS:
- On-premise partners should immediately apply the patches listed below, following the important pre and post patch instructions available in the ConnectWise University here. The download link is available in the instruction page.
ConnectWise Automate 2020.0.7.251
ConnectWise Automate 2019.0.12.342
Summary:
A vulnerability exists in a ConnectWise Automate API that could potentially allow a remote user to execute modifications within an individual Automate instance. This affects on-premise and cloud based versions of the product.
Vulnerability Details:
CVSS Score: 9.2
CWE: 693 – Protection Mechanism Failure
Description:
Inadequate validation of the computer password could potentially allow a remote user to bypass agent authentication in probe communication or agent registration. Subsequently, this could facilitate further exploitation should other vulnerabilities exist.
Remediation:
CLOUD PARTNERS:
- ConnectWise has applied the 2020.0.7.251 patch across all cloud partner environments.
ON-PREMISE PARTNERS:
- On-premise partners should immediately apply the patches listed below, following the important pre and post patch instructions available in the ConnectWise University here. The download link is available in the instruction page.
ConnectWise Automate 2020.0.7.251
ConnectWise Automate 2019.0.12.342
Summary:
Several reports have been received that a number of partners have received phishing emails purporting to take the partner to a fake Control login page and asking for credentials.
Vulnerability Details:
CVSS Score: N/A
Description:
Phishing emails purporting to be ConnectWise Control have been sent to some partners in an attempt to spoof the Control login page and harvest user credentials.
Remediation:
This issue and a corresponding takedown request have been raised with Google who is the hosting provider for the fake url.
Workarounds and Mitigations:
Please validate the URL of any email received from a ConnectWise sender. Please do not click on any unknown links. Please report to your own internal IT/Security team if you have accessed a link similar to this and/or provided credentials.
The attached pictures below highlight what the phishing attempt looks like.
So far, we have verified three fake urls that are the originating domain for the phishing mails but want to stress that there could be additional yet unreported:
ivkpkt.connectwises.org
74gb.connectwises.org
g0vd.connectwises.org
The phishing email link if clicked will take the user to the following fake url:
cloud.screenconnecte.com/#/
Summary:
ConnectWise is aware of a vulnerability in the New Customer Portal that could potentially allow a remote user to execute modifications within an individual environment. This issue was responsibly disclosed by trusted advisors. There have been no reports of exploitation.
Vulnerability Details:
CVSS Score: 8.4
Description:
A remote user could abuse the account registration process to impersonate a legitimate user and act with their assigned privileges.
Remediation:
Connectwise has remediated the issue in all environments.
As an additional precaution, all ConnectWise SSO accounts will be required to re-validate their registered email addresses.
Summary:
ConnectWise is aware of a vulnerability in the New Customer Portal that could potentially allow an authenticated user access to that individual Administrative portal tenant. This issue was discovered internally. There has been no indication of exploitation.
Vulnerability Details:
CVSS Score: 6.8
Description:
An authenticated user could potentially forge an authorization header required to access the Admin Portal with the ability to modify to the Customer Portal configuration settings as a Portal Administrator.
Remediation:
ConnectWise has remediated the issue in all environments.
No further action is required.
Summary:
This is an update to our previous message noting the hotfix application to address the security vulnerability issue that was communicated on June 12, 2020 and June 10, 2020. ConnectWise identified a need for additional hardening measures to be applied to the hotfixes and these new hotfixes are now available.
Vulnerability Details:
CVSS Score: 7.8
Description:
A remote authenticated user could exploit a vulnerability in a specific Automate API and execute commands and/or modifications within an individual Automate instance.
Remediation:
CLOUD PARTNERS:
- ConnectWise re-applied mitigation steps related to deployment of agent installations to address additional hardening measures and we have applied the updated hotfix – 2020.5.178 – which includes the additional hardening measures.
- With this hotfix, the mitigation that interrupted deployment features were removed.
ON-PREMISE PARTNERS:
- On-premise partners should immediately apply the hotfix listed below based on their instance version.
- 2020.5.178 is available here or the .exe file is here.
- 2020.4.143 is available here or the .exe file is here.
- 2020.3.114 is available here or the .exe file is here.
- 2020.2.85 is available here or the .exe file is here.
- 2020.1.53 is available here or the .exe file is here.
- 2019.12.337 is available here or the .exe file is here.
- 2019.11 or older partners, please ensure you have implemented the mitigation steps described here and we strongly encourage that you update to 2019.12 at a minimum.
Summary:
This is an update to our previous message noting the hotfix application to address the security vulnerability issue that was communicated on June 10, 2020. ConnectWise has identified a need for additional hardening measures to be applied to the hotfixes and are currently working to update the fixes accordingly. Updates are expected later today, but we recommend all Automate partners take the following actions listed below.
Vulnerability Details:
CVSS Score: 7.8
Description:
A remote authenticated user could exploit a vulnerability in a specific Automate API and execute commands and/or modifications within an individual Automate instance.
Remediation:
CLOUD PARTNERS:
- ConnectWise has re-applied mitigation steps related to deployment of agent installations to address additional hardening measures that will be applied later today via a new hotfix or patch for partners.
ON-PREMISE PARTNERS:
- 2020.5-2020.1 Partners, please apply the currently available hotfix, linked below based on your version, and then re-implement the mitigation steps described here.
- 2020.5.176 is available here or the .exe file is here.
- 2020.4.142 is available here or the .exe file is here.
- 2020.3.113 is available here or the .exe file is here.
- 2020.2.84 is available here or the .exe file is here.
- 2020.1.52 is available here or the .exe file is here.
- 2019.12 and prior partners, please implement or ensure you have implemented the mitigation steps described here. A hotfix for current version 2019.12 and a patch for prior versions is being made available soon.
Summary:
ConnectWise is aware of a vulnerability in a ConnectWise Automate API that could potentially allow a remote user to execute modifications within an individual Automate instance. This affects on-premise and cloud based versions of the product.
Vulnerability Details:
CVSS Score: 7.8
Description:
A remote authenticated user could exploit a vulnerability in a specific Automate API and execute commands and/or modifications within an individual Automate instance.
Remediation:
CLOUD PARTNERS:
- ConnectWise had applied mitigating controls to block any potential exploitation and has applied the hotfix across all environments as of 8:45 pm Eastern Time, June 10, 2020.
ON-PREMISE PARTNERS:
- On-premise partners should immediately consider the mitigating controls detailed here.
- Hotfix for version 2020.5 is available here and the .exe file is here.
- Hotfix for version 2020.4 is available here and the .exe file is here.
- Hotfix for version 2020.3 is available here and the .exe file is here.
- Hotfix for version 2020.2 is available here and the .exe file is here.
- Hotfix for version 2020.1 is available here and the .exe file is here.
- Hotfixes for older versions will be available in the coming days.
- On-going updates on these hotfixes are available here.
Summary:
ConnectWise is aware of a vulnerability in a ConnectWise Manage API that could allow a remote unauthenticated user to access information within ConnectWise Manage. This affects on premise and cloud based versions of the product.
Vulnerability Details:
CVSS Score: 5.3
Description:
A specifically crafted API query from an unauthenticated user could return internal configuration information. To use this information further, an authenticated session is required. There are no reports of this vulnerability being exploited in the partner community.
Remediation:
A patch to fix this issue is available in release 2020.2.72499.
