Security bulletins

April 8, 2021 – ConnectWise Automate Improper Authentication

Vulnerability

CWE-287 - Improper Authentication

Severity

Critical - Vulnerabilities that could allow the ability to remotely execute code or directly access confidential data

Priority

1 - Vulnerabilities that are either being targeted or have higher risk of being targeted by exploits in the wild.  Recommend patching as soon as possible.

Remediation

CLOUD:

No action needed. Cloud instances have been remediated.

ON-PREMISE:

Apply the 2021.4 release.

Additional Info

https://home.connectwise.com/securityBulletin/606f62ef39917e00016f21cc

Software Updates

Latest Stable: https://university.connectwise.com/University/automateresources/productsandupdates.aspx


January 22, 2021 – ConnectWise Automate Multiple Security Fixes

Summary:

Vulnerability Details:

The 2021.1 release addresses multiple security issues.  Refer to the Additional Info link below for specifics.

Description:

Severity

Critical: Vulnerabilities that could allow the ability to execute remote code or directly access confidential data.

Priority

1 - Vulnerabilities that are either potentially being targeted or have higher risk of being targeted by exploits in the wild.  Recommend installing updates as emergency changes or as soon as possible (e.g. within days).

Remediation:

CLOUD:

No action needed. Cloud instances have been remediated.

ON-PREMISE:

Apply the 2021.1 release.

Additional Info

https://home.connectwise.com/securityBulletin/6009f05c2f4d2700015129d0

Software Updates

https://university.connectwise.com/University/automateresources/productsandupdates.aspx


December 16, 2020 - ConnectWise Control Host Header Injection

Summary:

Vulnerability Details:

CWE-20 - Improper Input Validation

Description:

Severity: Important

Vulnerabilities that could compromise confidential data or other processing resources but require additional access / privilege to do so.

Priority: 2

Vulnerabilities that have elevated risk but exploits are neither known nor anticipated to be imminent. Recommend updates within normal change management timelines but no longer than 30 days.

Remediation:

Fixes available in version 20.13

Partners currently using any version 2019.2 to 2020.12 are strongly encouraged to update their systems immediately to ensure that all known security vulnerabilities are patched.

CLOUD:

No action needed. Cloud instances have been remediated.

ON-PREMISE:

Please note there are some actions you need to take in order to apply this update:

To check if a new build has been released for your Control installation:

1. Navigate to your Administration/License page.

2. Expand the Version Check box.

3. If you are on 19.2 or a more recent version, you must install the latest build for your current version to receive the latest security updates.
   • If you are on 19.1 or an earlier version, your license is out of maintenance. You must upgrade your license before installing the latest supported release of Control.

4. Visit our Download page. Download the same major version as your current installation.

5. Follow these steps to upgrade: https://docs.connectwise.com/ConnectWise_Control_Documentation/On-premises/Get_started_with_ConnectWise_Control_On-Premise/Upgrade_an_on-premises_installation

Additional Info

https://home.connectwise.com/securityBulletin/5fd926ad6671e30001a9a7bb

Software Updates

Latest Stable: https://www.connectwise.com/platform/unified-management/control/download


October 31, 2020 - ConnectWise Security: Public Service Announcement

Summary:

Vulnerability Details:

In light of the upcoming elections and recent cyber-attacks on health care systems, there have been reported increases in cyber-attacks on MSPs, with attackers seeking to obtain MSP credentials to ConnectWise and competitive products by exploiting weaknesses in MSPs' security protocols and infrastructures.

We are aware of active threats using attack methods to compromise credentials and, as always, the safety and security of our partners is of the highest priority. We are issuing this public service announcement to encourage our partners, and all MSPs in our industry, to review their systems for the following to best ensure the security of their data and the data of their end customers:

General Security Best Practices

• Review the running processes on all Domain Controllers to ensure that no unexpected processes are running. Attackers are using PowerShell scripts on Domain Controllers with the flag "--hidden" in order to avoid detection by the MSP.

• Enable two-factor authentication (2FA/MFA) on all accounts, including email accounts.

• Check for the presence of the tools Cobalt Strike and Mimikatz. These tools are being utilized by ransomware actors to harvest credentials and gain persistence on a network.

• If unusual PowerShell activity has been observed or unexpected tools installed, it is critical that all user passwords are reset after the successful removal of the tools.

• If possible, block all traffic to pastebin.com as it is a known site for malware.

Select Security Best Practices & Tips for ConnectWise Products

• In addition to MFA, we recommend restricting access to admin pages by IP, employing complex passwords and changing them regularly, and conducting regular account audits.

• Block access to RDP and similar remote access services from the Internet.

• For our ConnectWise Control partners, regularly audit the Toolbox directory to ensure there are no unexpected files within "C:\Program Files (x86)\ScreenConnect\App_Data\Toolbox".

For more tips and specific guidance on security practices for MSPs, please visit the Security Journey on the ConnectWise University.

We strongly encourage our partners and all MSPs to review their security measures and implement the suggestions above. We also suggest that you regularly visit our Trust Site to stay current on the latest MSP security information.

Thank you for your time and attention to this important matter.

Stay safe,
ConnectWise InfoSec Team
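One way to carry out the Toolbox audit recommended above is to compare the directory against a recorded baseline of file hashes. This is an added example, not ConnectWise code; the baseline file name `toolbox_baseline.json` and the function names are assumptions, and the baseline must be recorded while the directory is in a known-good state.

```python
import hashlib
import json
import sys
from pathlib import Path

# Directory named in the bulletin; adjust if Control is installed elsewhere.
TOOLBOX = Path(r"C:\Program Files (x86)\ScreenConnect\App_Data\Toolbox")


def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def audit(baseline, current):
    """Diff two snapshots; anything under 'added' or 'changed' needs review."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "changed": sorted(n for n in shared if baseline[n] != current[n]),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def run(root, baseline_file):
    """First run records the approved baseline; later runs report drift."""
    baseline_file = Path(baseline_file)
    current = snapshot(root)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=2))
        return {"added": [], "changed": [], "removed": []}
    return audit(json.loads(baseline_file.read_text()), current)


if __name__ == "__main__":
    # Hypothetical baseline location; keep it outside the audited directory
    # and writable only by administrators.
    report = run(TOOLBOX, Path("toolbox_baseline.json"))
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["added"] or report["changed"] else 0)
```

The non-zero exit code on added or changed files lets a scheduled task raise an alert when the directory drifts from the approved set.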

Description:

Remediation:


August 20, 2020 - ConnectWise Control Improper Authentication

Summary:

Vulnerability Details:

Control: CWE-287 - Improper Authentication

Description:

Severity

Critical: Vulnerabilities that could allow the ability to execute remote code or directly access confidential data

Priority

1 - Vulnerabilities that have higher risk of being targeted in the wild. Recommend installing updates as emergency changes or as soon as possible (e.g. within days)

Remediation:

Fixes available for 19.2 and higher stable versions

Partners currently using any version prior to 2019.2 are strongly encouraged to update their systems immediately to ensure that all known security vulnerabilities are patched.

CLOUD:

No action needed. Cloud instances have been automatically updated.

ON-PREMISE:

For Control standalone partners, please note there are some actions you need to take in order to apply this update:

To check if a new build has been released for your Control installation:

  1. Navigate to your Administration/License page.
  2. Expand the Version Check box.
  3. If the Version Check displays a warning, verify that your current version is at least 19.2.
    • If you are on 19.2 or a more recent version, you must install the latest build for your current version to receive the latest security updates.
    • If you are on 19.1 or an earlier version, your license is out of maintenance. You must upgrade your license before installing the latest supported release of Control.
  4. Visit our Download page. Download the same major version as your current installation.
  5. Back up your installation and install the new build by following the on-premises upgrade instructions.

For Automate partners with the Control plugin, to check if a new build has been released for your Control installation visit: Upgrading ConnectWise Control via the Plugin.

Additional Info

ConnectWise Control Improper Authentication

Software Updates

Latest Stable: https://www.connectwise.com/software/control/download

V19.2 - v20.8: https://www.connectwise.com/software/control/download-archive


July 16, 2020 - ConnectWise Automate API Vulnerability

Summary:

A vulnerability exists in a ConnectWise Automate API that could potentially allow a remote user to execute arbitrary SQL statements against an individual Automate instance. This affects on-premise and cloud based versions of the product.

Vulnerability Details:

CVSS Score: 7.9

CWE: 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description:

Inadequate server-side validation within the probe implementation could potentially allow arbitrary statements to be executed.

Remediation:

CLOUD PARTNERS:

  • ConnectWise has applied the 2020.0.7.251 patch across all cloud partner environments.

ON-PREMISE PARTNERS:

  • On-premise partners should immediately apply the patches listed below, following the important pre and post patch instructions available in the ConnectWise University here. The download link is available in the instruction page.

ConnectWise Automate 2020.0.7.251

ConnectWise Automate 2019.0.12.342


July 16, 2020 - ConnectWise Authentication Bypass

Summary:

A vulnerability exists in a ConnectWise Automate API that could potentially allow a remote user to execute modifications within an individual Automate instance. This affects on-premise and cloud based versions of the product.

Vulnerability Details:

CVSS Score: 9.2

CWE: 693 – Protection Mechanism Failure

Description:

Inadequate validation of the computer password could potentially allow a remote user to bypass agent authentication in probe communication or agent registration. Subsequently, this could facilitate further exploitation should other vulnerabilities exist.

Remediation:

CLOUD PARTNERS:

  • ConnectWise has applied the 2020.0.7.251 patch across all cloud partner environments.

ON-PREMISE PARTNERS:

  • On-premise partners should immediately apply the patches listed below, following the important pre and post patch instructions available in the ConnectWise University here. The download link is available in the instruction page.

ConnectWise Automate 2020.0.7.251

ConnectWise Automate 2019.0.12.342


July 02, 2020 - ConnectWise Security Bulletin - ConnectWise Control Phishing Issue

Summary:

Several reports have been received that a number of partners have received phishing emails purporting to take the partner to a fake Control login page and asking for credentials.

Vulnerability Details:

CVSS Score: N/A

Description:

Phishing emails purporting to be ConnectWise Control have been sent to some partners in an attempt to spoof the Control login page and harvest user credentials.

Remediation:

This issue and a corresponding takedown request have been raised with Google, which is the hosting provider for the fake URL.

Workarounds and Mitigations:

Please validate the URL of any email received from a ConnectWise sender. Please do not click on any unknown links. Please report to your own internal IT/Security team if you have accessed a link similar to this and/or provided credentials.
The attached pictures below highlight what the phishing attempt looks like.

0702 Security Bulletin Control1.png

0702 Security Bulletin Control2.png

So far, we have verified three fake URLs that are the originating domains for the phishing mails, but we want to stress that there could be additional ones not yet reported:

ivkpkt.connectwises.org

74gb.connectwises.org

g0vd.connectwises.org

The phishing email link, if clicked, will take the user to the following fake URL:

cloud.screenconnecte.com/#/
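The URL validation advised above can be automated in a mail or proxy filter by flagging hosts whose labels are a near-miss of a trusted brand name. This is an added example, not ConnectWise code; `connectwise.com` is taken from this page's links, `screenconnect.com` is assumed to be the legitimate Control cloud domain, and the edit-distance threshold of 2 is an assumption that suits long brand names like these.

```python
from urllib.parse import urlsplit

# Domains treated as legitimate. connectwise.com appears in this page's links;
# screenconnect.com is an assumption for the Control cloud domain.
TRUSTED = ("connectwise.com", "screenconnect.com")


def edit_distance(a, b):
    """Levenshtein distance between two strings (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def hostname(link):
    """Lower-cased host of a full URL or of a bare 'host/path' string."""
    if "://" not in link:
        link = "//" + link.lstrip("/")   # make urlsplit parse it as a netloc
    return (urlsplit(link).hostname or "").rstrip(".").lower()


def classify(link, max_distance=2):
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown'."""
    host = hostname(link)
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "trusted"
    # Compare every label except the TLD with each trusted brand label, so a
    # near-miss is caught under any TLD and in any subdomain position.
    for label in host.split(".")[:-1]:
        for d in TRUSTED:
            if edit_distance(label, d.split(".")[0]) <= max_distance:
                return "lookalike:" + d
    return "unknown"


# Constructed sample: the hosts listed in the bulletin plus two controls.
SAMPLE_LINKS = [
    "https://home.connectwise.com/securityBulletin/",
    "ivkpkt.connectwises.org",
    "74gb.connectwises.org",
    "g0vd.connectwises.org",
    "cloud.screenconnecte.com/#/",
    "https://example.org/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify(link):32} {link}")
```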


June 22, 2020 - ConnectWise Security Bulletin - New Customer Portal

Summary:

ConnectWise is aware of a vulnerability in the New Customer Portal that could potentially allow a remote user to execute modifications within an individual environment. This issue was responsibly disclosed by trusted advisors. There have been no reports of exploitation.

Vulnerability Details:

CVSS Score: 8.4

Description:

A remote user could abuse the account registration process to impersonate a legitimate user and act with their assigned privileges.

Remediation:

ConnectWise has remediated the issue in all environments.

As an additional precaution, all ConnectWise SSO accounts will be required to re-validate their registered email addresses.


June 22, 2020 - ConnectWise Security Bulletin - New Customer Portal

Summary:

ConnectWise is aware of a vulnerability in the New Customer Portal that could potentially allow an authenticated user access to that individual Administrative portal tenant. This issue was discovered internally. There has been no indication of exploitation.

Vulnerability Details:

CVSS Score: 6.8

Description:

An authenticated user could potentially forge an authorization header required to access the Admin Portal, with the ability to modify the Customer Portal configuration settings as a Portal Administrator.

Remediation:

ConnectWise has remediated the issue in all environments.

No further action is required.


June 13, 2020 - UPDATE - ConnectWise Automate API Vulnerability

Summary:

This is an update to our previous message noting the hotfix application to address the security vulnerability issue that was communicated on June 12, 2020 and June 10, 2020. ConnectWise identified a need for additional hardening measures to be applied to the hotfixes and these new hotfixes are now available.

Vulnerability Details:

CVSS Score: 7.8

Description:

A remote authenticated user could exploit a vulnerability in a specific Automate API and execute commands and/or modifications within an individual Automate instance.

Remediation:

CLOUD PARTNERS:

  • ConnectWise re-applied mitigation steps related to deployment of agent installations to address additional hardening measures and we have applied the updated hotfix – 2020.5.178 – which includes the additional hardening measures.
  • With this hotfix, the mitigation that interrupted deployment features was removed.

ON-PREMISE PARTNERS:

  • On-premise partners should immediately apply the hotfix listed below based on their instance version.
    • 2020.5.178 is available here or the .exe file is here.
    • 2020.4.143 is available here or the .exe file is here.
    • 2020.3.114 is available here or the .exe file is here.
    • 2020.2.85 is available here or the .exe file is here.
    • 2020.1.53 is available here or the .exe file is here.
    • 2019.12.337 is available here or the .exe file is here.
  • 2019.11 or older partners, please ensure you have implemented the mitigation steps described here and we strongly encourage that you update to 2019.12 at a minimum.

June 12, 2020 - UPDATE - ConnectWise Automate API Vulnerability

Summary:

This is an update to our previous message noting the hotfix application to address the security vulnerability issue that was communicated on June 10, 2020. ConnectWise has identified a need for additional hardening measures to be applied to the hotfixes and is currently working to update the fixes accordingly. Updates are expected later today, but we recommend all Automate partners take the actions listed below.

Vulnerability Details:

CVSS Score: 7.8

Description:

A remote authenticated user could exploit a vulnerability in a specific Automate API and execute commands and/or modifications within an individual Automate instance.

Remediation:

CLOUD PARTNERS:

  • ConnectWise has re-applied mitigation steps related to deployment of agent installations to address additional hardening measures that will be applied later today via a new hotfix or patch for partners.

ON-PREMISE PARTNERS:

  • 2020.5-2020.1 Partners, please apply the currently available hotfix, linked below based on your version, and then re-implement the mitigation steps described here.
    • 2020.5.176 is available here or the .exe file is here.
    • 2020.4.142 is available here or the .exe file is here.
    • 2020.3.113 is available here or the .exe file is here.
    • 2020.2.84 is available here or the .exe file is here.
    • 2020.1.52 is available here or the .exe file is here.
  • 2019.12 and prior partners, please implement or ensure you have implemented the mitigation steps described here. A hotfix for current version 2019.12 and a patch for prior versions are being made available soon.

June 10, 2020 - ConnectWise Automate API Vulnerability

Summary:

ConnectWise is aware of a vulnerability in a ConnectWise Automate API that could potentially allow a remote user to execute modifications within an individual Automate instance. This affects on-premise and cloud based versions of the product.

Vulnerability Details:

CVSS Score: 7.8

Description:

A remote authenticated user could exploit a vulnerability in a specific Automate API and execute commands and/or modifications within an individual Automate instance.

Remediation:

CLOUD PARTNERS:

  • ConnectWise had applied mitigating controls to block any potential exploitation and has applied the hotfix across all environments as of 8:45 pm Eastern Time, June 10, 2020.

ON-PREMISE PARTNERS:

  • On-premise partners should immediately consider the mitigating controls detailed here.
  • Hotfix for version 2020.5 is available here and the .exe file is here.
  • Hotfix for version 2020.4 is available here and the .exe file is here.
  • Hotfix for version 2020.3 is available here and the .exe file is here.
  • Hotfix for version 2020.2 is available here and the .exe file is here.
  • Hotfix for version 2020.1 is available here and the .exe file is here.
  • Hotfixes for older versions will be available in the coming days.
  • On-going updates on these hotfixes are available here.