Critical ScreenConnect Flaw Under Active Exploitation

Attackers are actively exploiting the critical authentication bypass in the ConnectWise ScreenConnect software disclosed on Monday, and proof-of-concept exploit code for the flaw is now publicly available as well.

The flaw affects all versions of ScreenConnect below 23.9.8. Researchers who have analyzed it found that the bug is quite easy to exploit, and several research and incident response teams report confirmed exploitation of vulnerable instances. The Shadowserver Foundation has identified about 3,800 vulnerable instances of ScreenConnect exposed online.

ConnectWise issued an advisory for the authentication bypass vulnerability, along with a path traversal bug, on Monday, but it contained very little technical information, and, as it turns out, for good reason.

“There was not much information available as to what these vulnerabilities really consisted of, how they might be taken advantage of, or any other threat intelligence or indicators of compromise to hunt for. Once we recreated the exploit and attack chain, we came to the same conclusion: there should not be public details about the vulnerability until there had been adequate time for the industry to patch. It would be too dangerous for this information to be readily available to threat actors,” researchers from Huntress wrote in an analysis.

“The ‘exploit’ is trivial and embarrassingly easy.”

ScreenConnect is a remote desktop support and administration application used in a variety of scenarios in enterprises.

The Huntress analysis found that the issue is related to the way the setup wizard for ScreenConnect works. A quirk in the code allows users, or attackers, to reach the setup wizard under circumstances in which it should not be accessible.

“If the request path does not match ‘/SetupWizard.aspx,’ then the setup wizard will be allowed regardless of the setup state of the instance. This would normally not be exploitable, but .Net has weird functionality that allows URL path components after a mapped legitimate URL to be passed along to the application,” the Huntress analysis says.

“Putting this together, it means we can simply request ‘/SetupWizard.aspx/literallyanything’ and we should be allowed to access the setup wizard on already-configured ScreenConnect instances.”

The setup wizard creates the administrative user for the software and installs the license key. Because the initial admin user is created before the license is installed, an attacker who reaches the wizard can create that user and then execute arbitrary code.

“Once you have administrative access to a compromised instance, it is trivial to create and upload a malicious ScreenConnect extension to gain Remote Code Execution (RCE). This is not a vulnerability, but a feature of ScreenConnect, which allows an administrator to create extensions that execute .Net code as SYSTEM on the ScreenConnect server,” the analysis says.

ConnectWise updated its advisory on Tuesday to include confirmation of active exploitation, as well as three IP addresses known to have attempted to exploit vulnerable instances. Organizations running vulnerable on-premises instances should upgrade to the fixed version immediately.
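Two checks a defender would want from the details above: whether an on-premises instance still runs a version below the fixed 23.9.8 release, and whether its web logs show the setup wizard being reached through a trailing path component (the “/SetupWizard.aspx/anything” pattern Huntress describes) on an instance whose setup already completed. The script below is an added example, not code from ConnectWise, Huntress or the advisory; it assumes the instance is fronted by IIS and parses constructed W3C-style log lines (the IP addresses, timestamps and paths are made up for the example, not the indicators from the advisory).

```python
import re
from dataclasses import dataclass
from typing import List

# Fixed release named in the advisory: every version below this is affected.
FIXED_VERSION = (23, 9, 8)

# Constructed IIS W3C-style log excerpt (sample data, not real telemetry).
# Field order follows the #Fields header; assumption: ScreenConnect served via IIS.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-02-20 10:00:01 GET /Login.aspx - 198.51.100.7 200
2024-02-20 10:00:05 GET /SetupWizard.aspx/literallyanything - 203.0.113.9 200
2024-02-20 10:00:06 POST /SetupWizard.aspx/literallyanything - 203.0.113.9 200
2024-02-20 10:00:09 GET /SetupWizard.aspx - 203.0.113.9 200
2024-02-20 10:01:00 GET /Host - 198.51.100.7 200
"""


@dataclass
class Finding:
    line_no: int
    client_ip: str
    method: str
    path: str
    reason: str


def parse_version(version: str) -> tuple:
    """'23.9.7' -> (23, 9, 7); tuple comparison orders releases numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the ScreenConnect version is below 23.9.8."""
    return parse_version(version) < FIXED_VERSION


# Wizard page reached with an extra trailing path component (the bypass pattern).
BYPASS_PATH = re.compile(r"^/SetupWizard\.aspx/.+", re.IGNORECASE)
# Plain wizard page: unexpected on an instance that already finished setup.
WIZARD_PATH = re.compile(r"^/SetupWizard\.aspx/?$", re.IGNORECASE)


def parse_w3c(text: str):
    """Yield (line_no, {field: value}) for each data line of a W3C log."""
    fields = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        values = raw.split()
        if len(values) != len(fields):  # skip malformed lines rather than crash
            continue
        yield line_no, dict(zip(fields, values))


def triage(text: str, setup_complete: bool = True) -> List[Finding]:
    """Return suspicious setup-wizard requests found in the log text.

    setup_complete: whether this instance has already run its setup wizard.
    The trailing-path form is flagged regardless; a bare wizard request is
    flagged only when the instance is already configured.
    """
    findings: List[Finding] = []
    for line_no, rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if BYPASS_PATH.match(stem):
            reason = "setup wizard reached via trailing path component (auth bypass pattern)"
        elif setup_complete and WIZARD_PATH.match(stem):
            reason = "setup wizard requested on an already-configured instance"
        else:
            continue
        findings.append(Finding(line_no, rec["c-ip"], rec["cs-method"], stem, reason))
    return findings


def suspicious_ips(findings: List[Finding]) -> set:
    """Client addresses worth correlating with the advisory's published IPs."""
    return {f.client_ip for f in findings}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip} {f.method} {f.path} -> {f.reason}")
    print("version 23.9.7 vulnerable:", is_vulnerable_version("23.9.7"))
```

Run it against an exported IIS log for the ScreenConnect site and compare the returned client addresses with the three IPs ConnectWise published; any hit on the trailing-path pattern on a configured instance is a strong signal that the wizard was reached after setup, and the instance should be treated as compromised rather than merely unpatched.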
