ScreenConnect Critical Bug Now Under Attack as Exploit Code Emerges

Technical details and proof-of-concept exploits are available for two vulnerabilities in ConnectWise ScreenConnect. A day after the vendor published the security issues, attackers started leveraging them in attacks.

CVE-2024-1708 and CVE-2024-1709 have been assigned as the identifiers to the the two security issues, which the vendor assessed as a maximum severity authentication bypass and a high-severity path traversal flaw that impact ScreenConnect servers 23.9.7 and earlier.

In an updated advisory released today, ConnectWise says threat actors have compromised multiple ScreenConnect accounts. Developing an exploit for the vulnerability is a trivial task according to security experts, and it is expected threat actors will continue to capitalize on the vulnerability as organizations work to patch.

Security Officer Comments:
Huntress has tested and validated a working PoC. The company notes that the Censys platform was showing more than 8,800 vulnerable ScreenConnect servers exposed. An assessment from The ShadowServer Foundation noted that yesterday the number was around 3,800. Exploits emerged quickly, soon after ConnectWise announced the two vulnerabilities. Huntress shared detailed analysis on how easy it is to exploit the vulnerabilities, in hopes that organizations would work faster to implement mitigations and remediation.

The flaw is the result of an authentication process that wasn’t secure against all access paths, including the setup wizard, SetupWizard[.]aspx. This allowed specially crafted requests that could allow users to use the setup wizard even when ScreenConnect had already been installed. An adversary could create a new administrator account and use it to take control of the ScreenConnect instance.

“Leveraging the path traversal bug is possible with the help of another specially crafted request that allows accessing or modifying files outside the intended restricted directory. The flaw was located by noticing code changes on the 'ScreenConnect.Core[.]dll' file, pointing to ZipSlip, a vulnerability that occurs when applications don't properly sanitize the file extraction path, which could result in overwriting sensitive files” (Bleeping Computer, 2024).

Updates from ConnectWise introduced stricter path validation when extracting ZIP file contents, specifically to prevent file writing outside designated subdirectories with the ScreenConnect folder. With administrative access from the previous exploit, it is possible to access or manipulate the User[.]xml file and other sensitive files by crafting requests that include directory traversal sequences to navigate the file system beyond the intended limits.

Lastly, attackers can use the exploit to upload a payload, which could be a malicious script or an executable file, outside the ScreenConnect subdirectory.

Suggested Corrections:
ConnectWise urged admins to update on-premise servers to version 23.9.8 immediately to mitigate the risk and clarified that those with instances on screenconnect[.]com cloud or hostedrmm[.]com have been secured.

Admins who haven't applied the security updates are strongly recommended to use the detections to check for unauthorized access.