// Overview 

On February 19th, 2024, ConnectWise released a security advisory for its remote monitoring and management (RMM) software. The advisory highlighted two vulnerabilities that impact older versions of  ScreenConnect and have been mitigated in version 23.9.8 and later.

• CVE-2024-1709 (CWE-288)— Authentication Bypass Using Alternate Path or Channel
  • Base CVSS score of 10 (Critical)
• CVE-2024-1708 (CWE-22)— Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
  • Base score of 8.4 (High Priority)

Cloud hosted implementations of ScreenConnect, including screenconnect.com and hostedrmm.com, have already received updates to address these vulnerabilities. Self-hosted (on-premise) instances remain at risk until they are manually upgraded. The ShadowServer project has identified over 3800 vulnerable instances of ScreenConnect or approximately 93 percent of the internet exposed install base.

On February 21st, security researchers at watchTowr Labs released a proof of concept (PoC) on GitHub that exploits these vulnerabilities and adds a new user to the compromised system. ConnectWise has also updated their initial report to include observed active exploitation in the wild of these vulnerabilities.

 // What Amaru MDR (Managed Detection Response) is doing 

Amaru MDR is actively tracking the ongoing developments with these ScreenConnect vulnerabilities and their exploitation. The following MDR detection rules were previously implemented to identify malicious abuse of ScreenConnect:

• WIN-EXE-PRC-SCREENCONNECT-COMMAND-EXECUTION-1
• WIN-EXE-PRC-SCREENCONNECT-REMOTE-FILE-EXECUTION-1
• WIN-EXE-PRC-SCREENCONNECT-RUNFILE-EXECUTION-1

We are continuing to ensure detection coverage, initiating an enterprise-wide threat hunt, and our MDR analysts will promptly reach out if any activity is observed. Additionally, Amaru has deployed the following prevention rule, ATK/SCBypass-A, and is testing a similar network-based (IPS) detection rule.

 // What you should do

• Confirm whether you have an on-premise deployment of ScreenConnect
  • If an on-premise version is present in your environment and is not on 23.9.8 or later, proceed to upgrade to the newest version
  • If an on-premise version is present in your environment and already on 23.9.8 or later, you are not at risk and no further action is necessary
• If not on-premise and cloud hosted, you are not at risk and no further actions are necessary
• If your deployment is managed by a 3rd party vendor, confirm with them they have upgraded their instance to 23.9.8 or later

// References 

Vendor Sources

• https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8

Government Sources

• https://nvd.nist.gov/vuln/detail/CVE-2024-1708
• https://nvd.nist.gov/vuln/detail/CVE-2024-1709

Third Party Sources

• https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc
• https://twitter.com/Shadowserver/status/1760229390082847029