Advisory: Critical Authentication Bypass in ScreenConnect (CVE-2024-1709 & CVE-2024-1708)
mnemonic has observed multiple instances of ScreenConnect being exploited to deploy ransomware

The vulnerabilities: CVE-2024-1709 & CVE-2024-1708
On February 19th, ConnectWise issued an advisory concerning its widely-used remote desktop solution, ScreenConnect. The platform is used to connect to remote systems to perform maintenance tasks and is widely used by service providers.
The advisory from ConnectWise offered minimal details, presumably due to the significant severity and potential ease of exploitation associated with the vulnerabilities addressed. The vulnerabilities were assigned the following CVE numbers:
- CVE-2024-1709: CVSS score of 10. This is an authentication bypass vulnerability. It can easily be exploited by browsing to the URL of a built-in Setup Wizard, followed by an arbitrary path. Clicking "Next" on the setup wizard provides the option to create a new Admin account. After gaining administrator access on the affected system, a malicious ScreenConnect extension can be uploaded to gain Remote Code Execution (RCE).
- CVE-2024-1708: CVSS score of 8.4. This is a path traversal vulnerability. It can be utilised to write files to a directory outside those intended by the software. This vulnerability requires administrative credentials to exploit. Admin access can be gained through the above authentication bypass vulnerability, however in that scenario Remote Code Execution is already possible without needing to exploit this path traversal vulnerability.
Threat Intelligence assessment
The vulnerabilities pose a high risk to organisations utilising ScreenConnect from ConnectWise due to how trivial the vulnerabilities are to exploit. Exploiting these vulnerabilities could allow threat actors to gain unauthorised access to corporate networks, compromising sensitive data and systems. Proof-of-concept exploit code is publicly available.
mnemonic has first-hand observations of these vulnerabilities being exploited in the wild with attempts to deploy ransomware.
Affected systems
ConnectWise has confirmed that all versions prior to 23.9.8 are affected.
The ScreenConnect application records incoming requests in IIS (Internet Information Server) logs. If the URI section of the log shows any request directed towards SetupWizard.aspx with a following slash (irrespective of the ending of the request URI), it signals potential exploitation and necessitates a forensic investigation.
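The following script is an added example written for this advisory; it is not code from mnemonic or ConnectWise. It parses IIS W3C-format log lines using the "#Fields:" header IIS writes at the top of each file and flags every entry whose cs-uri-stem contains SetupWizard.aspx followed by a slash, which is the indicator described above. The sample log is constructed, the field layout is assumed (a real file may carry more columns, which the header-driven parser handles), and the percent-decoding of the URI stem before matching is an added hardening of my own, not something the advisory states.

```python
"""Flag IIS W3C log entries that match the SetupWizard.aspx/ indicator.

Added example, not part of the mnemonic advisory or any ConnectWise tooling.
Indicator: a request URI stem containing 'SetupWizard.aspx' followed by a
slash, irrespective of what comes after it. Column layout is read from the
'#Fields:' header that IIS writes at the top of each log file.
"""
import re
from urllib.parse import unquote

# The advisory's indicator: SetupWizard.aspx immediately followed by '/'.
# Case-insensitive because IIS resolves paths case-insensitively.
SETUPWIZARD_PATTERN = re.compile(r"setupwizard\.aspx/", re.IGNORECASE)

# Constructed sample log in IIS W3C format (not real traffic). Two entries
# match the indicator; the bare /SetupWizard.aspx visit and /Login do not.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-02-22 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-02-22 08:00:01 10.0.0.5 GET /Login - 443 - 203.0.113.10 Mozilla/5.0 200
2024-02-22 08:00:02 10.0.0.5 GET /SetupWizard.aspx/ - 443 - 203.0.113.10 Mozilla/5.0 200
2024-02-22 08:00:03 10.0.0.5 POST /setupwizard.aspx/anything - 443 - 203.0.113.10 Mozilla/5.0 200
2024-02-22 08:00:04 10.0.0.5 GET /SetupWizard.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
"""


def parse_iis_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log entry appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            # Skip malformed lines (e.g. a truncated final write) rather than abort.
            continue
        yield dict(zip(fields, values))


def is_setupwizard_probe(uri_stem):
    """True if the URI stem matches the indicator.

    The stem is percent-decoded first (assumption: catches an encoded slash);
    a bare /SetupWizard.aspx with no trailing slash is not flagged.
    """
    return SETUPWIZARD_PATTERN.search(unquote(uri_stem)) is not None


def find_setupwizard_hits(text):
    """Return (timestamp, client ip, method, uri stem, status) per suspicious entry."""
    hits = []
    for entry in parse_iis_w3c(text):
        if is_setupwizard_probe(entry.get("cs-uri-stem", "")):
            hits.append((
                entry.get("date", "") + " " + entry.get("time", ""),
                entry.get("c-ip", ""),
                entry.get("cs-method", ""),
                entry.get("cs-uri-stem", ""),
                entry.get("sc-status", ""),
            ))
    return hits


if __name__ == "__main__":
    for hit in find_setupwizard_hits(SAMPLE_LOG):
        print("possible CVE-2024-1709 probe:", *hit)
```

Run it against a real file by replacing SAMPLE_LOG with the contents of the IIS log directory for the ScreenConnect site; any hit returned by find_setupwizard_hits is the trigger for the forensic investigation the advisory calls for, and the client IP and timestamp it returns are the starting point for that investigation.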
Timeline
- February 19th: ConnectWise released an advisory on CVE-2024-1709 and CVE-2024-1708, along with a patched version of ScreenConnect (23.9.8).
- February 20th: ConnectWise updated the advisory with some Indicators of Compromise (IOCs).
- February 21st: ConnectWise updated the advisory again and released an improved version of ScreenConnect (23.9.10).
- February 21st: CrowdStrike’s Falcon OverWatch detected multiple threat actors exploiting CVE-2024-1709 at various U.S. entities, performing both automated and manual operations, including reconnaissance, PowerShell file downloads, and creating new admin accounts for persistence.
- February 22nd: mnemonic SOC observed ransomware deployment via compromised ScreenConnect instances.
Recommendations
To mitigate the risks associated with CVE-2024-1709 and CVE-2024-1708, organisations are advised to take the following actions:
- For on-prem deployments, update to version 23.9.8 or newer of ScreenConnect. ConnectWise reports cloud deployments have been patched.
- Disconnect all internet exposed ScreenConnect hosts in your environment as soon as possible if immediate patching is not possible.
- Contact any third-party organisation which is allowed to connect to your organisation via ScreenConnect and make sure they are on top of the situation. Consider whether the connections can be blocked until you have a full overview of the situation.