{"id":417,"date":"2024-04-17T21:12:52","date_gmt":"2024-04-17T21:12:52","guid":{"rendered":"https:\/\/amaru.co.nz\/fj\/?post_type=threat-intelligence&#038;p=417"},"modified":"2024-04-23T16:18:57","modified_gmt":"2024-04-23T16:18:57","slug":"security-advisory-critical-vulnerability-being-exploited-in-screenconnect","status":"publish","type":"threat-intelligence","link":"https:\/\/amaru.co.nz\/fj\/blog\/threat-intelligence\/security-advisory-critical-vulnerability-being-exploited-in-screenconnect\/","title":{"rendered":"[Security Advisory]\u202f Critical Vulnerability Being Exploited In ScreenConnect"},"content":{"rendered":"<p><strong>\/\/ Overview\u202f<\/strong><\/p>\n<p>On February 19th, 2024, ConnectWise released a security advisory for its remote monitoring and management (RMM) software. The advisory highlighted two vulnerabilities that impact older versions of \u00a0ScreenConnect and have been\u00a0<strong>mitigated in version 23.9.8 and later<\/strong>.<\/p>\n<ul data-ogsc=\"rgb(65, 65, 65)\" data-ogsb=\"rgb(255, 255, 255)\">\n<li><strong>CVE-2024-1709 (CWE-288)<\/strong>\u2014 Authentication Bypass Using Alternate Path or Channel\n<ul>\n<li>Base CVSS score of 10 (Critical)<\/li>\n<\/ul>\n<\/li>\n<li><strong>CVE-2024-1708 (CWE-22)<\/strong>\u2014 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)\n<ul>\n<li>Base score of 8.4 (High Priority)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Cloud hosted implementations of ScreenConnect, including screenconnect.com and hostedrmm.com, have already received updates to address these vulnerabilities. Self-hosted (on-premise) instances remain at risk until they are manually upgraded. The ShadowServer project has identified over 3800 vulnerable instances of ScreenConnect or approximately 93 percent of the internet exposed install base.<\/p>\n<p>On February 21st, security researchers at watchTowr Labs released a proof of concept (PoC) on GitHub that exploits these vulnerabilities and adds a new user to the compromised system. ConnectWise has also updated their initial report to include observed active exploitation in the wild of these vulnerabilities.<\/p>\n<p><strong>\u202f\/\/ What Amaru MDR (Managed Detection Response) is doing\u202f<\/strong><\/p>\n<p>Amaru MDR is actively tracking the ongoing developments with these ScreenConnect vulnerabilities and their exploitation. The following MDR detection rules were previously implemented to identify malicious abuse of ScreenConnect:<\/p>\n<ul data-ogsc=\"rgb(65, 65, 65)\" data-ogsb=\"rgb(255, 255, 255)\">\n<li>WIN-EXE-PRC-SCREENCONNECT-COMMAND-EXECUTION-1<\/li>\n<li>WIN-EXE-PRC-SCREENCONNECT-REMOTE-FILE-EXECUTION-1<\/li>\n<li>WIN-EXE-PRC-SCREENCONNECT-RUNFILE-EXECUTION-1<\/li>\n<\/ul>\n<p>We are continuing to ensure detection coverage, initiating an enterprise-wide threat hunt, and our MDR analysts will promptly reach out if any activity is observed. Additionally, Amaru has deployed the following prevention rule,\u00a0<strong>ATK\/SCBypass-A<\/strong>, and is testing a similar network-based (IPS) detection rule.<\/p>\n<p><strong>\u00a0\/\/ What you should do<\/strong><\/p>\n<ul data-ogsc=\"rgb(65, 65, 65)\" data-ogsb=\"rgb(255, 255, 255)\">\n<li>Confirm whether you have an on-premise deployment of ScreenConnect\n<ul>\n<li>If an on-premise version is present in your environment and is not on 23.9.8 or later, proceed to upgrade to the newest version<\/li>\n<li>If an on-premise version is present in your environment and already on 23.9.8 or later, you are not at risk and no further action is necessary<\/li>\n<\/ul>\n<\/li>\n<li>If not on-premise and cloud hosted, you are not at risk and no further actions are necessary<\/li>\n<li>If your deployment is managed by a 3rd party vendor, confirm with them they have upgraded their instance to 23.9.8 or later<\/li>\n<\/ul>\n<p><strong>\/\/ References\u202f<\/strong><\/p>\n<p>Vendor Sources<\/p>\n<ul data-ogsc=\"rgb(65, 65, 65)\" data-ogsb=\"rgb(255, 255, 255)\">\n<li><a title=\"https:\/\/vd5djq9e.r.us-west-2.awstrack.me\/L0\/https:%2F%2Fwww.connectwise.com%2Fcompany%2Ftrust%2Fsecurity-bulletins%2Fconnectwise-screenconnect-23.9.8\/1\/0101018dccedb5a0-05024a05-f6b8-4ca8-bec1-2880e4e63500-000000\/k5iA8_g7ODwU3m3tMPf8lI3-EKE=363\" href=\"https:\/\/vd5djq9e.r.us-west-2.awstrack.me\/L0\/https:%2F%2Fwww.connectwise.com%2Fcompany%2Ftrust%2Fsecurity-bulletins%2Fconnectwise-screenconnect-23.9.8\/1\/0101018dccedb5a0-05024a05-f6b8-4ca8-bec1-2880e4e63500-000000\/k5iA8_g7ODwU3m3tMPf8lI3-EKE=363\" data-ogsc=\"rgb(51, 123, 196)\" data-outlook-id=\"5a077563-2cd7-42c5-83a9-927632123f62\">https:\/\/www.connectwise.com\/company\/trust\/security-bulletins\/connectwise-screenconnect-23.9.8<\/a><\/li>\n<\/ul>\n<p>Government Sources<\/p>\n<ul data-ogsc=\"rgb(65, 65, 65)\" data-ogsb=\"rgb(255, 255, 255)\">\n<li><a title=\"https:\/\/vd5djq9e.r.us-west-2.awstrack.me\/L0\/https:%2F%2Fnvd.nist.gov%2Fvuln%2Fdetail%2FCVE-2024-1708\/1\/0101018dccedb5a0-05024a05-f6b8-4ca8-bec1-2880e4e63500-000000\/BAf5hrxPL2-cJ10_IdEK-gBAHAw=363\" href=\"https:\/\/vd5djq9e.r.us-west-2.awstrack.me\/L0\/https:%2F%2Fnvd.nist.gov%2Fvuln%2Fdetail%2FCVE-2024-1708\/1\/0101018dccedb5a0-05024a05-f6b8-4ca8-bec1-2880e4e63500-000000\/BAf5hrxPL2-cJ10_IdEK-gBAHAw=363\" data-ogsc=\"rgb(51, 123, 196)\" data-outlook-id=\"ca764f79-fc87-456f-983f-c5a6beb6b436\">https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-1708<\/a><\/li>\n<li><a title=\"https:\/\/vd5djq9e.r.us-west-2.awstrack.me\/L0\/https:%2F%2Fnvd.nist.gov%2Fvuln%2Fdetail%2FCVE-2024-1709\/1\/0101018dccedb5a0-05024a05-f6b8-4ca8-bec1-2880e4e63500-000000\/bKUhX4XHPm7Z3Lmz48p5_czTEE8=363\" href=\"https:\/\/vd5djq9e.r.us-west-2.awstrack.me\/L0\/https:%2F%2Fnvd.nist.gov%2Fvuln%2Fdetail%2FCVE-2024-1709\/1\/0101018dccedb5a0-05024a05-f6b8-4ca8-bec1-2880e4e63500-000000\/bKUhX4XHPm7Z3Lmz48p5_czTEE8=363\" data-ogsc=\"rgb(51, 123, 196)\" data-outlook-id=\"16aae9e4-df77-48f4-b286-437f31dd4c39\">https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-1709<\/a><\/li>\n<\/ul>\n<p>Third Party Sources<\/p>\n<ul data-ogsc=\"rgb(65, 65, 65)\" data-ogsb=\"rgb(255, 255, 255)\">\n<li><a title=\"https:\/\/vd5djq9e.r.us-west-2.awstrack.me\/L0\/https:%2F%2Fgithub.com%2Fwatchtowrlabs%2Fconnectwise-screenconnect_auth-bypass-add-user-poc\/1\/0101018dccedb5a0-05024a05-f6b8-4ca8-bec1-2880e4e63500-000000\/C5VUCfASAOED3xUjyc6nk4VD7rA=363\" href=\"https:\/\/vd5djq9e.r.us-west-2.awstrack.me\/L0\/https:%2F%2Fgithub.com%2Fwatchtowrlabs%2Fconnectwise-screenconnect_auth-bypass-add-user-poc\/1\/0101018dccedb5a0-05024a05-f6b8-4ca8-bec1-2880e4e63500-000000\/C5VUCfASAOED3xUjyc6nk4VD7rA=363\" data-ogsc=\"rgb(51, 123, 196)\" data-outlook-id=\"02699b11-789a-463f-b83a-26f2162486ad\">https:\/\/github.com\/watchtowrlabs\/connectwise-screenconnect_auth-bypass-add-user-poc<\/a><\/li>\n<li><a title=\"https:\/\/vd5djq9e.r.us-west-2.awstrack.me\/L0\/https:%2F%2Ftwitter.com%2FShadowserver%2Fstatus%2F1760229390082847029\/1\/0101018dccedb5a0-05024a05-f6b8-4ca8-bec1-2880e4e63500-000000\/Dej97gbFJQfWl7Pnv_W_dvjtVCs=363\" href=\"https:\/\/vd5djq9e.r.us-west-2.awstrack.me\/L0\/https:%2F%2Ftwitter.com%2FShadowserver%2Fstatus%2F1760229390082847029\/1\/0101018dccedb5a0-05024a05-f6b8-4ca8-bec1-2880e4e63500-000000\/Dej97gbFJQfWl7Pnv_W_dvjtVCs=363\" data-ogsc=\"rgb(51, 123, 196)\" data-outlook-id=\"d9b2820f-670c-4748-b2e6-5afddd8ee840\">https:\/\/twitter.com\/Shadowserver\/status\/1760229390082847029<\/a><\/li>\n<\/ul>\n","protected":false},"featured_media":837,"template":"","class_list":["post-417","threat-intelligence","type-threat-intelligence","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/amaru.co.nz\/fj\/wp-json\/wp\/v2\/threat-intelligence\/417","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/amaru.co.nz\/fj\/wp-json\/wp\/v2\/threat-intelligence"}],"about":[{"href":"https:\/\/amaru.co.nz\/fj\/wp-json\/wp\/v2\/types\/threat-intelligence"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/amaru.co.nz\/fj\/wp-json\/wp\/v2\/media\/837"}],"wp:attachment":[{"href":"https:\/\/amaru.co.nz\/fj\/wp-json\/wp\/v2\/media?parent=417"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}