Stay secure over the holidays with the ThreatLocker Lights-Out Checklist
Back to Blogs Back to Press Releases
ThreatLocker blog header image of Connectwise Screenconnect Vulnerability

More On ConnectWise ScreenConnect Vulnerability

Table of Contents

ConnectWise ScreenConnect Vulnerability Update

The vulnerability in ConnectWise ScreenConnect is now being actively exploited in the wild, with various proof-of-concept (PoC) exploits shared on GitHub. These exploits demonstrate how attackers can leverage the identified security flaws to gain unauthorized access to vulnerable systems, particularly through authentication bypass and path traversal vulnerabilities.

ConnectWise released a security update that addressed two critical security vulnerabilities in its ScreenConnect remote desktop and access software. These vulnerabilities pose significant risks, including the ability to execute remote code execution and unauthorized data access.

Authentication Bypass (CVE-2024-1709)

This vulnerability enables attackers to bypass authentication mechanisms, potentially allowing them to gain unauthorized access to confidential data or execute arbitrary code on vulnerable servers. Its critical severity stems from the potential for exploitation and its impact on affected systems.

Path Traversal (CVE-2024-1708)

The Path Traversal vulnerability involves improper limitation of a pathname to a restricted directory, known as "path traversal." Attackers with elevated privileges can exploit this flaw to access files and directories beyond the intended directory structure, risking unauthorized disclosure of sensitive information or further system compromise.

Check out our previous blog post on the ConnectWise ScreenConnect Vulnerability Report for more information on this type of attack.

Attack-In-Depth

Accessing the Setup Wizard

Upon successful exploitation, the attacker gains access to the Setup Wizard functionality within ConnectWise ScreenConnect. This allows them to input new credentials, potentially granting them unauthorized access to the system.

Exploiting Extension ZipSlip Vulnerability

Due to a ZipSlip vulnerability in how ScreenConnect opens zip files containing extensions, an attacker can hide C# executable code within the zip that will be run by the server itself. Since the ScreenConnect server is normally run with 'NT Authority\SYSTEM', this would give any attacker the highest level of privileges on any system that this exploit can work on.

Accessibility

Proofs of concept for the exploit are already available in the wild. There is even a Metasploit module being developed that only requires the URL to the ScreenConnect server to run. With Metasploit being one of the easiest ways for new hackers to break into systems, this means that a large scope of people can potentially exploit this system.

Impact and Risks

This exploit comes with critical impact and risk. At best, the low-complexity attack can provide an attacker with an admin user on ScreenConnect. At worst, it can give them complete control over the server.

POC

The ThreatLocker Ops team has replicated this attack.

ConnectWise ScreenConnect Vulnerability Update

Disclaimer: This module is not yet officially posted to Metasploit it is still pending deployment on github.

Demonstration Timestamps:

0:00:05 – Lunching Metasploit (msfconsole)

0:00:20 – Selecting Module

0:00:22 – Enumerating Options to set up exploit

0:00:35 – Finished Configurating payload options

0:00:37 – Running a Vulnerability Check

0:00:56 - Executing Payload

0:01:08 – Running “whoami” command to show proof-of-concept

00:01:23 - ThreatLocker Ops Alert Triggered

How ThreatLocker Keeps You Safe

ThreatLocker Ops

We have leveraged the power of Threatlocker Ops to automatically alert our customers if there are any signs of compromise in their environments. If you are using ThreatLocker Ops, you can add the Policy titled “TL.AAL.005 - ScreenConnect Authentication Bypass“ from the Community Page.

Allowlisting

Allowlisting ensures that only approved binaries can run on the system, enforcing a zero trust approach. This measure automatically prevents unauthorized execution of malicious code, enhancing environment security.

Take control of your organization's security

Request your 30-day trial to the entire ThreatLocker platform today.

Try ThreatLocker