VULNERA Pulse

ConnectWise — ScreenConnect

CVE-2024-1709 / Added: Feb. 22, 2024

CRITICAL CVSS 10.00 EPSS Score 93.46 EPSS Percentile 99.02

ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, administrator-level account on affected devices.

Headlines

• Feb. 23, 2024 - ConnectWise ScreenConnect Mass Exploitation Delivers Ransomware
• Feb. 23, 2024 - ConnectWise ScreenConnect attacks deliver malware
• Feb. 23, 2024 - CISA orders to fix ConnectWise ScreenConnect bug in a week
• Feb. 22, 2024 - ScreenConnect servers hacked in LockBit ransomware attacks
• Feb. 22, 2024 - New ScreenConnect RCE flaw exploited in ransomware attacks
• Feb. 22, 2024 - Multiple Vulnerabilities in ConnectWise ScreenConnect Could Allow for Remote Code Execution
• Feb. 22, 2024 - Attackers exploiting ConnectWise ScreenConnect flaws, fixes available for all users (CVE-2024-1709, CVE-2024-1708)
• Feb. 22, 2024 - Ransomware Warning as CVSS 10.0 ScreenConnect Bug is Exploited
• Feb. 22, 2024 - CVE-2024-1709 & 1708: ScreenConnect Vulnerabilities Under Active Attack
• Feb. 22, 2024 - ConnectWise patches critical ScreenConnect vulnerability
• Feb. 21, 2024 - ScreenConnect critical bug now under attack as exploit code emerges

Back to top ↑

CVE-2024-1709

CRITICAL CVSS 10.00 EPSS Score 93.46 EPSS Percentile 99.02

CISA Known Exploited Actively Exploited Remote Code Execution

Published: Feb. 21, 2024

ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.

Vendor Impacted: Connectwise

Product Impacted: Screenconnect

Quotes

• The ‘exploit’ is trivial and embarrassingly easy
• Upwards of ten thousand servers that control hundreds of thousands of endpoints
• Partners that are self-hosted or on-premises need to update their servers to version 23.9.8 immediately to apply a patch
• Allows an attacker to create their own administrative user on the ScreenConnect server, giving them full control over the server
• Critical—Vulnerabilities that could allow the ability to execute remote code or directly impact confidential data or critical systems
• In the last 24 hours, we’ve observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 / CVE-2024-1709)
• In the last 24 hours, we've observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 / CVE-2024-1709)
• On February 22, 2024, Sophos X-Ops reported through our social media handle that despite the recent law enforcement activity against the LockBit threat actor group we had observed several attacks over the preceding 24 hours that appeared to be carried out with LockBit ransomware, built using a leaked malware builder tool

Headlines

• Feb. 23, 2024 - ConnectWise ScreenConnect Mass Exploitation Delivers Ransomware
• Feb. 23, 2024 - ConnectWise ScreenConnect attacks deliver malware
• Feb. 23, 2024 - CISA orders to fix ConnectWise ScreenConnect bug in a week
• Feb. 22, 2024 - ScreenConnect servers hacked in LockBit ransomware attacks
• Feb. 22, 2024 - New ScreenConnect RCE flaw exploited in ransomware attacks
• Feb. 22, 2024 - Multiple Vulnerabilities in ConnectWise ScreenConnect Could Allow for Remote Code Execution
• Feb. 22, 2024 - Attackers exploiting ConnectWise ScreenConnect flaws, fixes available for all users (CVE-2024-1709, CVE-2024-1708)
• Feb. 22, 2024 - Ransomware Warning as CVSS 10.0 ScreenConnect Bug is Exploited
• Feb. 22, 2024 - CVE-2024-1709 & 1708: ScreenConnect Vulnerabilities Under Active Attack
• Feb. 22, 2024 - ConnectWise patches critical ScreenConnect vulnerability
• Feb. 21, 2024 - ScreenConnect critical bug now under attack as exploit code emerges

CVE-2023-3824

CRITICAL CVSS 9.80 EPSS Score 0.08 EPSS Percentile 33.54

Actively Exploited Remote Code Execution Used In Ransomware

Published: Aug. 11, 2023

In PHP version 8.0.* before 8.0.30,  8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE. 

Vendors Impacted: Php, Fedoraproject, Debian

Products Impacted: Php, Fedora, Debian Linux

Quotes

• Our work does not stop here
• It's likely too early to say
• Lockbitsupp [sic] and its flawed infrastructure
• The site is now under the control of law enforcement
• You can thank Lockbitsupp and their flawed infrastructure for this situation … we may be in touch with you very soon
• We can confirm that LockBit’s services have been disrupted as a result of International Law Enforcement action — this is an ongoing and developing operation
• This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’
• And froze 200 cryptocurrency accounts linked to LockBit and its affiliates. LockBit’s bespoke data exfiltration tool, known as Stealbit, was also seized. Security researchers Vx-underground also claimed that at least 22 Tor sites associated with LockBit had been seized and/or taken down by law enforcement. In addition, two LockBit actors have been arrested in Poland and Ukraine at the request of the French judicial authorities. Three international arrest warrants and five indictments have also been issued by the French and US judicial authorities. 🔒 Operation Cronos 🔒- 34 servers seized.- 2 LockBit actors arrested.- 3 arrest warrants issued.- 5 indictments issued.- 200 cryptocurrency accounts frozen.- 14,000

Headlines

• Feb. 22, 2024 - Hubris May Have Contributed to Downfall of Ransomware Kingpin LockBit
• Feb. 21, 2024 - LockBit: Lessons learned on winning the war on cybercrime
• Feb. 20, 2024 - Police turn LockBit ops site against them
• Feb. 20, 2024 - LockBit Ransomware Takedown: What You Need to Know about Operation Cro
• Feb. 20, 2024 - Global Law Enforcement Disrupts LockBit Ransomware Gang
• Feb. 20, 2024 - Law Enforcement Hacks LockBit Ransomware, Delivers Major Blow to Operation
• Feb. 20, 2024 - LockBit disrupted by international law enforcement task force
• Feb. 20, 2024 - Lockbit Infrastructure Disrupted by Global Law Enforcers
• Feb. 20, 2024 - LockBit Ransomware's Darknet Domains Seized in Global Law Enforcement Raid

CVE-2024-22245

CRITICAL CVSS 9.60 EPSS Score 0.04 EPSS Percentile 6.82

Risk Context N/A

Published: Feb. 20, 2024

Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) could allow a malicious actor that could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).

Quotes

• To relay Kerberos service tickets and seize control of privileged EAP sessions
• Local users to request Kerberos tickets from other users during authentication to the VMware vSphere web console
• Closes important gaps from functional perspective, by finally providing the capability to convert KVM-based workloads
• Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) were responsibly reported to VMware
• A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs)

Headlines

• Feb. 21, 2024 - Critical Vulnerability in VMware vSphere Plug-in Allows Session Hijacking
• Feb. 21, 2024 - VMware pushes admins to uninstall vulnerable, deprecated vSphere plugin (CVE-2024-22245, CVE-2024-22250)
• Feb. 21, 2024 - Critical flaw found in deprecated VMware EAP. Uninstall it now
• Feb. 21, 2024 - VMware Alert: Uninstall EAP Now - Critical Flaw Puts Active Directory at Risk
• Feb. 21, 2024 - CVE-2024-22245 & 22250: VMware Vulnerabilities Demand Immediate Action
• Feb. 21, 2024 - VMware client plug-in has critical vulnerability
• Feb. 21, 2024 - VMware takes a swing at Nutanix, Red Hat with VM converter
• Feb. 20, 2024 - VMware urges admins to remove deprecated, vulnerable auth plug-in

CVE-2021-25646

HIGH CVSS 8.80 EPSS Score 97.30 EPSS Percentile 99.85

Actively Exploited Remote Code Execution Public Exploits Available

Published: Jan. 29, 2021

Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.

Vendor Impacted: Apache

Product Impacted: Druid

Quotes

• Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms

Headlines

• Feb. 22, 2024 - Lucifer Botnet Exploits Apache Hadoop & Druid (CVE-2021-25646) for Cryptomining
• Feb. 21, 2024 - 'Lucifer' Botnet Turns Up the Heat on Apache Hadoop Servers

CVE-2024-1708

HIGH CVSS 8.40 EPSS Score 0.05 EPSS Percentile 15.81

Risk Context N/A

Published: Feb. 21, 2024

ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.

Vendor Impacted: Connectwise

Product Impacted: Screenconnect

Quotes

• The ‘exploit’ is trivial and embarrassingly easy
• Upwards of ten thousand servers that control hundreds of thousands of endpoints
• Partners that are self-hosted or on-premises need to update their servers to version 23.9.8 immediately to apply a patch
• Allows an attacker to create their own administrative user on the ScreenConnect server, giving them full control over the server
• In the last 24 hours, we’ve observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 / CVE-2024-1709)
• In the last 24 hours, we've observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 / CVE-2024-1709)
• On February 22, 2024, Sophos X-Ops reported through our social media handle that despite the recent law enforcement activity against the LockBit threat actor group we had observed several attacks over the preceding 24 hours that appeared to be carried out with LockBit ransomware, built using a leaked malware builder tool

Headlines

• Feb. 23, 2024 - ConnectWise ScreenConnect Mass Exploitation Delivers Ransomware
• Feb. 23, 2024 - CISA orders to fix ConnectWise ScreenConnect bug in a week
• Feb. 22, 2024 - New ScreenConnect RCE flaw exploited in ransomware attacks
• Feb. 22, 2024 - ScreenConnect servers hacked in LockBit ransomware attacks
• Feb. 22, 2024 - Attackers exploiting ConnectWise ScreenConnect flaws, fixes available for all users (CVE-2024-1709, CVE-2024-1708)
• Feb. 22, 2024 - Ransomware Warning as CVSS 10.0 ScreenConnect Bug is Exploited
• Feb. 22, 2024 - ConnectWise patches critical ScreenConnect vulnerability
• Feb. 21, 2024 - ScreenConnect critical bug now under attack as exploit code emerges

CVE-2024-22250

HIGH CVSS 7.80 EPSS Score 0.04 EPSS Percentile 6.82

Risk Context N/A

Published: Feb. 20, 2024

Session Hijack vulnerability in Deprecated VMware Enhanced Authentication Plug-in could allow a malicious actor with unprivileged local access to a windows operating system can hijack a privileged EAP session when initiated by a privileged domain user on the same system.

Quotes

• To relay Kerberos service tickets and seize control of privileged EAP sessions
• Local users to request Kerberos tickets from other users during authentication to the VMware vSphere web console
• Closes important gaps from functional perspective, by finally providing the capability to convert KVM-based workloads
• Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) were responsibly reported to VMware
• A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs)

Headlines

• Feb. 21, 2024 - Critical Vulnerability in VMware vSphere Plug-in Allows Session Hijacking
• Feb. 21, 2024 - VMware pushes admins to uninstall vulnerable, deprecated vSphere plugin (CVE-2024-22245, CVE-2024-22250)
• Feb. 21, 2024 - Critical flaw found in deprecated VMware EAP. Uninstall it now
• Feb. 21, 2024 - VMware Alert: Uninstall EAP Now - Critical Flaw Puts Active Directory at Risk
• Feb. 21, 2024 - CVE-2024-22245 & 22250: VMware Vulnerabilities Demand Immediate Action
• Feb. 21, 2024 - VMware client plug-in has critical vulnerability
• Feb. 21, 2024 - VMware takes a swing at Nutanix, Red Hat with VM converter
• Feb. 20, 2024 - VMware urges admins to remove deprecated, vulnerable auth plug-in

CVE-2023-50387

HIGH CVSS 7.50 EPSS Score 3.81 EPSS Percentile 91.59

Actively Exploited Remote Code Execution Public Exploits Available

Published: Feb. 14, 2024

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

Vendors Impacted: Powerdns, Microsoft, Thekelleys, Nlnetlabs, Nic, Isc, Fedoraproject, Redhat

Products Impacted: Fedora, Knot Resolver, Bind, Enterprise Linux, Windows Server 2008, Windows Server 2016, Windows Server 2022 23h2, Windows Server 2022, Windows Server 2012, Unbound, Dnsmasq, Recursor, Windows Server 2019

Quotes

• The worst attack on DNS ever discovered
• Exploitation of this attack would have severe consequences for any application using the Internet, including unavailability of technologies such as web-browsing, e-mail, and instant messaging
• The researchers worked with all relevant vendors and major public DNS providers over several months, resulting in a number of vendor-specific patches, the last ones published on Tuesday, Feb. 13

Headlines

• Feb. 20, 2024 - 'KeyTrap' DNS Bug Threatens Widespread Internet Outages
• Feb. 19, 2024 - "KeyTrap" (CVE-2023-50387) Flaw Leaves DNS Systems Vulnerable, PoC Published
• Feb. 19, 2024 - KeyTrap attack can take out a DNS server
• Feb. 17, 2024 - KeyTrap attack: Internet access disrupted with one DNS packet

CVE-2024-23204

HIGH CVSS 7.50 EPSS Score 0.07 EPSS Percentile 28.25

Remote Code Execution

Published: Jan. 23, 2024

The issue was addressed with additional permissions checks. This issue is fixed in macOS Sonoma 14.3, watchOS 10.3, iOS 17.3 and iPadOS 17.3. A shortcut may be able to use sensitive data with certain actions without prompting the user.

Vendor Impacted: Apple

Products Impacted: Ipados, Macos, Iphone Os, Watchos

Quotes

• A shortcut may be able to use sensitive data with certain actions without prompting the user
• With Shortcuts being a widely used feature for efficient task management, the vulnerability raises concerns about the inadvertent dissemination of malicious shortcuts through diverse sharing platforms

Headlines

• Feb. 23, 2024 - Researchers Detail Apple's Recent Zero-Click Shortcuts Vulnerability
• Feb. 23, 2024 - Apple Shortcuts Vulnerability (CVE-2024-23204): Technical Analysis and Mitigation
• Feb. 22, 2024 - Zero-Click Apple Shortcuts Vulnerability Allows Silent Data Theft