ScreenConnect Under Attack Following Disclosure of Critical Bugs
February 21, 2024
Technical details and proof-of-concept exploits for two vulnerabilities in ScreenConnect, the remote desktop and remote access software from ConnectWise, have been made public. The vulnerabilities, identified as CVE-2024-1708 and CVE-2024-1709, are an authentication bypass and a path traversal flaw respectively. They affect ScreenConnect servers running version 23.9.7 and earlier. ConnectWise has urged administrators to update their on-premises servers to version 23.9.8 to mitigate the risk, and has stated that instances hosted on screenconnect.com or hostedrmm.com are secure. Multiple ScreenConnect accounts have already been compromised in attacks exploiting these vulnerabilities.
Cybersecurity firm Huntress has analyzed the vulnerabilities and warned that building an exploit is relatively easy. As of Monday, more than 8,800 vulnerable ScreenConnect servers were exposed to the internet, according to the Censys platform. By the next day that number had dropped to around 3,800, according to The Shadowserver Foundation. The first working exploits appeared shortly after ConnectWise announced the vulnerabilities, and more continue to be published.
Huntress identified the two flaws by examining the code changes ConnectWise introduced with the patch. The first flaw, an authentication bypass, was spotted because the patch added a new check to a text file, which indicated that authentication had not been enforced on every access path. The gap allowed a user to reach the setup wizard even on an instance that had already been set up, and to create a new administrator account and take control of the ScreenConnect instance.
The second flaw, a path traversal bug, allows files outside the intended restricted directory to be read or modified. It was identified from code changes in the ScreenConnect.Core.dll file, which pointed to ZipSlip, a vulnerability class that arises when an application does not sanitize the path of each entry before extracting an archive, so that an entry containing traversal sequences can overwrite sensitive files. ConnectWise's update introduces stricter path validation when extracting ZIP file contents, so that nothing can be written outside the designated subdirectories within ScreenConnect's folder.
With administrative access gained through the authentication bypass, an attacker can read or manipulate the User.xml file and other sensitive files by crafting requests that include directory traversal sequences, and can upload a payload, such as a malicious script or executable, outside the ScreenConnect subdirectory.
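The ZipSlip class described above comes down to one missing check at extraction time. The following Python example is added here to illustrate the general defensive pattern; it is not code from ScreenConnect or from the ConnectWise patch. Each archive entry's destination is resolved against the extraction root, and any entry whose final path would land outside that root is refused rather than written. The archive, its entry names and the directory layout are constructed for the demonstration.

```python
import io
import shutil
import tempfile
import zipfile
from pathlib import Path


def is_within_directory(base: Path, target: Path) -> bool:
    """True if target, after resolving '..' segments and symlinks, is base itself
    or lies somewhere beneath it."""
    base = base.resolve()
    target = target.resolve()
    return target == base or base in target.parents


def safe_extract(zip_bytes: bytes, dest: Path) -> dict:
    """Extract an archive into dest, writing only entries whose final path stays
    under dest. Traversal attempts are recorded in 'rejected' and never touch disk.

    Returns {"extracted": [entry names], "rejected": [entry names]}.
    """
    dest = Path(dest).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    result = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # The ZIP format uses '/' as its separator; a backslash in an entry
            # name is a sign of tampering and would act as a separator on Windows.
            if "\\" in name:
                result["rejected"].append(name)
                continue
            # Join, then resolve: an absolute entry name replaces dest entirely
            # and '..' segments climb out of it. Both fail the containment check.
            target = dest / name
            if not is_within_directory(dest, target):
                result["rejected"].append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    shutil.copyfileobj(src, dst)
            result["extracted"].append(name)
    return result


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry plus two traversal attempts.
    The entry names are made up for this demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension/report.txt", "benign content")
        zf.writestr("../../Bin/evil.dll", "would land outside the extraction root")
        zf.writestr("/tmp/absolute.txt", "absolute entry name")
    return buf.getvalue()


def demo() -> tuple:
    """Extract the sample archive into a throwaway directory and return
    (result, content of the single file that should have been written)."""
    dest = Path(tempfile.mkdtemp())
    result = safe_extract(build_sample_zip(), dest)
    content = (dest / "extension" / "report.txt").read_text()
    shutil.rmtree(dest)
    return result, content


if __name__ == "__main__":
    print(demo())
```

Running the block extracts only `extension/report.txt` and lists the two traversal entries as rejected. The containment check is done on the fully resolved path rather than by looking for a literal `..` substring, which is the detail that matters: prefix checks on the raw entry name miss absolute names and symlinked directories, whereas comparing resolved paths catches every way an entry can escape the root.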
Huntress has shared indicators of compromise and detection guidance based on the artifacts left behind when these flaws are exploited. Administrators who have not yet applied the security update are strongly advised to run these detections and check for unauthorized access.