
New ConnectWise ScreenConnect Vulnerabilities CVE-2024-1708 and CVE-2024-1709

Brandon Lee

Two recent vulnerabilities have been identified in ConnectWise ScreenConnect, a widely used remote desktop and access software essential for support operations: CVE-2024-1709 and CVE-2024-1708. The more critical of these, CVE-2024-1709, poses a significant risk to organizations by allowing unauthorized remote attackers to bypass authentication mechanisms, delete user databases, and assume admin control.

CVE-2024-1709 has been particularly alarming due to its exploitation in the wild, affecting ScreenConnect versions up to 23.9.7. Attackers have been exploiting this vulnerability to install ransomware, steal information, and deploy Cobalt Strike payloads, among other malicious activities. Over 3,000 instances vulnerable to this exploit have been identified online, signaling a widespread threat.

Conversely, CVE-2024-1708, while still concerning, primarily enables path traversal, granting attackers access to files and directories that should be off-limits.

In-Depth Look at CVE-2024-1709

Huntress, a cybersecurity firm in the U.S., has shed light on the CVE-2024-1709 vulnerability, underlining its severe impact. This vulnerability is exploited through a simple request to a specific path on affected ScreenConnect instances, granting unauthenticated access to the software's setup wizard. This access allows attackers to overwrite the internal user database, effectively erasing existing users and leaving only the attacker with administrative privileges. Furthermore, attackers can easily upload malicious extensions for complete remote code execution on the compromised instance.

Widespread Exploitation and Consequences

Proof of concept for exploiting CVE-2024-1709 has been publicly shared, demonstrating the ease with which new users can be added to compromised systems. Sophos, another cybersecurity entity, reported multiple instances of ransomware attacks utilizing this vulnerability, emphasizing the diversity of threats that have emerged as a result.

Protective Measures and Remediation

For detection, monitoring server logs for specific patterns and keeping an eye on certain directories for unauthorized payload storage is advised. ConnectWise has responded to these vulnerabilities by recommending immediate updates to ScreenConnect version 23.9.8 or later for on-premise users, providing additional protection against these exploits. The company has also made provisions for partners no longer under maintenance to update their systems at no extra cost, ensuring broader access to essential security updates.

Global Impact and Response

Statistics reveal a significant number of exposed ScreenConnect instances, primarily within the U.S., highlighting the urgency for protective actions against these vulnerabilities. ConnectWise's proactive measures, including the release of updates and additional mitigation steps for unpatched systems, underscore the critical need for immediate action to safeguard against these vulnerabilities.

Posted : 27/02/2024 4:46 pm
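
An added example, not part of the original post and not ConnectWise code: a small triage script that sorts an inventory of on-premise ScreenConnect servers by the version boundary the post gives (affected up to 23.9.7, fixed in 23.9.8 or later). The hostnames, build numbers and the `(host, version)` inventory format are constructed assumptions.

```python
import re

FIXED = (23, 9, 8)  # first fixed release named in the post


def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(version_text):
    """'vulnerable' below 23.9.8, 'patched' at or above it, 'unknown' if unparseable."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    # Compare major.minor.patch numerically (a string compare would rank
    # "23.10" below "23.9"); pad short versions and ignore a 4th build field.
    core = (version + (0, 0))[:3]
    return "vulnerable" if core < FIXED else "patched"


def triage(inventory):
    """Group hostnames by status; unknowns are kept so they get checked by hand."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version_text in inventory:
        report[classify(version_text)].append(host)
    return report


# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE = [
    ("sc-01.example.internal", "23.9.7.8804"),
    ("sc-02.example.internal", "23.9.8.8811"),
    ("sc-03.example.internal", "23.10.1"),
    ("sc-04.example.internal", "22.4"),
    ("sc-05.example.internal", "n/a"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` should be treated as unpatched until their version is confirmed.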