CISA orders federal agencies to fix ConnectWise ScreenConnect bug in a week

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds ConnectWise ScreenConnect bug to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a ConnectWise ScreenConnect vulnerability, tracked as CVE-2024-1709, to its Known Exploited Vulnerabilities (KEV) catalog.

The vulnerability is an authentication bypass issue that an attacker with network access to the management interface can exploit to create a new, administrator-level account on affected devices.

The issues impact ScreenConnect 23.9.7 and prior; below is the remediation provided in the advisory:

Cloud

No action is needed by the partner: ScreenConnect servers hosted in the “screenconnect.com” cloud or on “hostedrmm.com” have been updated to remediate the issue.

On-premise

Partners that are self-hosted or on-premise need to update their servers to version 23.9.8 immediately to apply the patch.
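The advisory's two remediation paths reduce to an inventory question for defenders: which ScreenConnect instances are vendor-hosted (already patched) and which self-hosted instances still run 23.9.7 or earlier? The script below is an added illustration, not code from the article or from ConnectWise. It assumes version strings are dotted integers such as "23.9.7" or "23.9.7.1234" (the build component is ignored for the comparison), and the hostnames and versions in the sample inventory are constructed for the example.

```python
import re

# Thresholds taken from the advisory as quoted in the article:
# 23.9.7 and prior are affected, 23.9.8 is the fixed on-premise release.
LAST_VULNERABLE = (23, 9, 7)
FIXED_VERSION = (23, 9, 8)

# Vendor cloud domains named in the advisory; servers under these were patched by ConnectWise.
VENDOR_CLOUD_DOMAINS = ("screenconnect.com", "hostedrmm.com")


def parse_version(text):
    """Parse a dotted version string ("23.9.7" or "23.9.7.1234") into a tuple of ints."""
    match = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version):
    """True when major.minor.patch is 23.9.7 or lower; a trailing build number is ignored."""
    parts = (parse_version(version) + (0, 0, 0))[:3]  # pad short strings like "23.9"
    return parts <= LAST_VULNERABLE


def is_vendor_cloud(hostname):
    """True when the host is the vendor domain itself or a subdomain of it (suffix-safe check)."""
    host = hostname.strip().lower().rstrip(".")
    return any(host == domain or host.endswith("." + domain) for domain in VENDOR_CLOUD_DOMAINS)


def triage(inventory):
    """Map (hostname, version-or-None) pairs to a remediation status for each host."""
    fixed = ".".join(map(str, FIXED_VERSION))
    results = []
    for hostname, version in inventory:
        if is_vendor_cloud(hostname):
            status = "cloud-hosted: patched by vendor, no action"
        elif version is None:
            status = "unknown version: verify manually"
        elif is_vulnerable(version):
            status = f"VULNERABLE: update to {fixed} or later"
        else:
            status = "patched"
        results.append((hostname, status))
    return results


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("acme.screenconnect.com", "23.9.7.1234"),   # vendor cloud: already remediated
    ("rmm.corp.example", "23.9.7.1234"),         # self-hosted, still on 23.9.7
    ("rmm2.corp.example", "23.9.8"),             # self-hosted, patched
    ("legacy.corp.example", "22.5.1"),           # self-hosted, old release
    ("unknown.corp.example", None),              # version not yet collected
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:30} {status}")
```

Running the script prints one line per host; only the self-hosted entries at or below 23.9.7 are flagged, and the vendor-cloud host is reported as needing no action, mirroring the advisory's split.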

Cybersecurity researchers from Huntress published a technical analysis of the ConnectWise vulnerability. The security firm is aware that the issue is actively exploited in attacks in the wild; the experts also recreated the exploit and attack chain.

The researchers concluded that exploitation of this flaw is trivial and embarrassingly easy; for this reason, they argued, public details about the vulnerability should be withheld until the industry has had adequate time to patch, as it would be too dangerous for this information to be readily available to threat actors.

Below is a video PoC of the exploit created by Huntress researchers; it performs the simple authentication bypass and demonstrates how remote code execution can be achieved.

CISA is aware that this vulnerability is exploited in ransomware attacks; Sophos researchers also confirmed this.

“In the last 24 hours, we’ve observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 / CVE-2024-1709),” said Sophos. “Two things of interest here: first, as noted by others, the ScreenConnect vulnerabilities are being actively exploited in the wild. Second, despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running.”

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by February 29, 2024.

Pierluigi Paganini

(SecurityAffairs – Hacking, Known Exploited Vulnerabilities catalog)