The Blue Report 2024
Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.
On the 19th of February, ConnectWise released a security fix highlighting that all on-premise versions of ScreenConnect prior to 23.9.8 contained two security vulnerabilities (identified as CVE-2024-1709 and CVE-2024-1708), recommending users to apply the patch without any delay. Under normal circumstances, such advisories might not trigger immediate concern. Yet, one of these vulnerabilities was assigned a CVSS rating of 10/10, indicating a critical severity. This rating suggests an urgency to address the issue, essentially advising users to prioritize patching as an immediate action.
This blog explains how the new ConnectWise ScreenConnect vulnerabilities and their exploitation attacks work, as well as how organizations can defend against possible CVE-2024-1709 and CVE-2024-1708 exploitation attacks.
Simulate Vulnerability Exploitation Threats with 14-Day Free Trial of Picus Platform
CVE-2024-1709: Authentication Bypass Vulnerability
The vulnerability identified as CVE-2024-1709 in ScreenConnect represents an intricate but direct misuse of the .NET framework's detailed processing of URLs, along with a lack of security measures in ScreenConnect's configuration and authentication mechanisms. Essentially, this flaw exploits a gap in the way ScreenConnect, a robust tool for remote support, controls access to its “setup wizard” following the software's initial installation.
How Does the Exploit Work?
To understand the mechanics behind the exploit [2], researchers undertook a detailed examination by reverse-engineering [1] the patch issued by ConnectWise, addressing these two vulnerabilities in ScreenConnect. This involved a thorough comparison between the software's patched and unpatched versions. Through setting up local test environments for both, they aimed to uncover specific changes that would shed light on the nature of the vulnerabilities.
Here, you will find a list of files that are updated after the patch. The team noted differences (delta) in various files, including executables, libraries, and configuration files.
Among these, SetupWizard.aspx stood out as a promising lead because it is a text file, making it easier to compare changes directly without needing to decompile binary files.
Here is the delta code between the initial and after-patch of the SetupWizard.aspx file.
1a2 |
These changes introduced a vital verification process in the patched version, designed to ascertain whether the ScreenConnect instance had been previously configured before granting access to the setup wizard. By modifying the OnInit event within the SetupWizard.aspx file, the update ensures that an error is thrown if there is an attempt to access the setup wizard after the system has been set up, thus effectively blocking such attempts.
A deeper dive into the ScreenConnect.Web.dll and specifically the ScreenConnect.SetupModule shed additional light on the mechanisms of potential exploitation and the measures taken to prevent it. A significant modification in the latest update was the transition of handler registration from the OnBeginRequest event to the OnPostMapRequestHandler event.
This change is crucial as it ensures the context.Handler field is filled, thereby facilitating a new validation check. This check assesses whether the HTTP handler being called implements the newly introduced ISetupHandler interface, a stark contrast to the previous approach that relied merely on matching the request path as a string.
This modification effectively closes off a subtle avenue for exploitation, where attackers could previously sidestep the access restrictions of the setup wizard by manipulating the URL path. Leveraging a particular .NET feature that processes additional path components beyond a legitimate URL, attackers could access the setup wizard on ScreenConnect instances that were already configured by crafting a request like the following.
/SetupWizard.aspx/anygivenstring |
Impact and Exploitability
With many researchers and vendors sharing their proof of concept and the vulnerability's easy-to-exploit nature, it is likely that we will see numerous exploitation cases on unpatched systems.
This is because once the setup wizard is accessed, the attacker can proceed to create a new administrative user or overwrite the existing user database. Essentially, this grants them full administrative control over the ScreenConnect instance. With administrative rights, the attacker can then upload malicious extensions or execute arbitrary code on the system, leveraging ScreenConnect's functionality that allows for the execution of .NET code as SYSTEM on the servers.
CVE-2024-1708: Path Traversal Vulnerability
Path Traversal vulnerabilities allow attackers to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with dot-dot-slash (../) sequences, attackers can move up the directory tree and access arbitrary files or directories.
In the case of CVE-2024-1708, the vulnerability was due to inadequate path validation when ScreenConnect extracted files from ZIP archives, specifically in the context of handling ScreenConnect extensions. The original code (before patch) did not strictly validate or sanitize the paths of extracted files, potentially allowing a malicious zip file to traverse directories (ZipSlip) and place files outside the intended target directory.
The patch released essentially tightens the security by verifying that all extracted files from a zip archive are confined to a specified directory, significantly reducing the risk of a successful ZipSlip attack.
(For the ones that are curious about the changes done in ScreenConnect.Core.dll and, and ScreenConnect.Server.dll, click the corresponding file names.)
How Does the Exploit Work?
Before the 23.9.8 security fix, an attacker could craft a malicious ScreenConnect extension contained within a zip file. When processed by ScreenConnect, this file could extract its contents to arbitrary locations within the ScreenConnect server's file system. Typically, this would require administrative credentials and access to the Extensions functionality of ScreenConnect, suggesting that the attacker would need to bypass authentication or otherwise legitimately authenticate to exploit this vulnerability.
Hence, attackers are exploiting the CVE-2024-1708 and CVE-2024-1709 vulnerabilities in collaboration, where CVE-2024-1709 allows them to create administrative accounts, enabling them to exploit the CVE-2024-1708 vulnerability.
The released patch essentially tightens security by verifying that all extracted files from a zip archive are confined to a specified directory, significantly reducing the risk of a successful ZipSlip attack.
Impact and Exploitability
While CVE-2024-1708, on its own, might have a more controlled scope due to the requirement for administrative access, it becomes significantly more critical in conjunction with an authentication bypass vulnerability like CVE-2024-1709. In such a combined attack scenario, an unauthenticated attacker could first bypass authentication and then exploit CVE-2024-1708 to achieve remote code execution without the need for a legitimately installed extension.
The advisory indicates that post-exploitation, any .aspx or .ashx files found at the root of the C:\Program Files (x86)\ScreenConnect\App_Extensions\ directory should be considered suspicious, as ScreenConnect does not normally place files in this directory. This makes CVE-2024-1708 particularly stealthy, as the malicious files might not attract immediate attention.
How Picus Helps Simulate CVE-2024-1709 & CVE-2024-1708 Exploit Attacks?
We also strongly suggest simulating the ConnectWise ScreenConnect CVE-2024-1709 and CVE-2024-1708 vulnerabilities to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Citrix Bleed, Follina, and Log4Shell, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for ConnectWise ScreenConnect CVE-2024-1709 and CVE-2024-1708 vulnerability exploitation attacks:
Threat ID |
Threat Name |
Attack Module |
75597 |
ConnectWise ScreenConnect Web Attack Campaign |
Web Application |
References
[1] “Understanding the ConnectWise ScreenConnect CVE-2024-1709 & CVE-2024-1708.” Available: https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass. [Accessed: Feb. 27, 2024]
[2] “ConnectWise ScreenConnect 23.9.8 security fix,” Feb. 19, 2024. Available: https://www.connectwise.com/. [Accessed: Feb. 27, 2024]