Frequently Asked Questions about ScreenConnect Vulnerabilities

Frequently asked questions about two vulnerabilities affecting ConnectWise ScreenConnect

Background

The Tenable Security Response Team has put together this blog to answer Frequently Asked Questions (FAQ) regarding two vulnerabilities impacting ScreenConnect, a Remote Monitoring and Management (RMM) solution from ConnectWise.

FAQ

What are the ScreenConnect vulnerabilities and when were they disclosed?

On February 19, ConnectWise released a security advisory for two vulnerabilities affecting their RMM product, ScreenConnect. At the time the advisory was released, no CVE identifiers had been released for the vulnerabilities. On February 21, three CVEs were assigned for these vulnerabilities. Two CVEs were reserved by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) (CVE-2024-1708 and CVE-2024-1709) and another was reserved by MITRE (CVE-2024-27215). CVE-2024-27215 was later updated and listed as REJECTED.

Which versions of ConnectWise are affected?

ScreenConnect versions 23.9.7 and prior are affected by these vulnerabilities. These vulnerabilities only impact self-hosted or on-premise installations. Cloud customers who have ScreenConnect servers hosted on the “screenconnect.com” or “hostedrmm.com” are not impacted as updates have been made to the cloud service to address these vulnerabilities.

The advisory also notes that updated versions of ScreenConnect 22.4 through 23.9.7 will be released, however they still strongly recommend upgrading to ScreenConnect version 23.9.8.

Have any of these vulnerabilities been exploited?

On February 20, ConnectWise updated its security advisory to share indicators of compromise (IOCs) relating to malicious activity. In this update, ConnectWise notes that they have "received updates of compromised accounts" that were investigated and confirmed by its incident response team, indicating in-the-wild exploitation of these flaws. The update includes IOCs of IP addresses reportedly associated with threat actor activity.

On February 20, Huntress posted a blog post with detection guidance to aid defenders into identifying impacted systems.

On February 23, Sophos reported that ransomware attacks have been observed exploiting vulnerable ScreenConnect servers. A variant of the LockBit ransomware known as buhtiRansom has been observed and according to Sophos, this variant appears to have been generated using the leaked LockBit builder. As ransomware groups and affiliates begin targeting vulnerable instances of ScreenConnect, it's imperative that immediate action is taken to remediate these vulnerabilities.

Has any Proof-of-Concept (PoC) code been released?

As of February 20, a blog by Huntress indicates that their researchers have reproduced these vulnerabilities and developed a working PoC, however they have chosen not to release the exploit code. Later that day, Huntress posted another blog post with their analysis of the vulnerabilities as well as how they discovered them. This blog included information on how to exploit these vulnerabilities citing that other vendors have released their own PoCs and that "the cat is out of the bag."

In addition to Huntress, researchers at Horizon3 Attack Team posted to X (formerly known as Twitter) about their own PoC for the authentication bypass vulnerability, adding that it is “extremely trivial to reverse and exploit” that they plan to publish it along with a blog post soon.

The recent #ConnectWise #ScreenConnect authentication bypass vulnerability is extremely trivial to reverse and exploit. Blog and exploit POC will drop soon. pic.twitter.com/mEIaRetKxQ

— Horizon3 Attack Team (@Horizon3Attack) February 20, 2024

On February 21, Horizon3 released their write up and PoC and researchers at watchTowr posted on X that they have created a PoC for the authentication bypass issue and posted a link to their PoC on GitHub.

Here's our PoC for the Connectwise ScreenConnect Auth Bypass:https://t.co/C17vJWygf6 

The vuln is the definition of trivial and thus we won't release any analysis. Not sure what we would share - "Add a / and you too can pwn the world"? pic.twitter.com/oVh2LNCqb6

— watchTowr (@watchtowrcyber) February 21, 2024

Are patches or mitigations available?

As of February 19 when the security advisory was released, ScreenConnect version 23.9.8 has been released to address these vulnerabilities. No mitigation steps were provided by ConnectWise.

Has Tenable released any product coverage for these vulnerabilities?

Yes, product coverage for these vulnerabilities is now available in the following plugins:

• Nessus Plugin ID 190883: ConnectWise ScreenConnect Installed (Windows)
• Nessus Plugin ID 190894: ConnectWise ScreenConnect HTTP Detection
• Nessus Plugin ID 190886: ConnectWise ScreenConnect < 23.9.8 Multiple Vulnerabilities
• Nessus Plugin ID 190893: ConnectWise ScreenConnect < 23.9.8 Authentication Bypass (Direct Check)
• Web App Scanning ID 114214: ConnectWise ScreenConnect < 23.9.8 Authentication Bypass

Additional coverage can be found on the individual CVE pages for CVE-2024-1708 and CVE-2024-1709 as they're released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Get more information

• ConnectWise ScreenConnect 23.9.8 Security Advisory
• Huntress Blog Post: Vulnerability Reproduced: Immediately Patch ScreenConnect 23.9.8
• Huntress Blog Post: A Catastrophe For Control: Understanding the ScreenConnect Authentication Bypass
• Horizon3 Attack Team Blog: ConnectWise ScreenConnect: Authentication Bypass Deep Dive

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.