www.belgium.be Logo of the federal government

WARNING: URGENT: ACTIVELY EXPLOITED CONNECTWISE SCREENCONNECT CVE-2024-1708 AND CVE-2024-1709 VULNERABILITIES - APPLY PATCH IMMEDIATELY!

Reference: 
Advisory #2024-032
Version: 
1.0
Affected software: 
ConnectWise ScreenConnect
Type: 
Authentication Bypass, Path Traversal
CVE/CVSS: 

CVE-2024-1708 :CVSS 8.4(CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)
CVE-2024-1709 :CVSS 10.0(CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)

Sources

https://www.connectwise.com/company/trust/security-bulletins/connectwise- ScreenConnect-23.9.8
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-1709

Risks

Vulnerabilities in ConnectWise ScreenConnect prior to version v23.9.8 allow a malicious attacker to gain administrator access on a ScreenConnect server. From here malicious attackers can use the ScreenConnect functionality to execute malicious code on all the connected systems. These vulnerabilities could lead to a complete compromise of your business.

The vulnerabilities CVE-2024-1708 and CVE-2024-1709 are currently being actively exploited, with multiple groups of ransomware actors attempting to take advantage of these weaknesses.

Both vulnerabilities are trivial to exploit, which makes them an appealing target for cybercriminals.

Description

CVE-2024-1709 - Authentication Bypass

Attackers can bypass authentication granting them administrator access to the server. This enables attackers to effortlessly take control of the ScreenConnect server.

CVE-2024-1708 - Path Traversal

Attackers can abuse a path traversal vulnerability to write files to the ScreenConnect server. This vulnerability could be used to upload malicious code to a vulnerable server.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing. Update Self-

hosted instances of ScreenConnect serve tor version 23.9.8 or later immediately!

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion. Indicators and hunting rules can be found in the references below.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the- ScreenConnect-authentication-bypass
https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe- 288-2
https://unit42.paloaltonetworks.com/connectwise-threat-brief-cve-2024-1708- cve-2024-1709/
https://www.bleepingcomputer.com/news/security/ScreenConnect-critical- bug-now-under-attack-as-exploit-code-emerges