February 20, 2024 at 12:27PM
ConnectWise has urgently released patches for two critical security flaws in its ScreenConnect remote desktop access product, warning of high risk of exploitation. The most severe bug allows an “authentication bypass using an alternate path or channel,” scoring 10/10 in CVSS, while a second bug, an “improper limitation of a pathname to a restricted directory,” scores 8.4/10. Enterprise admins are urged to install patches immediately.
Based on the meeting notes, the takeaways are:
1. ConnectWise has released urgent patches for two critical security defects in its ScreenConnect remote desktop access product.
2. The most serious bug is an “authentication bypass using an alternate path or channel,” with a maximum CVSS severity score of 10/10.
3. Another bug, an improper limitation of a pathname to a restricted directory (“path traversal”), was also fixed and carries a CVSS severity score of 8.4/10.
4. The company urges enterprise admins to install the patches as emergency changes within days due to the severity and risk of exploitation.
5. The vulnerabilities were reported a week ago through ConnectWise’s public disclosure channel, but there is no evidence of in-the-wild exploitation.
6. Affected versions include ScreenConnect 23.9.7 and prior versions, with a focus on on-prem or self-hosted customers.
7. The patches come at a time when the US government is warning about critical risks associated with legitimate remote monitoring and management (RMM) software.
8. Threat actors have been observed abusing RMM software, such as ScreenConnect, for financial gain.
9. Security defects in ConnectWise software products have landed the company on the CISA KEV (Known Exploited Vulnerabilities) catalog.
Let me know if you need further clarification or details.