ConnectWise CEO Jason Magee said his company hired an independent security firm to make sure the eight zero-day threats exposed in last week’s Bishop Fox report have been mitigated for the managed service providers who use its products, and he vowed an “unrelenting commitment to security” going forward.
“I want to assure our community that we understand the trust you place in our products and people. We take that trust seriously,” Magee said in a letter to partners Friday. “You have our unrelenting commitment to security and transparency, and we appreciate your questions and feedback to our continuous improvement.”
Bishop Fox, a nationally recognised offensive security firm, last Wednesday published a 13-page report outlining the eight issues its security researcher found. Following the report, which Huntress Labs later validated, ConnectWise hired independent security firm GuidePoint to check the work ConnectWise had done to mitigate the threats.
Magee said that after ConnectWise received word of the vulnerabilities from Bishop Fox in September, it patched six of the eight issues by 2 October. It considered the remaining two low risk, including one that ConnectWise says is not a flaw but a feature of the product; however, it has said it will remove that option from its trial version.
“We hired GuidePoint, an independent third-party cybersecurity solutions company, to further validate our patches and confirm that the vulnerabilities were mitigated,” Magee wrote to partners. “One of the remaining two suggested areas of remediation is Cross-site Scripting (XSS) which is the potential for abuse of the Control Administrator role’s ability to customize the application. This customisation ability is a key feature of Control that many partners value. This issue is considered a low actual risk, but we will be removing the option from our trial offering.”
Huntress Labs CEO Kyle Hanslovan praised ConnectWise’s efforts, saying “bugs happen” but how a company responds is the most critical issue.
“I think three things matter in this scenario: Were the bugs acknowledged, were the bugs fixed and was the company passionate about fixing them for the right reasons?” Hanslovan is quoted as saying in Magee’s letter. “I think ConnectWise came through on all three things, and after our positive conversation on January 23, we’re excited about continuing to work with ConnectWise and other vendors for the benefit of the channel as a whole.”
Magee did not address Bishop Fox’s statements that former ConnectWise chief information security officer John Ford threatened the security researchers with litigation if they disclosed the vulnerabilities in ConnectWise Control. The vulnerabilities that Bishop Fox brought forward were validated by Huntress Labs, and later by GuidePoint.
“Mr. Ford raised the threat of a defamation lawsuit. But Bishop Fox’s research found vulnerabilities that do, in fact, impact on-premises installations,” the 22 January Bishop Fox report stated. “Bishop Fox stands by our security researchers and believes in a fair and transparent process. In this particular case, we extended the disclosure timeline to give ConnectWise additional time to address these issues.”