Security consultancy Bishop Fox has discovered eight vulnerabilities in ConnectWise Control.
The flaws, detailed here, could allow attackers to create an “attack chain” that hijacks a managed service provider's (MSP's) systems and their customers' devices.
“One of our security researchers found these vulnerabilities. He deemed them severe enough to rate them as critical, and the attack chain so bad that we had to report them,” Bishop Fox Associate Vice President of Consulting Daniel Wood told CRN.
Chaining the vulnerabilities “would allow an attacker to execute arbitrary code on a victim’s Control server, as well as gain control of any client machines connected to a victim’s Control instance,” according to a post from Bishop Fox on what it calls the ConnectWise Critical (Zero-Day) Vulnerability Disclosure.
The eight flaws named by Bishop Fox are: cross-site scripting, CORS (Cross-Origin Resource Sharing) misconfiguration, cross-site request forgery, information disclosure, remote code execution, user enumeration, missing security headers and insecure cookie scope.
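Three of the eight classes named above, CORS misconfiguration, missing security headers and insecure cookie scope, are server configuration problems that can be recognised directly in an HTTP response. The following Python audit is an added illustration, not code from the article, Bishop Fox or ConnectWise: it checks a constructed weak response against a constructed hardened one and reports each finding. The hostnames, origins and header values are placeholders for the example and say nothing about what ConnectWise Control actually sends.

```python
"""Audit an HTTP response for CORS misconfiguration, missing security headers
and insecure cookie scope. Added example; sample responses are constructed."""
from typing import Dict, List, Tuple

# Headers whose absence is reported under the "missing security headers" class.
REQUIRED_SECURITY_HEADERS = (
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
)


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; normalise for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def audit_cors(headers: Dict[str, str], untrusted_origin: str) -> List[str]:
    """Flag Access-Control-Allow-Origin values that let any site read responses.

    untrusted_origin is the Origin the test request carried and that the server
    should NOT trust; if it comes back verbatim, the server reflects origins.
    Combined with Allow-Credentials: true, that exposes authenticated responses.
    """
    h = _lower_keys(headers)
    findings: List[str] = []
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return findings
    if acao == "*":
        findings.append("CORS: wildcard Access-Control-Allow-Origin")
    elif acao == untrusted_origin:
        findings.append(f"CORS: Origin reflected without validation ({acao})")
    if findings and h.get("access-control-allow-credentials", "").lower() == "true":
        findings.append("CORS: Allow-Credentials=true with permissive origin exposes authenticated data")
    return findings


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Report each hardening header that the response does not set."""
    h = _lower_keys(headers)
    return [f"Missing security header: {n}" for n in REQUIRED_SECURITY_HEADERS if n.lower() not in h]


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, object]]:
    """Parse 'name=val; Attr=x; Flag' into (name, {attribute_lower: value_or_True})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, object] = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            attrs[k.strip().lower()] = v.strip()
        elif p:
            attrs[p.lower()] = True  # bare flags such as Secure / HttpOnly
    return name, attrs


def audit_cookie_scope(set_cookie_values: List[str], site_host: str) -> List[str]:
    """Flag cookies that are readable by script, sent over plain HTTP, scoped
    to a parent domain, or sent on cross-site requests."""
    findings: List[str] = []
    for raw in set_cookie_values:
        name, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:
            findings.append(f"Cookie {name}: missing Secure flag")
        if "httponly" not in attrs:
            findings.append(f"Cookie {name}: missing HttpOnly flag (readable by injected script)")
        domain = attrs.get("domain")
        if isinstance(domain, str) and domain.lstrip(".").lower() != site_host.lower():
            findings.append(f"Cookie {name}: Domain={domain} scopes the cookie beyond {site_host}")
        if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
            findings.append(f"Cookie {name}: SameSite not Lax/Strict (cross-site request exposure)")
    return findings


def audit_response(headers: Dict[str, str], set_cookies: List[str],
                   untrusted_origin: str, site_host: str) -> List[str]:
    """Run all three checks and return the combined list of findings."""
    return (audit_cors(headers, untrusted_origin)
            + audit_security_headers(headers)
            + audit_cookie_scope(set_cookies, site_host))


# Constructed sample data (placeholders, not captured from any real server).
SITE_HOST = "control.example.com"
UNTRUSTED_ORIGIN = "https://untrusted.example"
WEAK_HEADERS = {
    "Access-Control-Allow-Origin": "https://untrusted.example",  # reflected Origin
    "Access-Control-Allow-Credentials": "true",
    "Content-Type": "text/html",
}
WEAK_COOKIES = ["session=abc123; Path=/; Domain=.example.com"]
HARDENED_HEADERS = {
    "Access-Control-Allow-Origin": "https://app.example.com",  # fixed allowlist entry
    "Access-Control-Allow-Credentials": "true",
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}
HARDENED_COOKIES = ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for label, hdrs, cookies in (("weak", WEAK_HEADERS, WEAK_COOKIES),
                                 ("hardened", HARDENED_HEADERS, HARDENED_COOKIES)):
        print(f"--- {label} response ---")
        for finding in audit_response(hdrs, cookies, UNTRUSTED_ORIGIN, SITE_HOST) or ["no findings"]:
            print(" ", finding)
```

The weak response produces ten findings (two for CORS, four missing headers, four for the cookie); the hardened response produces none. The CORS check deliberately asks for an origin that must not be trusted rather than one from an allowlist, because an allowlisted origin coming back is correct behaviour and a reflected arbitrary origin is the misconfiguration.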
“The flaws in general, they’re serious in their own right, but when you start taking a look at chaining the vulnerabilities together, [it’s even worse]. We call them basically attack chaining,” said Wood.
The “attack chaining” can result in either “forgery vulnerabilities” on the ConnectWise Control server or a client desktop breach that opens the door to the “endpoint” device itself, according to Bishop Fox, which bills itself as the largest private services firm focused on “offensive security testing.”
ConnectWise Control is among the most popular MSP tools, with at least 100,000 users managing millions of endpoints around the globe, according to ConnectWise.
Bishop Fox indicated that it is also looking for potential security flaws in other remote monitoring and management tools for MSPs. If RMM tools are not architected or configured properly, MSPs can expose themselves and their customers to a “whole bunch of different security concerns,” said Wood.
ConnectWise Director of Security Tom Greco on Tuesday told CRN that ConnectWise’s engineers have patched 75 percent of the flaws that Bishop Fox identified, despite the company’s difficulty in reproducing them.
“The vulnerabilities they reported to us didn’t really provide a proof of exploitation,” he said. “They provided conceptual ideas of how they might be exploited, but they wouldn’t or couldn’t provide us with any specific examples. That doesn’t mean we didn’t take them seriously. We certainly did.”
ConnectWise in a statement provided to CRN said that both it and Bishop Fox “agreed that no active exploits had occurred from these potential vulnerabilities.”
“ConnectWise takes the security of our products and our partners very seriously,” the company said in the statement. “We appreciated the insights and based on their report, we did our own internal research and evaluation and addressed the points they raised in their review. With an overabundance of caution, we resolved 6 of the 8 items Bishop Fox listed in their report by October 2, 2019.”
On January 21, 2020, ConnectWise said it again ran its own tests on “6 of the 8 items referenced in the Bishop Fox report and we can affirm that they are secure.”
“Within the next two weeks we will resolve a seventh item that is much lower in risk,” the company said. “ConnectWise takes the stance that the final item identified by Bishop Fox does not pose a credible threat to users of the product.”
At CRN’s request, independent researchers at Huntress Labs, a provider of managed breach detection for MSPs, examined Bishop Fox’s vulnerability report to see if it accurately characterized the flaws that it claims to have found.
“This is no-nonsense, high-quality offensive security research. The channel usually doesn’t get this type of exposure because the types of people like Bishop Fox are usually working for the largest companies in the world,” said Kyle Hanslovan, CEO of Huntress Labs. “These are real vulnerabilities, found by real vulnerability researchers and our community could use a lot more of it … This could have allowed a hacker to gain remote access if they targeted the right administrator. I would give it an 8 out of 10 on the severity rating.”
Hanslovan’s team started Tuesday morning to see if they could recreate the exploits, and discovered that in some cases they could.
“We’ve definitely seen some of the vulnerabilities patched or neutered. So they’re not as dangerous. However, there are definitely some features that are also vulnerabilities that weren’t patched,” he said. “Whether that was a direct decision, we’re not sure. As for some of the other vulnerabilities, the CORS vulnerability, it appears that one is still exploitable. Additionally, we’re still in the final testing period of the remote code execution vulnerability. We’re unsure if that’s patched yet. We believe there are some of these vulnerabilities that haven’t been patched, but have been mitigated.”
“The CORS vulnerability, the cross-site scripting vulnerability, and the remote code execution vulnerability are all the scary ones,” Hanslovan said. “Those are the ones, if you look at the criticality, they’re rated medium to high, when it comes to how dangerous they are. We confirmed cross-site scripting still exists, so we’re a little concerned about that. But the one that would really be bothersome is if this remote code execution vulnerability is still there, which it seems likely it could still be there. That means there’s still some dragons lurking. There’s no way to sugarcoat that. We’re excited that ConnectWise has clearly put effort into mitigating the low vulnerability ones, which are all cleared up.”
For its part, ConnectWise said it fixed the cross-site request forgery, information disclosure, user enumeration, CORS misconfiguration and insecure cookie scope vulnerabilities in September and October.
It also says it fixed the remote code execution vulnerability in September before Bishop Fox found it.
The company said it has not yet fixed the missing security headers and does not plan to fix the cross-site scripting issue, which it describes as a feature even though the two security research firms call it a flaw.
ConnectWise was tied to numerous MSP security breaches in 2019, starting with reports in April that the company’s Control product was used in the now-infamous Wipro hack. In May the company announced that its ConnectWise Manage platform was taken offline by European hackers. Then in August an MSP using ConnectWise Control had its network hit by ransomware that took down 22 municipal web sites in cities and towns across the US state of Texas.
Wood said many of the legacy apps Bishop Fox encounters are not built with security in mind, but cobbled together over years, through need and acquisitions, leaving layers of “tech debt.”
“That tech debt will result in vulnerabilities,” Wood said. “So if this was more of a legacy application that they kind of just gave a face-lift to then, they probably inherited the vulnerabilities.”
ConnectWise in fact acquired the Screen Connect product in 2015, which was later branded ConnectWise Control. Last year, the company celebrated ConnectWise Control’s tenth birthday on its website. In that write-up, it said the product was designed from the ground up in 2009. Screen Connect was originally a screen writing software website.
A Bishop Fox security researcher, who has since left the company, began investigating ConnectWise Control on September 13, Wood said. At that time, Bishop Fox was not aware of ConnectWise Control’s role in the Texas ransomware outbreak, but once it learned of it, the company reached out to the FBI field office handling the investigation to share the flaws it had discovered.
“We talked with them and walked them through the vulnerabilities,” Wood said. “We had multiple conversations. I would say maybe over a month or two.”
ConnectWise reacted badly
Wood said at some point during conversations, ConnectWise threatened the researchers with litigation.
“The conversation turned a little contentious,” said Wood. “A threat of defamation and libel did come up in that conversation. That immediately concerned us,” Wood said. “We absolutely stand behind the researchers we have and support them. As long as they follow our policies and procedures -- and we do things by the book -- then we’re always going to support them and stand up for them. If someone is threatening litigation, that’s only going to make us double down on protecting our researchers, consultants, and our company.”
The ConnectWise response was in sharp contrast to the handling of an Amazon Web Services flaw discovered by Bishop Fox, Wood said, adding that AWS acted as a “partner” to resolve the security issue. “They were actively seeking to understand the issue and then seeking kind of almost a partnership to better understand the research that we do in the future to make sure that they’re protecting their customers going forward,” he said.
Greco, who was not involved in the initial conversations with Bishop Fox, said he could not comment on whether there was a threat of litigation by ConnectWise. He said he never worked for the former CISO, John Ford, who was part of those initial conversations with Bishop Fox and left ConnectWise in December.
Greco said MSPs should continue to have confidence in ConnectWise Control. “The testing that our code goes through, as well as our external assessments and vulnerability and penetration tests definitely gives us confidence that our products are secure,” he said. “And we’re always improving. As everybody knows, the game is never done. You have to continue to develop. You have to continue to look at our existing code and improve and get better at what we do. But yes, we are very confident in the security of our products.”
Finally, ConnectWise said it will continue to work to optimize security for its partners and the channel community. “We encourage partners and colleagues to contact us at firstname.lastname@example.org with any questions or to report any issues,” the company said.