ConnectWise ScreenConnect 23.9.8 security fix

02/19/2024
Products: ScreenConnect
Severity: Critical
Priority: 1 - High
February 27, 2024 update: 
 
Cloud partner summary:
Cloud partners are remediated against both vulnerabilities reported on February 19. No further action is required from any cloud partner (“screenconnect.com” cloud and “hostedrmm.com”).
 
On-prem partner summary:

On-prem partners are advised to immediately upgrade to the latest version of ScreenConnect to remediate against reported vulnerabilities.

Active maintenance
If you are on active maintenance, we strongly recommend upgrading to the most current release of 23.9.8 or later. Using the most current release of ScreenConnect includes security updates, bug fixes, and enhancements not found in older releases.

Off maintenance
ConnectWise has provided a patched version of 22.4.20001 available to any partner regardless of maintenance status as an interim step to mitigate the vulnerability. If you are not currently under maintenance, please upgrade your servers to version 22.4.20001 at minimum or to your latest eligible patched version that includes the remediation for CVE-2024-1709. 

(Updated) Addressing license errors: If a license error arises during the upgrade, please stop the four ScreenConnect services (Session Manager, Security Manager, Web Server, Relay), move the “License.xml” file from the installation folder “C:\Program Files (x86)\ScreenConnect\App_Data\License.xml” to another location such as Desktop, and proceed with the upgrade. After the upgrade is complete, the license key will need to be re-added by stopping the four services and dropping the file back into the App_Data folder.

 


 
February 23, 2024 update: 
 
ICYMI: ConnectWise has taken an exceptional step to support partners no longer under maintenance by making them eligible to install version 22.4 at no additional cost, which will fix CVE-2024-1709, the critical vulnerability. However, this should be treated as an interim step. ConnectWise recommends on-premise partners upgrade to remain within maintenance to gain access to all security and product enhancements.
 
February 22, 2024 update: 

ConnectWise recommends on-premise partners immediately update to 23.9.8 or higher to remediate reported vulnerabilities.  

ConnectWise has rolled out an additional mitigation step for unpatched, on-premise users that suspends an instance if it is not on version 23.9.8 or later. If your instance is found to be on an outdated version, an alert will be sent with instructions on how to perform the necessary actions to release the server. 

To upgrade your version to our latest 23.9 release, please follow this upgrade path: 

2.1 → 2.5 → 3.1 → 4.4 → 5.4 → 19.2 → 22.8 → 23.3 → 23.9 

If you need any assistance or have additional questions, please go online to ConnectWise Home and open a case with our support team or email help@connectwise.com.

February 21, 2024 update*: 

Cloud partner summary: Cloud partners are remediated against both vulnerabilities reported on February 19. No further action is required from any cloud partner (“screenconnect.com” cloud and “hostedrmm.com”).

On-prem partner summary: On-prem partners are advised to immediately upgrade to the latest version of ScreenConnect to remediate against reported vulnerabilities.

Today, ScreenConnect version 23.9.10.8817 was released containing a number of fixes to improve customer experience. It is always recommended to be on the latest version but 23.9.8 is the minimum version that remediated the reported vulnerabilities.

As part of this release, ConnectWise has removed license restrictions, so partners no longer under maintenance can upgrade to the latest version of ScreenConnect.

*Please see the February 27, 2024 security bulletin update that clarifies partners off maintenance can upgrade to 22.4.20001 (or a later eligible version) to receive a patch to CVE-2024-1709. To get the current 23.9.8 or later release, partners need to be on active maintenance. 

February 20, 2024 update: 

Indicators of compromise
Indicators of compromise (IOCs) look for malicious activity or threats. These indicators can be incorporated into your cybersecurity monitoring platform. They can help you stop a cyberattack that's in progress. Plus, you can use IOCs to find ways to detect and stop ransomware, malware, and other cyberthreats before they cause data breaches.

We've received notifications of suspicious activity that our incident response team has investigated. The following IP addresses were used by threat actors. We are making them available for protection and defense. IOCs:

  • 155.133.5.15
  • 155.133.5.14
  • 118.69.65.60

We will continue to update with any further information as it becomes available. 
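As an added example (not ConnectWise code), the following Python scripts two checks a defender would run while working this bulletin: classifying a server's reported version against the version rules stated above (23.9.8 or higher patched; 22.4.20001 as the off-maintenance interim build) and scanning access-log lines for the IOC addresses listed. The log lines and their format are constructed, and the helper names are assumptions of this example.

```python
"""Triage helpers for the ScreenConnect bulletin (added example, not
ConnectWise code).  Two checks: (1) classify a reported server version
against the rules the bulletin states, and (2) scan web-server access-log
lines for the IOC IP addresses the bulletin lists.  The log format below
is a constructed, simplified combined format; real ScreenConnect/IIS logs
need their own parser."""
import re

# IOC addresses exactly as listed in the February 20 bulletin update.
IOC_IPS = frozenset({"155.133.5.15", "155.133.5.14", "118.69.65.60"})

PATCHED_MIN = (23, 9, 8)             # "23.9.8 or higher are considered patched"
INTERIM_OFF_MAINT = (22, 4, 20001)   # off-maintenance build for CVE-2024-1709


def parse_version(text: str) -> tuple:
    """Turn '23.9.10.8817' into (23, 9, 10, 8817); reject junk input."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def classify_version(text: str) -> str:
    """Return 'patched', 'interim' or 'vulnerable' per the bulletin.

    Conservative by design: the bulletin also mentions updated builds of
    releases 22.4 through 23.9.7 without listing their numbers, so any
    build other than 22.4.20001 that is below 23.9.8 is reported as
    vulnerable here and should be confirmed on the server's Version Check.
    """
    v = parse_version(text)
    if v >= PATCHED_MIN:          # tuple comparison handles 23.9.10.8817 etc.
        return "patched"
    if v[:3] == INTERIM_OFF_MAINT:
        return "interim"          # CVE-2024-1709 fixed; still move to 23.9.8+
    return "vulnerable"


# Constructed sample log lines: client_ip - - [timestamp] "METHOD path ..." status
LOG_LINE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = """\
203.0.113.9 - - [20/Feb/2024:09:14:02 +0000] "GET /Host HTTP/1.1" 200
155.133.5.15 - - [20/Feb/2024:09:15:11 +0000] "GET /Login HTTP/1.1" 200
198.51.100.7 - - [20/Feb/2024:09:16:40 +0000] "POST /Login HTTP/1.1" 302
this line is not a log line and must not abort the scan
118.69.65.60 - - [20/Feb/2024:09:18:05 +0000] "GET /Host HTTP/1.1" 302
"""


def find_ioc_hits(log_text: str, iocs=IOC_IPS) -> list:
    """Return one dict per log line whose client IP is in the IOC set."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip it, keep scanning
        if m["ip"] in iocs:
            hits.append({k: m[k] for k in ("ip", "ts", "method", "path", "status")})
    return hits


if __name__ == "__main__":
    for ver in ("23.9.7", "23.9.8", "23.9.10.8817", "22.4.20001"):
        print(f"{ver:>14}: {classify_version(ver)}")
    for hit in find_ioc_hits(SAMPLE_LOG):
        print("IOC hit:", hit)
```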

 

Original Bulletin:

Summary 

Vulnerabilities were reported February 13, 2024, through our vulnerability disclosure channel via the ConnectWise Trust Center. There is no evidence that these vulnerabilities have been exploited in the wild, but immediate action must be taken by on-premise partners to address these identified security risks. 

Vulnerability 

  • CWE-288 Authentication bypass using an alternate path or channel 
  • CWE-22 Improper limitation of a pathname to a restricted directory (“path traversal”)  

 

CWE ID | Description | Base Score | Vector
CWE-288 | Authentication bypass using an alternate path or channel | 10 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-22 | Improper limitation of a pathname to a restricted directory (“path traversal”) | 8.4 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

 

Severity 

Critical—Vulnerabilities that could allow the ability to execute remote code or directly impact confidential data or critical systems.

Priority 

1 High—Vulnerabilities that are either being targeted or have higher risk of being targeted by exploits in the wild. Recommend installing updates as emergency changes or as soon as possible (e.g., within days)  

Affected versions 

ScreenConnect 23.9.7 and prior 

Remediation 

Cloud 

There are no actions needed by the partner; ScreenConnect servers hosted in the “screenconnect.com” cloud or “hostedrmm.com” have already been updated to remediate the issue.

On-premise 

Partners that are self-hosted or on-premise need to update their servers to version 23.9.8 immediately to apply a patch. 

ConnectWise will also provide updated versions of releases 22.4 through 23.9.7 for the critical issue, but strongly recommends that partners update to ScreenConnect version 23.9.8.

For instructions on updating to the newest release, please reference this doc: Upgrade an on-premise installation - ConnectWise 

Link to patch: Download | ConnectWise ScreenConnect™ 


Frequently asked questions

On February 13, 2024, an independent researcher ethically and responsibly reported two potential vulnerabilities using the ConnectWise vulnerability disclosure program through the ConnectWise Trust Center, including a potential critical vulnerability that would allow anonymous attackers to exploit an authentication bypass flaw to create admin accounts on publicly exposed instances. Essentially, a bad actor could assume the role of system admin, delete all other users, and take over the instance.

Once the vulnerability was validated on February 14, 2024, ConnectWise product security and engineering teams worked together to mitigate all cloud instances of ScreenConnect within 48 hours. We did so without requiring a version update. Then, we upgraded cloud instances to a later version for further hardening. As a result, partners within our hosted cloud environments were quickly secured against this critical vulnerability.  

Following industry best practices for patching strategy, an official upgraded package was released on February 19, 2024, for all on-prem ScreenConnect partners, and a security bulletin was posted to the ConnectWise Trust Center strongly urging partners patch their on-prem instances of ScreenConnect. On the same day, ConnectWise initiated contact with CISA, and on February 22, CISA added CVE-2024-1709 to its Known Exploited Vulnerabilities (KEV) Catalog.  

In addition, to provide timely information and support to our partners, we mobilized outreach communications through multiple channels, including security bulletins and advisories, partner emails, virtual events, and blogs. These communications emphasize the urgency to patch on-prem instances of ScreenConnect while providing our partners with the latest information, best practices, and support for this critical vulnerability.  

Anyone on a self-hosted instance running ScreenConnect 23.9.7 and prior. 

Partners no longer under maintenance are eligible to install version 22.4.20001 at no additional cost, which will fix both vulnerabilities. However, this should be treated as an interim step. ConnectWise recommends updating to the latest release to get all the current security patches and therefore all partners should upgrade to 23.9.8 or higher as outlined in the upgrade path below. 

Upgrade ScreenConnect to a patched version  

1. To upgrade to version 23.9.8 or later, please note there is a specific upgrade path that must be followed: 

1 → 2.5 → 3.1 → 4.4 → 5.4 → 19.2 → 22.8 → 23.3 → 23.9.8+ 

2. If you are not on maintenance and upgrading to 22.4.20001 (or your latest eligible version), please follow this specified upgrade path:  

2.1 → 2.5 → 3.1 → 4.4 → 5.4 → 19.2 → 22.4.20001 

For instructions on how to upgrade your on-premise installation click here. 

As a reminder and as part of the remediation process for on-prem partners—whether you have patched your server or still need to—it is critical to assess your systems for signs of impact while upgrading and before bringing any systems back online. 

To assist in the remediation and hardening process, we encourage you to review and follow the ConnectWise ScreenConnect Remediation and Hardening Guide by Mandiant for additional protection.  

Cloud partners 
Cloud partners are remediated against both vulnerabilities reported on February 19 (CVE-2024-1709, CVE-2024-1708). No further action is required from any cloud partner (“screenconnect.com” cloud and “hostedrmm.com”), but we recommend that you trust but verify. Take this opportunity to review your configuration, user accounts, and access logs to verify that everything aligns with what you would expect.
 
ScreenConnect agents are not directly impacted by this issue. As a best practice, partners should update their agents after a server upgrade, but it is not required to mitigate the vulnerability. Check the ConnectWise University for more information on reinstalling and upgrading an access agent. 

On-premise partners 
A patch is available to you if you are a self-hosted or on-premise partner; we urge you to update your servers to version 23.9.8 immediately to apply the patch. 

Link to patch: Download | ConnectWise ScreenConnect  

For instructions on updating to the newest release, please reference this doc: Upgrade an on-premise installation - ConnectWise

As a reminder and as part of the remediation process for on-prem partners—whether you have patched your server or still need to—it is critical to assess your systems for signs of impact while upgrading and before bringing any systems back online. 

If you possess enhanced Windows event logs or endpoint detection and response (EDR) solutions, thorough investigation should be conducted to identify any suspicious activity, including evidence of commands run from webshells or other indicators of compromise.  

If file anomalies or other indicators of compromise are identified, we highly recommend seeking assistance from external firms specializing in incident response and digital forensics. These firms possess the expertise necessary to effectively investigate and remediate security concerns.

Review file system, enhanced Windows event logs or EDR solutions for suspicious activity, such as webshell commands or other compromise indicators.  

Seek assistance from specialized incident response and forensics firms if potential impacted files are identified.  

To assist in the remediation and hardening process, we encourage you to review and follow the ConnectWise ScreenConnect Remediation and Hardening Guide by Mandiant for additional protection.  

There are many things that a partner can do to protect themselves. In this situation, the most important thing you can do is patch your instances immediately! 

As a reminder and as part of the remediation process for on-prem partners—whether you have patched your server or still need to—it is critical to assess your systems for signs of impact while upgrading and before bringing any systems back online. 

To assist in the remediation and hardening process, we encourage you to review and follow the ConnectWise ScreenConnect Remediation and Hardening Guide by Mandiant for additional protection.  

ConnectWise cloud operations and engineering teams worked together to mitigate all ConnectWise hosted cloud instances of ScreenConnect within 48 hours of validation of the critical vulnerability. ConnectWise was able to mitigate the issue for partners in ConnectWise hosted environments without requiring a version update, because of the nature of the critical vulnerability. We next focused on creating a new build that patched both reported vulnerabilities and deployed it to partners in all cloud hosted environments (version 23.9.8). Cloud partners were not required to update agents to remediate the vulnerabilities. Partners on version 23.9.8 or higher are considered patched. 

ScreenConnect clients (agents) are not directly impacted by this issue. This is because the identified vulnerabilities involve an authentication bypass and path traversal issues within the server software itself (unpatched ScreenConnect instances version 23.9.7 and below), rather than any vulnerabilities within the client software that is installed on end-user devices. As a best practice, partners should update their agents after a server upgrade, but it is not required to mitigate this vulnerability. Check the ConnectWise University for more information on reinstalling and upgrading an access agent. 

Once the vulnerability was validated on February 14, 2024, ConnectWise cloud operations and engineering teams worked together to mitigate all ConnectWise hosted cloud instances of ScreenConnect. Due to the nature of the critical vulnerability, ConnectWise was able to mitigate the issue for partners in ConnectWise hosted environments quickly without requiring a version update. In tandem, we focused on creating new builds that patched both reported vulnerabilities for the current stable release and for versions dating back to 2022. The goal was to provide an upgrade path to a patched release to as many on-prem partners as possible. It took more time to update and QA multiple older builds for on-prem, whereas our cloud environments managed by ConnectWise were standardized to a smaller list of more current releases. 

ScreenConnect version 23.9.10 is just the next release of ScreenConnect. The vulnerabilities were patched in versions 23.9.8 or higher. Partners on 23.9.8 or higher are considered patched for CVE-2024-1708 and CVE-2024-1709. New releases in the cloud will be returning to our normal rolling schedule moving forward. 

If you suspect your ScreenConnect software may be compromised, prioritize securing your systems. Follow your existing incident response playbook to isolate the affected servers and create backups to analyze later. Don't put those servers back online until they're thoroughly investigated, rebuilt, and secured with the latest patches. 

Remember, a compromised ScreenConnect server might not be the only point of entry. Your incident response should encompass your entire system to identify and address any broader security vulnerabilities. We encourage you to review and follow the ConnectWise ScreenConnect Remediation and Hardening Guide by Mandiant . 

Whether you have patched your server or still need to—it is critical to assess your systems for signs of impact before bringing any systems back online, upgrading your server, or migrating your server.  We encourage partners to review and follow the ConnectWise ScreenConnect Remediation and Hardening Guide by Mandiant for additional protection.   

Review the guide thoroughly and pay particular attention to the Internal Users on your on-prem server to verify that there are no unknown internal user accounts. Review file system, enhanced Windows event logs or EDR solutions for suspicious activity, such as web shell commands or other compromise indicators. Please seek assistance from specialized incident response and forensics firms if potential impacted files are identified.    

Partners can then follow our instructions to migrate to the cloud: Migrate to ScreenConnect Cloud from a Windows server - ConnectWise. Post migration, partners should verify agent counts, uninstall agents, and decommission the on-premises server. This should include removing DNS records and firewall rules allocated to the on-premises ScreenConnect server.

Licenses were paused for servers that have checked in using an unpatched version. You will be able to upgrade to the current/patched versions, and if the license is eligible for the installed version, it will automatically be restored by the license server. However, the key would still need to be valid for the version you're using. If the key is not valid, it will stay revoked, and you'd need to upgrade the key. To upgrade your on-prem license, click here.

ScreenConnect clients (agents) are not directly impacted by this issue. This is because the identified vulnerabilities involve an authentication bypass and path traversal issues within the server software itself (unpatched ScreenConnect instances version 23.9.7 and below), rather than any vulnerabilities within the client software that is installed on end-user devices. Partners have notified us that certain A/V vendors have flagged agents. These reports should be registered as false positives to your vendors, but we're also working with select vendors to fix the issue. 

We went to great lengths to contact partners and previous partners regarding this issue through multiple channels (e.g., email, Trust Center with RSS feed, blog, media/news outlets, channel advocates, social media, webinars, phone calls, community forums).  

We’ve heard reports that messages went to junk or spam folders. To avoid this in the future, please set rules that allow ConnectWise communication to hit your primary inbox—add no-reply@connectwise.com to your safe sender list to ensure these important communications are delivered to your inbox. 

In addition, please update your primary contact details by reaching out to your dedicated account manager. You can also ensure your email preferences are correctly configured in our online self-service ConnectWise Profile and Preference Center (learn more here). 

To ensure you receive the latest security-related communications from ConnectWise, we highly recommend subscribing to the RSS feeds from our Trust Center, which deliver real-time notifications of the latest security advisories and bulletins.

If you have confirmed that your primary contact information is accurate and you are still not receiving emails from our system, we kindly request that you share the primary contact email with us for further investigation. 

We encourage you to update your primary contact details by reaching out to your dedicated account manager. You can also ensure your email preferences are correctly configured in our online self-service ConnectWise Profile and Preference Center (learn more here).  

In addition, to avoid messages potentially going into a junk or spam folder, please set rules such as adding “no-reply@connectwise.com” to your safe sender list to ensure these important ConnectWise communications are delivered to the designated primary contact’s inbox.  

And if you have not done so yet, we highly recommend subscribing to the RSS feeds from our Trust Center to ensure you receive real-time notifications on the latest security advisories and bulletins. 

We apologize for any confusion. For cloud-hosted partners, including RMM/Command partners, while we communicated that there was no action needed, many believed they were still vulnerable because their ScreenConnect was showing a version older than 23.9.8. We took action to remediate the vulnerability for all cloud partners, but because partners did not have the new version installed, they thought they were still vulnerable. We rolled out full version upgrades to resolve this. Again, we apologize for any confusion and inconvenience our original message may have caused.

Some of our cloud-hosted partners (including RMM/Command partners) were concerned they were possibly compromised due to a brief downtime on February 21. This was due to an accelerated rollout of the formal patch version (23.9) to put us back on a proper release schedule. The average downtime for this was around 10 minutes.  

Check your Status/Overview page and review the Version Check. Review the Latest Eligible Version row; this will detail the latest version of ScreenConnect that your license permits you to upgrade to. 


Partners no longer under maintenance are eligible to install version 22.4.20001 at no additional cost, which will fix CVE-2024-1709, the critical vulnerability. However, this should be treated as an interim step. ConnectWise recommends updating to the latest release to get all the current security patches and therefore all partners should upgrade to 23.9.8 or higher using the upgrade path outlined above. 

For instructions on how to renew your license, please click here or contact our sales team at screenconnectsales@connectwise.com.   

As a reminder and as part of the remediation process for on-prem partners—whether you have patched your server or still need to—it is critical to assess your systems for signs of impact while upgrading and before bringing any systems back online. 

Once you have patched your on-prem instance of ScreenConnect to the latest version, you should review users with access to ScreenConnect, remove any that are not recognized, change passwords, and enable MFA.  

If you are using any extensions, please validate them and remove/add them again. Once all steps are completed, restart the server.

To assist in the remediation and hardening process, we encourage you to review and follow the ConnectWise ScreenConnect Remediation and Hardening Guide by Mandiant for additional protection.  

ScreenConnect clients (agents) are not directly impacted by this issue. This is because the identified vulnerabilities involve an authentication bypass and path traversal issues within the server software itself (unpatched ScreenConnect instances version 23.9.7 and below), rather than any vulnerabilities within the client software that is installed on end-user devices. As a best practice, partners should update their agents after a server upgrade, but it is not required to mitigate the vulnerability. Check the ConnectWise University for more information on reinstalling and upgrading an access agent. 

We are unaware of any confirmed connection between the ConnectWise ScreenConnect vulnerability disclosed on February 19, 2024, and the incident at Change Healthcare. 

Our internal reviews have yet to identify Change Healthcare as a ScreenConnect customer, and none of our extensive network of MSPs have come forward with any information regarding their association with Change Healthcare. 

You can read our official response to this question in its entirety here. 

We maintain a robust "shift left" security program with continuous and ongoing investments, such as embedded security champions, threat modeling, code review, automated scanning and fuzzing, and both internal and external dedicated application penetration testing. However, even with all those best practices in place, vulnerabilities can still be discovered. This is true for the software industry, as exemplified by industry events like Patch Tuesday (also known as Update Tuesday), which has been around for over 20 years. 

An additional focus is on continuously improving our vulnerability identification and response processes. A key component of this effort is our vulnerability disclosure program found on our Trust Center. This program highlights our commitment to collaborating with independent researchers, industry organizations, partners, and the greater community across the globe in identifying weaknesses in any technology and helps ensure that reported vulnerabilities are handled ethically and responsibly, playing a crucial role in prioritization for remediation. 

The recent vulnerabilities were reported through our vulnerability disclosure program, which demonstrates the effectiveness of this program. We continue to focus on preventing vulnerabilities and on how we respond, react, and keep you informed when they do occur.

To ensure you receive the latest security-related communications from ConnectWise, we highly recommend subscribing to the RSS feeds from our Trust Center, which deliver real-time notifications of the latest security advisories and bulletins.

If you have questions or need to report a security or privacy incident, please visit our ConnectWise Trust Center. You can also call our Partner InfoSec Hotline at 1-888-WISE911 to report a non-active security incident or a security vulnerability. 

We are communicating on many platforms to make sure you stay informed. However, our FAQ page will capture the latest frequently asked questions as this evolves. We also encourage you to go online to our Trust Center for the latest advisories and bulletins. For real-time updates, we recommend subscribing to the ConnectWise security bulletin RSS feed.

If you do not find what you are looking for here and you need additional assistance or have more questions, please go online to ConnectWise Home and open a case with our support team or email help@connectwise.com.