ConnectWise Control Broken Access Control

06/15/2021
Products: ScreenConnect
Severity: Important
Priority: 2 - Moderate

Vulnerability

CWE-285 – ConnectWise Control Broken Access Control

Severity

Important - Vulnerabilities that could compromise confidential data or other processing resources but require additional access / privilege to do so.

Priority

2 - Vulnerabilities that have elevated risk but exploits are neither known nor anticipated to be imminent.  Recommend updates within normal change management timelines but no longer than 30 days.

Affected Versions

21.6 and earlier

Remediation

CLOUD:

Cloud instances are being updated on a rolling schedule, but Cloud Account Admins can manually apply this update through cloud.screenconnect.com.

Follow these steps to upgrade: https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Cloud_portal/Instances_page/Upgrade_a_cloud_instance

ON-PREMISE:

Please note there are some actions you need to take in order to apply this update: 

  1. Navigate to your Administration/License page. 
  2. Expand the Version Check box. 
  3. If you are on 21.6 or an earlier version, you should install the latest build for your current version to receive the latest security updates.
    • If your license is out of maintenance, you must upgrade your license before installing the latest supported release of Control.
  4. Visit our Download page. Download the 21.7 version installation.
  5. Follow these steps to upgrade: https://docs.connectwise.com/ConnectWise_Control_Documentation/On-premises/Get_started_with_ConnectWise_Control_On-Premise/Upgrade_an_on-premises_installation

Partners who do not wish to upgrade can remediate this issue by removing the global permission RunCommandOutsideSession from AllSessionGroups and applying it only to Support and Access session types or groups as needed.

Documentation for how to modify roles is available in the University at this link:

https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Administration_page/Security_page/Define_user_roles_and_permissions

Additional Info

https://home.connectwise.com/securityBulletin/60c8cc00508a120001cb6e77

Software Updates

Refer to the Remediation section