Hanslovan‘s team started Tuesday morning to see if they could recreate the exploits, and discovered that in some cases they could. I would give it an 8 out of 10 on the severity rating.” “These are real vulnerabilities, found by real vulnerability researchers and our community could use a lot more of it … This could have allowed a hacker to gain remote access if they targeted the right administrator.
![connectwise desktop client connectwise desktop client](https://carlosthomas.net/blog/wp-content/uploads/2021/02/05-Essentials.png)
The channel usually doesn’t get this type of exposure because the types of people like Bishop Fox are usually working for the largest companies in the world,” said Kyle Hanslovan, CEO of Huntress Labs. “This is no-nonsense, high-quality offensive security research. “ConnectWise takes the stance that the final item identified by Bishop Fox does not pose a credible threat to users of the product.”Īt CRN’s request, independent researchers at Huntress Labs, a provider of managed breach detection for MSPs, examined Bishop Fox’s vulnerability report to see if it accurately characterized the flaws that it claims to have found. “Within the next two weeks we will resolve a seventh item that is much lower in risk,” the company said. On January 21, 2020, ConnectWise said it again ran its own tests on “6 of the 8 items referenced in the Bishop Fox report and we can affirm that they are secure.” With an overabundance of caution, we resolved 6 of the 8 items Bishop Fox listed in their report by October 2, 2019.” “We appreciated the insights and based on their report, we did our own internal research and evaluation and addressed the points they raised in their review. “ConnectWise takes the security of our products and our partners very seriously,” the company said in the statement. We certainly did.”ĬonnectWise in a statement provided to CRN said that both it and Bishop Fox “agreed that no active exploits had occurred from these potential vulnerabilities.”
![connectwise desktop client connectwise desktop client](https://images.g2crowd.com/uploads/attachment/file/80338/Control-HostClient-Misc.jpg)
That doesn’t mean we didn’t take them seriously. “They provided conceptual ideas of how they might be exploited, but they wouldn’t or couldn’t provide us with any specific examples. “The vulnerabilities they reported to us didn’t really provide a proof of exploitation,” he said. If RMM tools are not architected or configured properly, MSPs can expose themselves and their customers to a “whole bunch of different security concerns,” said Wood.ĬonnectWise Director of Security Tom Greco Tuesday told CRN that ConnectWise’s engineers have patched 75 percent of the flaws that Bishop Fox identified, despite its difficulty in reproducing them. The “attack chaining” can result in either “forgery vulnerabilities” on the ConnectWise Control server or a client desktop breach that opens the door to the “endpoint” device itself, according to Bishop Fox, which bills itself as the largest private services firm focused on “offensive security testing.”ĬonnectWise Control is among the most popular MSP tools, with at least 100,000 users managing millions of endpoints around the globe, according to ConnectWise.īishop Fox indicated that it is also looking for potential security flaws in other remote monitoring and management tools for MSPs.
![connectwise desktop client connectwise desktop client](https://media.itpro.co.uk/image/upload/s--X-WVjvBW--/f_auto,t_content-image-full-desktop@1/v1570817229/itpro/2018/10/connectwise_control_6.7_.jpg)
We call them basically attack chaining,” said Wood.
![connectwise desktop client connectwise desktop client](https://metaeagle.co.uk/wp-content/uploads/2020/03/Screen-Shot-2020-03-18-at-1.05.53-PM.png)
“The flaws in general, they’re serious in their own right, but when you start taking a look at chaining the vulnerabilities together.
Connectwise desktop client code#
The eight flaws named by Bishop Fox are: cross-site scripting, CORS (Cross-Origin Resource Sharing) misconfiguration, cross-site request forgery, information disclosure, remote code execution, user enumeration, missing security headers and insecure cookie scope. He deemed them severe enough to rate them as critical, and the attack chain so bad that we had to report them,” Bishop Fox Associate Vice President of Consulting Daniel Wood told CRN.Ĭhaining the vulnerabilities “would allow an attacker to execute arbitrary code on a victim’s Control server, as well as gain control of any client machines connected to a victim’s Control instance,” according to a post from Bishop Fox on what it calls the ConnectWise Critical (Zero-Day) Vulnerability Disclosure. “One of our security researchers found these vulnerabilities. Using multiple security flaws in ConnectWise Control, hackers could create an “attack chain” that gives cyber-criminals the ability to hijack an MSP’s systems as well as their customers’ devices, security consultant Bishop Fox plans to announce Wednesday.