Bishop Fox Discovers Eight Vulnerabilities in ConnectWise: Patching a Managed Service Provider
Cybersecurity firm Bishop Fox identified eight vulnerabilities in ConnectWise’s remote control and remote access software. Bishop Fox, with additional confirmation by threat-hunting organization Huntress Labs, found the vulnerabilities in September of 2019. Until last week, Bishop Fox kept the vulnerabilities confidential, giving ConnectWise the time to make the necessary adjustments as per Bishop Fox’s vulnerability disclosure model.
[Image] Source: ConnectWise, accessed January 28th, 2020
[Image] Source: Bishop Fox, accessed January 28th, 2020
While Bishop Fox’s report includes a full timeline of the events, the vulnerabilities may have existed prior to the dates identified. By chaining a combination of the eight vulnerabilities, an attacker could execute arbitrary code on a target's Control Server. Through this, they could gain control of additional machines connected to the target's Control instance.
According to Bishop Fox, while ConnectWise has released several updates since the initial September disclosure to the company, “the only vulnerability that was addressed was the user enumeration vulnerability, and the release notes from ConnectWise make no mention of other identified security issues.”
Eight vulnerabilities were outlined in the Bishop Fox report:
Discovered Vulnerability | Associated Risk Level
Cross-Site Request Forgery (CSRF) | Critical Risk
Cross-Site Scripting (XSS) | High Risk
Cross-Origin Resource Sharing (CORS) Management | High Risk
Remote Code Execution | High Risk
Information Disclosure | Medium Risk
User Enumeration | Low Risk
Missing Security Headers | Low Risk
Insecure Cookie | Low Risk
To confirm Bishop Fox’s findings, Huntress Labs was contacted to conduct testing on ConnectWise. Both Huntress Labs and Bishop Fox came to the same conclusion about the compromised security status of ConnectWise. In direct response to the Bishop Fox report, ConnectWise released its own internal evaluation, as well as an evaluation from third-party consultant GuidePoint. ConnectWise is working on addressing the vulnerabilities outlined within the Bishop Fox report.
Our Take
Software bugs are common to many programs, and even the best-maintained programs will run into problems. What matters more is what ConnectWise pursues as its next step. It is promising to see that the vendor commissioned an inquiry into the vulnerabilities through a third-party consulting firm. By using GuidePoint to conduct a white hat analysis of its programs, ConnectWise can map the GuidePoint investigation against the report released by Bishop Fox to plan its path forward.
Furthermore, ConnectWise launched a security alert website. This site helps its partners track security-related statements, patches, and compliance. Of the eight identified vulnerabilities, ConnectWise has addressed six so far and announced the progress through the site. It is currently working on addressing the final two vulnerabilities and has outlined the steps it plans to take.
While there is contention between the stories of Bishop Fox and ConnectWise on the timeline of the events, the results from ConnectWise are action-oriented and dedicated to addressing the problems.
Info-Tech’s SoftwareReviews has collected user reviews on ConnectWise and its Automate program. Check out the full report to see how other users have rated ConnectWise and their experiences with the company. Additionally, learn how to better assess vendors with the help of Info-Tech.
Want to Know More?
ConnectWise Automate at SoftwareReviews
Develop and Implement a Security Incident Management Program