If your organization uses ConnectWise Control to remotely manage endpoints, this article should be very important to you.
Professional services and security testing firm Bishop Fox says it discovered eight vulnerabilities while researching the ConnectWise Control product.
The firm has privately reached out to ConnectWise to inform the company of the vulnerabilities in its popular remote management solution.
During the research process, we read in news reports that ConnectWise products had been exploited in a ransomware attack in Texas. Without knowing whether the attack was facilitated by the vulnerabilities we discovered, Bishop Fox separately reached out to the Federal Bureau of Investigation and the local Texas field office to provide details on the discovered vulnerabilities in case this information could be of use to the investigation into the ransomware incident.
According to Bishop Fox, the vulnerabilities could allow an attacker to execute arbitrary code on a victim’s Control service and gain control of client machines connected to a victim’s Control instance.
The vulnerabilities were confirmed by threat detection firm Huntress Labs.
Bishop Fox was unable to say whether or not the vulnerabilities were used to carry out the Texas ransomware attack.
According to CRN, ConnectWise has been tied to several 2019 security breaches, including the Wipro hack and another in August that resulted in 22 municipal websites in cities and towns across Texas.
In a statement provided to other media outlets like MSSP Alert, ConnectWise said it resolved six of the eight items Bishop Fox identified and will shortly resolve another that it deems a “much lower risk.”
The eighth item does not pose a credible threat, the company said.
Here’s the company’s full statement, as published on MSSP Alert:
“In late September, ConnectWise received notification from a company known as Bishop Fox, an organization that operates as a consultant in the security space, stating they had identified vulnerabilities in ConnectWise Control. We had several conversations with Bishop Fox and asked for further information to assist in replicating their findings and thus facilitate any necessary improvements to our product.
Bishop Fox could not provide additional information as the attack chain for the exploits they outlined were conceptual. In addition, both Bishop Fox and ConnectWise agreed that no active exploits had occurred from these potential vulnerabilities.
ConnectWise takes the security of our products and our partners very seriously. We appreciated the insights and based on their report, we did our own internal research and evaluation and addressed the points they raised in their review. With an overabundance of caution, we resolved 6 of the 8 items Bishop Fox listed in their report by October 2, 2019.
On January 21, 2020, ConnectWise again ran our own tests on 6 of the 8 items referenced in the Bishop Fox report and we can affirm that they are secure. Within the next two weeks we will resolve a seventh item that is much lower in risk. ConnectWise takes the stance that the final item identified by Bishop Fox does not pose a credible threat to users of the product.
ConnectWise looks at security as a dynamic threat and will continue to work to optimize security for our partners and community. We encourage partners and colleagues to contact us at firstname.lastname@example.org with any questions or to report any issues.”