ACTION REQUIRED:
Critical ScreenConnect Vulnerabilities (CVE-2024-1709 & CVE-2024-1708)
Feb 22, 2024
Please see ConnectWise Vulnerabilities below.
ConnectWise ScreenConnect
Authentication Bypass Using an Alternate Path or Channel vulnerability
ConnectWise ScreenConnect 23.9.7 and prior are affected by an authentication bypass using an alternate path or channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) vulnerability
ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.
Recommended Action
ConnectWise highlights the essential need to respond quickly to reported vulnerabilities, adding, “On-premise partners are advised to immediately upgrade to the latest version of ScreenConnect to remediate against reported vulnerabilities.”
Cloud partners, by contrast, are remediated against both vulnerabilities reported on February 19.
This advice underscores the need for on-premise partners to act immediately to protect the security and integrity of their ScreenConnect servers. ConnectWise has also released ScreenConnect version 23.9.10.8817, which includes several changes aimed at improving the customer experience and resolving the identified vulnerabilities. In addition, ConnectWise has removed licensing restrictions, so partners who are not under maintenance can upgrade to the most recent version of ScreenConnect without restriction, making these security fixes available to all partners.
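To act on the upgrade advice across more than one server, the version thresholds above can be applied to an inventory. The following is an added example, not code from ConnectWise or from this advisory; the status names, hostnames and sample build numbers are assumptions made for illustration.

```python
# Added example (not ConnectWise or Cornerstone.IT code): triage an inventory of
# on-premise ScreenConnect servers against the versions named in this advisory.
import re

LAST_AFFECTED = (23, 9, 7)         # advisory: "23.9.7 and prior are affected"
FIXED_RELEASE = (23, 9, 10, 8817)  # advisory: release resolving the vulnerabilities

def parse_version(text):
    """Return (major, minor, patch, build) as ints, or None if malformed.
    A missing build number is treated as 0, which errs toward 'upgrade'."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\s*", text or "")
    if not m:
        return None
    return tuple(int(p or 0) for p in m.groups())

def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "unknown"                 # unreadable version: check by hand
    if v[:3] <= LAST_AFFECTED:
        return "affected"                # in the range the advisory lists
    if v < FIXED_RELEASE:
        return "behind-fixed-release"    # not listed as affected, still outdated
    return "current"

def triage(inventory):
    """Group hostnames by status; inventory maps hostname -> version string."""
    report = {"affected": [], "behind-fixed-release": [], "current": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        report[classify(version)].append(host)
    return report

# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE_INVENTORY = {
    "sc-01.example.internal": "23.9.7.1111",
    "sc-02.example.internal": "22.10.3",
    "sc-03.example.internal": "23.9.8.2222",
    "sc-04.example.internal": "23.9.10.8817",
    "sc-05.example.internal": "not installed?",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:22} {', '.join(hosts) or '-'}")
```

Servers reported as "unknown" should be checked by hand rather than assumed safe.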
Original Sources
- https://unit42.paloaltonetworks.com/connectwise-threat-brief-cve-2024-1708-cve-2024-1709
- https://www.logpoint.com/en/blog/emerging-threats/screenconnect-authentication-bypass
Contact Cornerstone.IT for assistance with this or any other technology or security needs.