Bishop Fox Discovers Eight Vulnerabilities in ConnectWise: Patching a Managed Service Provider
Cybersecurity firm Bishop Fox identified eight vulnerabilities in ConnectWise's remote control and remote access software. Bishop Fox, with additional confirmation by threat-hunting organization Huntress Labs, found the vulnerabilities in September of 2019. Until last week, Bishop Fox kept the vulnerabilities confidential, giving ConnectWise the time to make the necessary adjustments as per Bishop Fox's vulnerability disclosure model.
Source: (link not captured), Accessed January 28th, 2020
While the Bishop Fox report includes a full timeline of the events, the vulnerabilities may have existed prior to the dates identified. By chaining a combination of the eight vulnerabilities, an attacker could execute arbitrary code on a target's Control Server. Through this, they could gain control of additional machines connected to the target's Control instance.
According to Bishop Fox, while ConnectWise has released several updates since the initial September disclosure to the company, ", and ."
Eight vulnerabilities were outlined in the Bishop Fox report:
| Discovered Vulnerability | Associated Risk Level |
| --- | --- |
| Cross-Site Request Forgery (CSRF) | Critical Risk |
| Cross-Site Scripting (XSS) | High Risk |
| Cross-Origin Resource Sharing (CORS) Misconfiguration | High Risk |
| Remote Code Execution | High Risk |
| Information Disclosure | Medium Risk |
| User Enumeration | Low Risk |
| Missing Security Headers | Low Risk |
| Insecure Cookie | Low Risk |
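Three of the classes in the table (the CORS misconfiguration, the missing security headers and the insecure cookie) can be checked by an operator directly against the responses their own Control server returns. The script below is an added example written for this review, not code from Bishop Fox, ConnectWise or the original report; the set of required headers, the finding messages, the probe origin and the two constructed responses are illustrative assumptions, and the checks are generic response-hygiene checks rather than a reproduction of the specific ConnectWise findings.

```python
"""Audit a captured HTTP response head for missing security headers,
insecure cookie attributes and permissive CORS.
Added example for this review; not code from Bishop Fox, ConnectWise or the page.
"""

# Headers a browser-facing control console should send. The messages are an
# auditor's finding text (assumed wording, not the page's).
REQUIRED_HEADERS = {
    "strict-transport-security": "no HSTS: clients can be downgraded to plain HTTP",
    "content-security-policy": "no CSP: nothing limits injected script (XSS)",
    "x-content-type-options": "no X-Content-Type-Options: MIME sniffing allowed",
    "x-frame-options": "no X-Frame-Options: page can be framed (clickjacking)",
}


def parse_head(raw: str):
    """Return (status_line, [(name_lower, value), ...]) from a raw response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def check_cookie(set_cookie: str):
    """Flag a Set-Cookie value that lacks Secure, HttpOnly or a SameSite policy."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip().lower()
    problems = []
    if "secure" not in attrs:
        problems.append(f"cookie {name}: missing Secure (sent over plain HTTP)")
    if "httponly" not in attrs:
        problems.append(f"cookie {name}: missing HttpOnly (readable by injected script)")
    if attrs.get("samesite", "") in ("", "none"):
        problems.append(f"cookie {name}: SameSite absent or None (sent cross-site, CSRF risk)")
    return problems


def check_cors(headers, probe_origin: str):
    """Flag CORS responses that let an arbitrary origin read credentialed responses."""
    h = dict(headers)
    acao = h.get("access-control-allow-origin", "")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    problems = []
    if acao == "*" and creds:
        problems.append("CORS: wildcard origin combined with credentials")
    elif acao == probe_origin and creds:
        problems.append(f"CORS: probe origin {probe_origin} reflected with credentials")
    return problems


def audit_response(raw: str, probe_origin: str = "https://untrusted.example"):
    """Return the list of findings for one response; an empty list means clean."""
    _, headers = parse_head(raw)
    present = {name for name, _ in headers}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in present]
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(check_cookie(value))
    findings.extend(check_cors(headers, probe_origin))
    return findings


# Constructed sample responses (not captured from any real server).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Access-Control-Allow-Origin: https://untrusted.example\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "\r\n<html></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or "no findings")
```

The weak constructed response produces eight findings (four missing headers, three cookie attributes, one reflected CORS origin) and the hardened one produces none. The CORS check deliberately requires the probe origin to be passed in, because whether a reflected origin is a problem depends on what the server was asked for; a response that echoes any origin together with `Access-Control-Allow-Credentials: true` is the pattern to look for.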
To confirm Bishop Fox's findings, Huntress Labs was contacted to conduct testing on ConnectWise. Both Huntress Labs and Bishop Fox came to the same conclusion about the compromised security status of ConnectWise. In direct response to the Bishop Fox report, ConnectWise released its own internal evaluation. ConnectWise is working on addressing the vulnerabilities outlined within the Bishop Fox report.
Our Take
Software bugs are common to many programs, and even the best-maintained programs will find themselves running into problems. It will be more important to see what ConnectWise pursues as its next step. It is promising to see that the vendor conducted an inquiry into the vulnerabilities through a third-party consulting firm. By using GuidePoint to conduct a white hat analysis of its programs, ConnectWise can map the GuidePoint investigation with the report released by Bishop Fox to plan its path forward.
Furthermore, ConnectWise launched a security alert website. This site helps its Of the eight identified vulnerabilities, ConnectWise has addressed six currently and announced the progress through the site. It is currently working at addressing the final two vulnerabilities and has outlined the steps it plans to take.
While there is contention between the stories of Bishop Fox and ConnectWise on the timeline of the events, the results from ConnectWise are action-oriented and dedicated to addressing the problems.
Info-Tech's SoftwareReviews has collected user reviews on ConnectWise and its Automate program. Check out the full report to see how other users have rated ConnectWise and their experiences with the company. Additionally, learn how to better assess vendors with the help of Info-Tech.
Want to Know More?
ConnectWise Automate at SoftwareReviews
Develop and Implement a Security Incident Management Program