Connectwise Screenconnect: High-risk code injection vulnerability
In Connectwise Screenconnect, the manufacturer is closing a code injection vulnerability classified as high risk with an update.
The remote desktop software Screenconnect from Connectwise contains a security vulnerability that allows attackers to inject and execute malicious code. The manufacturer is offering software updates to close the vulnerability.
Connectwise warns of the vulnerability in a security notice. A CVE entry is missing so far, but according to the description, a so-called ViewState code injection vulnerability allows attackers to inject and execute malicious code. The risk assessment gives a CVSS score of 8.8, risk "high", and thus only just misses the classification as critical. Web forms in ASP.NET use ViewState to save and control the state of a web page. The system encodes the data required for this with Base64 and protects it with encryption using machine-wide keys.
Restrictions on exploitability
In order to gain access to these machine keys, attackers must first obtain elevated access rights, Connectwise explains further. If the machine keys are compromised, attackers can generate malicious ViewStates for the website and use them to execute malicious code from the network on the server.
The update to Screenconnect 25.2.4 or newer fixes the vulnerability and is available on the Connectwise download page. It simply deactivates ViewState and removes the dependencies on it. The security notice also provides further information, for example on version checking or how to update on-premises systems with and without active maintenance. IT managers should apply the update quickly due to the severity of the vulnerability.
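For administrators of ASP.NET applications in general, the following added example (not code from Connectwise or from this article) audits a web.config for the two conditions described above: machine keys stored as literal values and ViewState still enabled. The sample configurations, the placeholder key and the finding names are constructed for illustration; the attribute names are standard ASP.NET settings.

```python
import xml.etree.ElementTree as ET

# Constructed samples, not taken from any real installation.
WEAK = """<configuration>
  <system.web>
    <machineKey validationKey="CONSTRUCTED-PLACEHOLDER-KEY"
                decryptionKey="AutoGenerate,IsolateApps" />
    <pages enableViewState="true" enableViewStateMac="false" />
  </system.web>
</configuration>"""

HARDENED = """<configuration>
  <system.web>
    <pages enableViewState="false" />
  </system.web>
</configuration>"""


def audit_viewstate_config(xml_text):
    """Return sorted finding codes for the <system.web> sections present."""
    findings = set()
    root = ET.fromstring(xml_text)
    # <system.web> can sit at top level or inside <location> elements.
    for web in root.iter("system.web"):
        key = web.find("machineKey")
        if key is not None:
            for attr in ("validationKey", "decryptionKey"):
                # A literal key is readable by anyone who can read the file.
                if not key.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                    findings.add("static-" + attr)
        pages = web.find("pages")
        attrs = pages.attrib if pages is not None else {}
        # ASP.NET defaults: ViewState on, MAC on, encryption mode Auto.
        if attrs.get("enableViewState", "true").lower() != "false":
            findings.add("viewstate-enabled")
        if attrs.get("enableViewStateMac", "true").lower() == "false":
            findings.add("viewstate-mac-disabled")
        if attrs.get("viewStateEncryptionMode", "Auto").lower() == "never":
            findings.add("viewstate-encryption-never")
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_viewstate_config(cfg))
```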
At the end of February 2024, criminals abused a vulnerability in Connectwise Screenconnect and used it to distribute ransomware. Proof-of-concept exploit code appeared on the internet shortly beforehand. That vulnerability, however, had been classified as a critical risk with the highest rating of CVSS 10.0.
(dmk)