An MSP has discovered two critical vulnerabilities in ConnectWise Automate that posed threats to MSPs and their customers if successfully exploited by hackers.

On-premises ConnectWise Automate customers could still be in danger if they haven’t yet patched.

According to ConnectWise’s latest security bulletins, a vulnerability exists in a ConnectWise Automate API that could potentially allow a remote user to make modifications within an individual Automate instance. Each time a program runs, it is an instance of that program.

In addition, a vulnerability exists in an Automate API that could potentially allow a remote user to execute arbitrary tasks, such as update data on a database, or retrieve data from a database, against an individual Automate instance.

Both vulnerabilities affect on-premises and cloud-based versions of the product.

Potential Impact

Jason Slagle, vice president of technology at CNWR, a Toledo, Ohio,-based MSP, discovered the flaws.

CNWR’s Jason Slagle

“The discovery was made by doing a review of the server side Automate code,” he said. “They are different from the vulnerabilities discovered last month; however, those vulnerabilities are what caused me to review.”

Utilizing the two vulnerabilities, full control of any computer in the Automate instance is possible, Slagle said. If the Automate server manages itself, it could also be compromised, he said.

“Exploited successfully, admin access can be granted to the Automate instance,” he said. “ConnectWise has done a good job at remediating the issues I sent them. They also remediated several other places in the code that were somewhat suspect after I had a call with them. I’m confident and have tested that the fixes in place resolve the issues I sent them.”

That said, partners who have not patched are very much at risk, Slagle said.

“As best as I’ve been able to work out, there is no workaround for the vulnerability,” he said. “One of the reasons I’m not releasing much information on the authentication bypass is the risk to unpatched partners. As MSPs, we’re trusted by our partners to manage their systems, and if we’re not paying attention to our own things, that’s a shame. ConnectWise has had an active campaign to work with partners to upgrade and have even offered a free patch to 2019.12 for partners who don’t even have support.”

Remediation Work

Tom Greco is ConnectWise‘s director of information security. He said after Slagle disclosed the vulnerabilities, they began working together on remediation.

ConnectWise’s Tom Greco

“And in under a week, we were able to develop the patches fully deployed to our cloud and send targeted communications urging on-premises partners to implement the patches as well,” he said. “Because this is responsibly disclosed, there’s no indication of any exploitation of these issues. But nonetheless, we took the pace as if there was because we always put the security of our partners as the top priority in all the decisions we make when we do remediation and communication on those remediations.”

ConnectWise can monitor the number of partners that have adopted the patches, Greco said. And that data gauges whether one needs to take additional action.

“We address these issues as quickly as possible,” he said. “We get the patches and the fixes out to our customers. We work with them directly to make sure that they’re safe, and then we time our disclosures in our bulletins such that they pose the least amount of risk to our partners.”

Companies providing remote monitoring and management (RMM) services are viewed as …

… prime targets by cybercriminals, he said.

“It’s the industry that were in and certainly the nature of any RMM product,” Greco said. “It’s a multiplier. If you can access one computer, that’s one thing. If you can access multiple computers as an attacker, then that’s better. So if you can figure out a way to do that with the fewest steps possible, that tends to be why attackers favor or seemingly target RMMs versus going after the myriads of end computers directly.”

Race Against Time

Kyle Hanslovan is Huntress Labs‘ CEO and co-founder. With vulnerabilities like this, it’s a race against time, he said. You must provide patches and fixes before hackers discover and exploit them.

Huntress Labs’ Kyle Hanslovan

“But that could go into another one of those situations that once information about this becomes public … then hackers can use that public information to work backward to exploit,” he said. “There actually is a pretty broad campaign right now going against ConnectWise Automate clients where hackers are doing reconnaissance, gathering information on these ConnectWise Automate customers, and even sometimes gathering information that would be useful in future attacks against them. All of that’s kind of transpired over the last month.”

MSPs typically lose 10-20% of their clients when they’re hit with ransomware, Hanslovan said.

“But the real risk is that they run of going out of business is when the lawsuits happen,” he said. “So the real responsibility is, you should proactively let your partners know you might have patched, but I’m showing you’re still not patched, so you need to rerun it again or try again because clearly something didn’t work. Maybe there’s more that vendors could be doing.”

To further detect and remediate flaws, ConnectWise will soon launch a bug bounty program and vulnerability disclosure program, Greco said.

“Both of those are aimed directly at bringing in a more formal way to be able to address things more thoroughly and quickly,” he said. “Anything that’s coming from the community, whether that’s partners or independent security researchers, you name it, that is absolutely part of it. Certainly you don’t rely on that solely, but every bit helps the layered security approach. And that goes right back to the point where you can never stop improving.”