ConnectWise has fixed a high-severity vulnerability affecting a ConnectWise Automate API and is urging users who run the solution on their premises to implement the provided hotfixes.
About ConnectWise Automate and the vulnerability
ConnectWise is a provider of business automation solutions for managed services providers (MSPs) and IT solution providers.
ConnectWise Automate is a software suite IT support technicians use to remotely monitor and manage customers’ assets (servers and workstations).
“A remote authenticated user could exploit a vulnerability in a specific Automate API and execute commands and/or modifications within an individual Automate instance,” the company shared in a security bulletin. Effectively, this could allow attackers to run commands on endpoints, create new users, and so on.
The vulnerability affects on-premise and cloud instances of ConnectWise Automate versions 2020.5 and earlier.
ConnectWise has applied the hotfixes and hardening measures required to plug the security holes and is urging on-premise partners to do the same based on their Automate instance version.
Those who still use ConnectWise Automate versions 2019.11 or older are urged to implement provided mitigation steps and to update to a supported version.
ConnectWise has been working on the hotfixes since last week and continued releasing them through Saturday. The first hotfixes were a temporary stopgap, so users are advised to review the security advisory and make sure they have applied all of the hotfixes.
“To protect our customers, ConnectWise does not publicly disclose or confirm security vulnerabilities until ConnectWise has conducted an analysis of the product and has issued fixes and/or mitigations,” the company noted.
“Alternative tools and processes are used, where appropriate, when targeted or discrete communication with entitled customers is required.”
Earlier this year, Bishop Fox researchers flagged eight vulnerabilities in ConnectWise Control, the company’s remote control and access solution. Seven of the vulnerabilities were subsequently remediated, and the remediation was confirmed.
UPDATE (June 22, 2020, 5:15 a.m. PT):
The vulnerability is being actively exploited in the wild to deploy ransomware on ConnectWise partners’ systems. It also seems that the hotfixes provided to date do not block all vectors of attack.
ConnectWise is investigating the matter and will likely come up with new hotfixes soon, so ConnectWise Automate users should keep an eye out for security advisories and updates.