ConnectWise Automate Flaws Potential Threat to MSPs, Customers

By | Managed Services News

Jul 16

On-premises ConnectWise Automate customers could still be in danger if they haven’t yet patched.

An MSP has discovered two critical vulnerabilities in ConnectWise Automate that posed threats to MSPs and their customers if successfully exploited by hackers.

According to ConnectWise’s latest security bulletins, a vulnerability exists in a ConnectWise Automate API that could potentially allow a remote user to make modifications within an individual Automate instance. Each time a program runs, it is an instance of that program.

In addition, a vulnerability exists in an Automate API that could potentially allow a remote user to execute arbitrary tasks, such as updating data in a database or retrieving data from a database, against an individual Automate instance.

Both vulnerabilities affect on-premises and cloud-based versions of the product.

Potential Impact

Jason Slagle, vice president of technology at CNWR, a Toledo, Ohio-based MSP, discovered the flaws.

CNWR's Jason Slagle

“The discovery was made by doing a review of the server side Automate code,” he said. “They are different from the vulnerabilities discovered last month; however, those vulnerabilities are what caused me to review.”

Utilizing the two vulnerabilities, full control of any computer in the Automate instance is possible, Slagle said. If the Automate server manages itself, it could also be compromised, he said.

“Exploited successfully, admin access can be granted to the Automate instance,” he said. “ConnectWise has done a good job at remediating the issues I sent them. They also remediated several other places in the code that were somewhat suspect after I had a call with them. I’m confident and have tested that the fixes in place resolve the issues I sent them.”

That said, partners who have not patched are very much at risk, Slagle said.

“As best as I’ve been able to work out, there is no workaround for the vulnerability,” he said. “One of the reasons I’m not releasing much information on the authentication bypass is the risk to unpatched partners. As MSPs, we’re trusted by our partners to manage their systems, and if we’re not paying attention to our own things, that’s a shame. ConnectWise has had an active campaign to work with partners to upgrade and have even offered a free patch to 2019.12 for partners who don’t even have support.”

Remediation Work

Tom Greco is ConnectWise’s director of information security. He said after Slagle disclosed the vulnerabilities, they began working together on remediation.

ConnectWise's Tom Greco

“And in under a week, we were able to develop the patches fully deployed to our cloud and send targeted communications urging on-premises partners to implement the patches as well,” he said. “Because this is responsibly disclosed, there’s no indication of any exploitation of these issues. But nonetheless, we took the pace as if there was because we always put the security of our partners as the top priority in all the decisions we make when we do remediation and communication on those remediations.”

ConnectWise can monitor the number of partners that have adopted the patches, Greco said. That data is used to gauge whether additional action is needed.

“We address these issues as quickly as possible,” he said. “We get the patches and the fixes out to our customers. We work with them directly to make sure that they’re safe, and then we time our disclosures in our bulletins such that they pose the least amount of risk to our partners.”

Companies providing remote monitoring and management (RMM) services are viewed as …
