ConnectWise has patched a critical remote code execution (RCE) vulnerability in its ConnectWise Recover and R1Soft server backup manager technologies that could give attackers a way to compromise thousands of the company’s managed service provider (MSP) customers — and, in turn, their downstream clients.
In an alert Friday, ConnectWise said it had pushed out an automatic update to both the cloud and client instances of ConnectWise Server Backup Manager (SBM), and it urged customers of the R1Soft server backup manager to upgrade immediately to the new SBM v6.16.4 it released on Friday.
“We have informed our [customers] of the fix and encouraged those with on-premises instances of the impacted product to install the patch as soon as possible,” Patrick Beggs, CISO of ConnectWise, says in comments sent to Dark Reading. For most organizations using ConnectWise Recover, no further action is required at this point to protect against the vulnerability, but “R1Soft is self-managed; we encourage these [customers] to apply the patch quickly,” he says.
ConnectWise said it discovered the bug after security vendor Huntress informed the company about the issue and showed proof-of-concept code demonstrating how attackers could exploit the vulnerability to take complete control of affected systems. The company described the bug as one involving “improper neutralization of special elements in output used by a downstream component.” The vulnerability exists in ConnectWise Recover v2.9.7 and earlier versions and R1Sof SBM v6.16.3 and earlier versions.
In an Oct. 31 blog post, researchers from Huntress described the issue as tied to an authentication bypass vulnerability (CVE-2022-36537) in a previous version of the ZK Java library, bundled with ConnectWise’s server backup manager technology. A researcher from Germany-based security vendor Code White GmbH was the first to discover the vulnerability in the ZK library and report it to the maintainers of the framework in May 2022. Another researcher from the same company discovered that ConnectWise’s R1Soft SBM technology was using the vulnerable version of the ZK library and reported the issue to ConnectWise, Huntress said in its blog post. When the company did not respond in 90 days, the researcher teased a few details on how the flaw could be exploited, on Twitter.
Huntress’ researchers used the information in the tweet to replicate the vulnerability and refine the proof-of-concept. They found they could leverage the vulnerability to leak server private keys, software license information, system configuration files and eventually gain remote code execution in the context of a system superuser.
Huntresses’ researchers found they would gain code execution not just on vulnerable ConnectWise systems at MSP locations but all on all downstream registered endpoints. A Shodan scan showed more than 5,000 exposed ConnectWise server backup manager instances that were vulnerable to exploits. Considering that most of these systems were at MSP locations, the actual number of affected organizations is likely significantly higher, Huntress said.
Classic Software Supply Chain Threat
Caleb Stewart, security researcher at Huntress, says that the exploit chain that he and a trio of other researchers developed and reported to ConnectWise involved three main components: the original authentication bypass in the ZK library, RCE on the SBM, and RCE on connected clients.
According to Stewart, the researchers spent about three days on replicating the original vulnerability, and then reverse engineering the R1Soft application so it could be abused for a malicious purpose. Exploiting the vulnerability was complicated, Stewart says. “But [it was] feasible for someone to find and exploit in a matter of days if they knew what they were looking for.”
The vulnerability is another example of why developers and end customers need to be aware of security advisories for all software in their environment, Stewart says. “This is fundamentally a supply chain vulnerability — customer buys R1Soft SBM, which bundles ZK, which is vulnerable,” he says. “Once the severity was evident, I think ConnectWise did a great job at getting a patch out quickly.”
John Hammond, senior security researcher at Huntress and part of the team that analyzed the flaw, says the weaponized attack chain they developed could have a wide impact. “From an authentication bypass to full compromise, across not just one endpoint but a mass multiple, this is truly a ‘point-and-shoot’ exploit with the potential for widespread effects,” he says.
Beggs from ConnectWise did not directly respond to a Dark Reading question about why the company did not respond to the original disclosure of the flaw by the researcher at Code White. But one issue could have been the fact that the researcher did not disclose it via the company’s usual channel for submitting bug disclosures and security concerns.
“We have long vouched for our Trust Center as the most effective channel to submit security concerns,” he says, Queries submitted through other channels do not always get the attention they deserve, Beggs notes.
“In this case,” he adds, “Huntress did an admirable job of demonstrating just how dangerous this potential vulnerability could have been, treated the issue responsibly by showing it to us directly, and gave us time to update our products.”