
Bishop Fox Discovers Eight Vulnerabilities in ConnectWise: Patching a Managed Service Provider

Cybersecurity firm Bishop Fox identified eight vulnerabilities in ConnectWise's remote control and remote access software, ConnectWise Control. Bishop Fox found the vulnerabilities in September 2019, and threat-hunting firm Huntress Labs later confirmed them. Until last week, Bishop Fox kept the vulnerabilities confidential, giving ConnectWise time to remediate them in line with Bishop Fox's vulnerability disclosure policy.

Source: Connectwise, Accessed January 28th, 2020

Source: Bishop Fox, Accessed January 28th, 2020

While Bishop Fox's report includes a full timeline of events, the vulnerabilities may have existed before the dates identified. By chaining several of the eight vulnerabilities, an attacker could execute arbitrary code on a target's ConnectWise Control server and, from there, take control of the endpoints managed by that Control instance.

According to Bishop Fox, although ConnectWise has released several updates since the initial September disclosure to the company, "the only vulnerability that was addressed was the user enumeration vulnerability, and the release notes from ConnectWise make no mention of other identified security issues."

Eight vulnerabilities were outlined in the Bishop Fox report (discovered vulnerability, followed by its associated risk level):

Cross-Site Request Forgery (CSRF): Critical Risk
Cross-Site Scripting (XSS): High Risk
Cross-Origin Resource Sharing (CORS) Misconfiguration: High Risk
Remote Code Execution: High Risk
Information Disclosure: Medium Risk
User Enumeration: Low Risk
Missing Security Headers: Low Risk
Insecure Cookie: Low Risk
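Three of the classes in that list (a permissive CORS policy, missing security headers, and cookies set without protective attributes) can be spotted directly in a single HTTP response, and they are the ones most often found to compound a CSRF or XSS issue. The following checker is an added example written for this article, not code from Bishop Fox's report or from ConnectWise, and it does not reproduce any specific finding against ConnectWise Control. The two sample responses, the attacker origin, the required-header baseline, and the function names are all constructed for the example.

```python
"""Audit a raw HTTP response for three finding classes from the report's list:
permissive CORS, missing security headers and insecure cookie attributes.

Generic check on constructed input; not ConnectWise-specific and not the
methodology Bishop Fox used.
"""

from typing import List, Tuple

# Hardening baseline for a browser-facing app (this list is the example's
# assumption, not a list taken from the report).
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
)

# Origin a tester would send in the Origin request header to see whether
# the server reflects arbitrary origins (constructed value).
ATTACKER_ORIGIN = "https://evil.example"


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split raw response text (status line first) into (name, value) pairs.

    Names are lower-cased; repeated headers such as Set-Cookie are all kept.
    Parsing stops at the blank line that separates headers from the body.
    """
    pairs = []
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_cors(headers: List[Tuple[str, str]], request_origin: str) -> List[str]:
    """Flag CORS policies that let a foreign site read authenticated responses."""
    findings = []
    allow_origin = [v for n, v in headers if n == "access-control-allow-origin"]
    allow_creds = [v for n, v in headers if n == "access-control-allow-credentials"]
    with_creds = any(v.lower() == "true" for v in allow_creds)
    for origin in allow_origin:
        if origin == "*" and with_creds:
            # Browsers reject this combination, but it signals a misconfiguration.
            findings.append("CORS: wildcard origin combined with credentials")
        elif origin == request_origin and with_creds:
            # The server echoed the attacker-controlled Origin back with credentials:
            # any site can read responses as the logged-in user.
            findings.append(f"CORS: arbitrary origin {origin!r} reflected with credentials")
    return findings


def check_security_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Report baseline headers that are absent from the response."""
    present = {n for n, _ in headers}
    return [f"missing header: {h}" for h in REQUIRED_HEADERS if h not in present]


def check_cookies(headers: List[Tuple[str, str]]) -> List[str]:
    """Report Set-Cookie headers lacking Secure, HttpOnly or a strict-enough SameSite."""
    findings = []
    for n, v in headers:
        if n != "set-cookie":
            continue
        parts = [p.strip() for p in v.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {}
        for p in parts[1:]:
            key, _, val = p.partition("=")
            attrs[key.lower()] = val
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name}: missing HttpOnly")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"cookie {cookie_name}: SameSite not Lax/Strict")
    return findings


def audit(raw: str, request_origin: str = ATTACKER_ORIGIN) -> List[str]:
    """Run all three checks over one raw response and return the findings."""
    headers = parse_headers(raw)
    return check_cors(headers, request_origin) + check_security_headers(headers) + check_cookies(headers)


# Constructed sample responses: one weak, one hardened. Not real server output.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json
Access-Control-Allow-Origin: https://evil.example
Access-Control-Allow-Credentials: true
Set-Cookie: session=abc123; Path=/

{"user":"admin"}"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json
Access-Control-Allow-Origin: https://app.example
Access-Control-Allow-Credentials: true
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict

{"user":"admin"}"""


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit(resp) or ['no findings']}")
```

The weak response yields eight findings (one CORS reflection, four missing headers, three cookie attributes) and the hardened one none. The CORS check is deliberately driven by the origin the tester sent, because a server that echoes whatever Origin it receives looks identical to a correctly configured one unless you compare the echoed value against your own input.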

To confirm Bishop Fox's findings, Huntress Labs was contacted to test ConnectWise independently and reached the same conclusion as Bishop Fox about the product's security posture. In direct response to the Bishop Fox report, ConnectWise released its own internal evaluation along with an assessment by third-party consultancy GuidePoint, and it is working to address the vulnerabilities outlined in the report.

Our Take

Software bugs are common, and even well-maintained programs run into them. What matters more is what ConnectWise does next. It is promising that the vendor commissioned a third-party consulting firm to investigate the vulnerabilities. By having GuidePoint conduct an independent white-hat assessment of its software, ConnectWise can reconcile GuidePoint's findings with the Bishop Fox report and plan its path forward.

Furthermore, ConnectWise launched a security alert website that helps its partners track security-related statements, patches, and compliance. ConnectWise has so far addressed six of the eight identified vulnerabilities and announced that progress through the site; it is working on the remaining two and has outlined the steps it plans to take.

While Bishop Fox and ConnectWise disagree on the timeline of events, ConnectWise's response has been action-oriented and focused on fixing the problems.

Info-Tech’s SoftwareReviews has collected user reviews on ConnectWise and its Automate program. Check out the full report to see how other users have rated ConnectWise and their experiences with the company. Additionally, learn how to better assess vendors with the help of Info-Tech.


Want to Know More?

ConnectWise Automate at SoftwareReviews

Develop and Implement a Security Incident Management Program

Build a Vendor Security Assessment Service

Design and Implement a Vulnerability Management Program