‘If we were bad guys we could have reached out to all 5,000 servers and exploited all of them. And not just those individual servers themselves, but also any of the agents that they manage as well,’ Caleb Stewart, a security researcher with Huntress, tells CRN.
ConnectWise on Friday patched a critical software flaw that allowed Huntress researchers to use remote code and push ransomware into approximately 5,000 ConnectWise R1Soft servers.
A ConnectWise partner said the Tampa, Florida-based company remotely fixed the flaw, which is part of the firm’s backup and disaster recovery products.
Huntress CEO Kyle Hanslovan said on LinkedIn that uncovering the flaw began with a researchers’ tweet and snowballed into the “ability to push ransomware through ~5,000 R1 Soft servers.” He appeared caught off guard with ConnectWise announcing the critical flaw on a Friday.
“Whelp, wasn’t expecting this ConnectWise RCE to become public today. Guess we’ll publish on Monday how Huntress went from a researcher’s tweet to the ability to push ransomware through ~5,000 R1Soft servers that are exposed on Shodan,” Hanslovan said. “#StayTuned for some amazing work by Caleb Stewart and John Hammond!”
Stewart, who along with Hammond on Monday will demonstrate how they uncovered the exploit, told CRN their team tested the patch to see that it worked.
“What we were able to prove is that it was a full authentication bypass that you could use to exploit the server and get remote code execution, but because it’s a backup manager that manages a lot of other machines, other hosts, other agents – we could use that to get code execution on those registered agents, that the backup manager, managed,” Stewart told CRN on Friday.
CRN has reached out to ConnectWise for comment.
Once researchers paired that exploit with server search engine Shodan, Huntress found 5,000 unpatched servers it could take over without authentication and then execute remote code on those devices, as well as the machines they backed up.
“If we were the bad actors we could have reached out to all 5,000 servers and exploited all of them. And not just those individual servers themselves, but also any of the agents that they manage as well,” Stewart said. “Aside from proving it, the work we did helps because this patch came out and we were able to very quickly pull that patch down and install the patched version and test our implementation of the exploit.”
Mark Essayian, president of KME Systems, an Irvine, Calif.-based MSP, has been a ConnectWise partner for 15 years and also uses Huntress. He said his internal IT team told him they were alerted to the flaw by ConnectWise, which remotely patched it.
“It is solid improvement,” he said of the ConnectWise response. “Other vendors are not open to deal with. ConnectWise is saying, ‘If we’re broken, help us fix it.’ Everyone in the software business has to deal with the fact that humans created this stuff and it has flaws. When people acknowledge this, it changes the process.”
ConnectWise has been a persistent target for cybercrime since the company’s MSP operational platform can give crooks the ability to remotely access thousands of customers through a single solution provider. One such attack in 2019 exploited ConnectWise Control to ransom 22 school districts in Texas. Since then, the company has taken a more proactive security posture.
Stewart said the two companies were able to work together to solve this exploit quickly, which makes the entire ecosystem that much more secure.
“It’s great that we were able to find it and work closely with ConnectWise to figure it out,” he said. “It not only helped us with our customers and the people we are protecting, but being able to push that information back through ConnectWise to get a solution out as quickly is possible I think is great.”
Essayian said the change in ConnectWise begins with CEO Jason Magee.
“In my opinion this is coming from McGee,” Essayian said. “I think he has instilled a culture of, ‘Look, this is going to break and when it does let’s jump all over it to get it fixed. Let’s work with the resources we need to protect our partners. That’s not spinning. I’m not ‘Mr. Pro-ConnectWise.’ I get the feeling constantly now from ConnectWise that it’s ‘protect the partner.’ They get that we are under relentless attack.”
ConnectWise regularly posts security updates for users of its product on the company’s website. In the last two years, there were patches for three “critical” security flaws.
“When they protect the partner, it protects the customer,” Essayian said.