ConnectWise isn’t a vendor most Reg readers deal with directly, but the fact the company has just issued its first-ever security advisory deserves attention.
That’s because ConnectWise specialises in software that IT services providers use to manage your IT. The 38-year-old company is the dominant force in that market, meaning that if you work with a system integrator, managed services provider or other outsourcer there’s a decent chance that ConnectWise touches some of the tech your business relies on.
And that can be scary because if a bad actor can control a ConnectWise instance, they can control you. Which is just what happened in April 2019 when someone was able to access a ConnectWise instance used by Wipro and used it to plant ransomware at the outsourcer’s clients.
Phishing was the cause of that incident, rather than a bug. But ConnectWise found its security questioned again a month later after catching ransomware itself.
In early 2020 security consultancy Bishop Fox put the company under the microscope and found eight vulnerabilities in ConnectWise code. Responsible disclosure ensured those problems were tidied up before any unpleasantness and ConnectWise quickly improved its security skills and promised to do better and be more open with direct and indirect users alike.
Earlier this week ConnectWise revealed it’s found an API vulnerability in its “Automate” product, a remote monitoring and management suite pitched as offering “Unprecedented visibility into your clients' IT systems.”
ConnectWise says the flaw means “A remote authenticated user could exploit a vulnerability in a specific Automate API and execute commands and/or modifications within an individual Automate instance.”
Which is rather scary and earned the bug a CVSS score of 7.8, placing it in the middle of the “High” severity rating but nicely short of the 9.0 score needed for a critical bug.
Many ConnectWise users prefer its cloud services and those were patched, pronto. But there’s also an option to run Automate on-prem and ConnectWise has urged users of that product to patch promptly.
The Register imagines customers of service providers that use ConnectWise will do likewise, because it’s well understood that many attacks exploit the weakest link in a security chain. And right now ConnectWise is a weak link.
But at least it’s revealed that weakness and informed hands-on and indirect users alike. The company has promised it will also have RSS feeds of its bug reports up and running by the end of Q2 2020, which will help to apply automation to those notifications. And thus the world will potentially become just a little more secure. ®