connectwise_screenconnect_vulnerabilities.yml
name: ConnectWise ScreenConnect Vulnerabilities
id: fbee3185-748c-40d8-a60c-c2e2c9eb738b
version: 1
date: '2024-02-21'
author: Michael Haag, Splunk
description: This analytic story provides a comprehensive overview of the ConnectWise ScreenConnect vulnerabilities.
narrative: The following analytic story includes content for the recently disclosed CWE-288 Authentication Bypass and CWE-22 Path Traversal vulnerabilities. The vulnerabilities, rated critical with CVSS scores of 10 and 9.8, respectively, enable unauthorized users to bypass authentication and perform path traversal attacks on affected ScreenConnect instances. The analytic story includes detection analytics for both vulnerabilities, which are crucial for identifying and responding to active exploitation in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issues, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers. The analytic story also includes guidance on how to implement the detection analytics, known false positives, and references to additional resources for further analysis and remediation.
references:
- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
- https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
tags:
  category:
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection
  cve:
  - CVE-2024-1708
  - CVE-2024-1709