CVE-2024-1708
Description
ConnectWise ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.
Source for Ransomware attack observation: https://unit42.paloaltonetworks.com/unit-42-ransomware-leak-site-data-analysis/
Ratings
- Attacker Value: High
- Exploitability: Very High
Technical Analysis
CVE-2024-1708 is a path traversal vulnerability affecting ConnectWise ScreenConnect. A technical analysis is available here.
The vulnerability occurs when installing a new extension (i.e. a plugin) on a vulnerable ScreenConnect target. An extension is delivered as a ZIP file, and an authenticated administrator can install a new extension by making an HTTP POST request to the /Services/ExtensionService.ashx/InstallExtension endpoint, supplying the contents of the ZIP as part of the request.
By default new extensions are stored in the folder C:\Program Files (x86)\ScreenConnect\App_Extensions\ on Windows, and /opt/screenconnect/App_Extensions/ on Linux. An extension will be identified on the system using a GUID, and will reside in the App_Extensions folder under a new folder named with the GUID value of the extension.
When installing a new extension, ScreenConnect extracts the contents of the ZIP file to the extension's GUID folder in the App_Extensions folder. However, ZIP file extraction honors double-dot path segments (e.g. \..\ on Windows, or /../ on Linux), allowing arbitrary files held in the ZIP file to be extracted to arbitrary locations on the target system due to path traversal.
When writing the Metasploit exploit for CVE-2024-1709, I leveraged CVE-2024-1708 to write an attacker-controlled ASHX (a form of ASP.NET) payload to the App_Extensions folder.
CISA rated this vulnerability with a CVSS score of 8.4 (High). Notably, their rating sets the User Interaction to Required, and the Scope to Changed. Based on my writing of the Metasploit exploit module, user interaction is not required. Additionally, the scope is not changed through this vulnerability, as this vulnerability is authenticated, and requires an attacker to already have administrator privileges, for example, via CVE-2024-1709. The vulnerability that gets an attacker administrator privileges (i.e. CVE-2024-1709) should be the one marked with Scope as Changed. A rating of 7.2 (High) would seem to better reflect the impact of CVE-2024-1708.
I have rated the exploitability of CVE-2024-1708 as Very High, as the steps to exploit the path traversal are both easy to perform and reliable in practice. I have rated the attacker value as High and not Very High, as this vulnerability requires authentication.
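The following is an added example, not ScreenConnect code and not part of the assessment above. It models the extension-install step the analysis describes: a ZIP is unpacked into App_Extensions/<GUID>/, and a naive extractor that joins entry names onto that folder honors "../" (or "\..\") segments and writes outside it. It shows that vulnerable pattern beside a hardened extractor that resolves every destination and refuses anything that leaves the GUID folder, plus a pre-flight scanner a defender can run over a suspicious extension ZIP. The GUID, the entry name "../evil.ashx", the Manifest.xml placeholder and the payload bytes are all constructed for the example; the real InstallExtension request format is not reproduced here.

```python
"""ZIP path-traversal class behind CVE-2024-1708 (added example, not ScreenConnect code)."""
import io
import os
import posixpath
import re
import tempfile
import zipfile

# Constructed sample values: made up for this example.
EXTENSION_GUID = "1b2c3d4e-0000-4000-8000-00000000abcd"
PAYLOAD_NAME = "../evil.ashx"   # one '..' escapes App_Extensions/<GUID>/ into App_Extensions/
PAYLOAD_BODY = b'<%@ WebHandler Language="C#" Class="X" %>'  # stand-in bytes, not a working handler


def build_extension_zip(traversal: bool) -> bytes:
    """Build an in-memory extension ZIP; with traversal=True it adds a '..' entry.

    zipfile.writestr stores the entry name verbatim, so '../evil.ashx' survives.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Manifest.xml", "<Manifest/>")  # constructed placeholder entry
        if traversal:
            zf.writestr(PAYLOAD_NAME, PAYLOAD_BODY)
    return buf.getvalue()


def _entry_escapes(name: str) -> bool:
    """True if an entry name would resolve outside its extraction folder.

    Backslashes count as separators because Windows extraction treats them so
    ('\\..\\' on Windows, '/../' on Linux). Absolute and drive-letter paths are
    rejected too.
    """
    norm = posixpath.normpath(name.replace("\\", "/"))
    return (
        norm == ".."
        or norm.startswith("../")
        or norm.startswith("/")
        or re.match(r"^[A-Za-z]:", norm) is not None
    )


def find_traversal_entries(zip_bytes: bytes) -> list:
    """Pre-flight scan: every entry name that escapes the target folder."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if _entry_escapes(n)]


def _components(name: str) -> list:
    return [c for c in name.replace("\\", "/").split("/") if c]


def extract_naive(zip_bytes: bytes, dest_dir: str) -> list:
    """Vulnerable pattern: join the entry name onto the folder and write.

    os.path.join(dest_dir, '..', 'evil.ashx') lands in dest_dir's parent.
    zipfile.extractall strips '..' itself, so the join is done by hand to
    reproduce the bug class.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.join(dest_dir, *_components(name))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(name))
            written.append(os.path.realpath(target))
    return written


def extract_hardened(zip_bytes: bytes, dest_dir: str) -> list:
    """Fixed pattern: reject escaping names, then re-check the resolved path."""
    root = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if _entry_escapes(name):
                raise ValueError(f"refusing traversal entry: {name!r}")
            target = os.path.realpath(os.path.join(root, *_components(name)))
            if os.path.commonpath([root, target]) != root:  # symlink/normalisation backstop
                raise ValueError(f"entry resolves outside extension folder: {name!r}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(name))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors against the constructed malicious ZIP in a temp tree."""
    zip_bytes = build_extension_zip(traversal=True)
    with tempfile.TemporaryDirectory() as tmp:
        app_ext = os.path.join(tmp, "App_Extensions")
        guid_dir = os.path.join(app_ext, EXTENSION_GUID)
        os.makedirs(guid_dir)
        extract_naive(zip_bytes, guid_dir)
        escaped = os.path.isfile(os.path.join(app_ext, "evil.ashx"))  # payload outside GUID dir

        safe_dir = os.path.join(tmp, "safe", EXTENSION_GUID)
        os.makedirs(safe_dir)
        try:
            extract_hardened(zip_bytes, safe_dir)
            blocked = False
        except ValueError:
            blocked = True
        return {
            "flagged": find_traversal_entries(zip_bytes),
            "naive_escaped": escaped,
            "hardened_blocked": blocked,
        }


if __name__ == "__main__":
    print(demo())
```

The hardened extractor checks twice on purpose: the string-level test catches the obvious "..", absolute and drive-letter names before anything touches disk, and the realpath/commonpath comparison is a backstop against cases the string check cannot see, such as a symlink already present under the GUID folder. The scanner alone is enough to triage an extension ZIP pulled from a compromised host.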
General Information
Vendors
- connectwise
Products
- screenconnect