Critical Vulnerabilities in ConnectWise ScreenConnect, PostgreSQL JDBC, and VMware EAP



ConnectWise has remedied a critical vulnerability rated CVSS 10 in ScreenConnect, its desktop and mobile support software that provides fast and secure remote access.

Alongside the critical flaw, ConnectWise has addressed a high-severity path traversal vulnerability (CVSS: 8.4) in ScreenConnect. Both vulnerabilities were reported on February 13 but had not yet been assigned CVE identifiers at the time of writing.

All about the Vulnerability in ConnectWise

All servers running ScreenConnect 23.9.7 and earlier are vulnerable to an authentication bypass weakness that lets attackers gain access to confidential data or achieve remote code execution (RCE) without user interaction. Users must apply the available patches to mitigate this critical vulnerability.

Researchers have already developed a Proof-of-Concept (PoC) exploit capable of leveraging the vulnerabilities to bypass authentication on ScreenConnect servers.

Moreover, a Shodan search has uncovered more than 8,000 ScreenConnect servers exposed to the internet, raising further concern about potential exploitation.

Because ScreenConnect is a remote access solution, it is a prime target for malicious actors, and with a Proof-of-Concept (PoC) available, exploitation attempts are expected imminently. In its advisory, ConnectWise reports that it has received updates about compromised accounts and has shared Indicators of Compromise (IoCs) linked to attempted exploitation of the ScreenConnect vulnerabilities.

Below are the observed IP addresses involved in attacks:

  • 155.133.5[.]15
  • 155.133.5[.]14
  • 118.69.65[.]60

Administrators running the on-premises software are strongly urged to update their servers to ScreenConnect version 23.9.8 promptly to prevent exploitation of the vulnerabilities.
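The IoC addresses above are published in defanged form (`155.133.5[.]15`), so a detection script has to refang them before matching. The following is an added example, not ConnectWise's code: it refangs the three published addresses and scans web-server access logs for requests from them. The log lines are constructed samples in combined log format, and the field layout is an assumption.

```python
"""Scan web-server access logs for the ScreenConnect IoC addresses above.

Added example, not ConnectWise's code. The three IoC addresses are the ones the
advisory reproduces (in defanged form); the log lines are constructed samples
in combined log format, and the field layout is an assumption.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# IoCs exactly as published, defanged with "[.]" so they are not clickable.
DEFANGED_IOCS = ["155.133.5[.]15", "155.133.5[.]14", "118.69.65[.]60"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a real address string ("[.]" -> ".")."""
    return indicator.replace("[.]", ".")


# Parsed once so that comparison is on IP objects, not strings.
IOC_ADDRESSES = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IOCS}

# Combined log format: client ip, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines; the IoC hits are the second and fourth lines.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Feb/2024:10:01:02 +0000] "GET /Login HTTP/1.1" 200 2048
155.133.5.15 - - [20/Feb/2024:10:02:17 +0000] "GET /Login HTTP/1.1" 200 2048
192.168.1.20 - - [20/Feb/2024:10:03:40 +0000] "GET /Host HTTP/1.1" 200 512
118.69.65.60 - - [20/Feb/2024:10:04:05 +0000] "POST /Login HTTP/1.1" 302 0
this line is not in log format
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        client = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None  # hostname or garbage in the client field
    return {
        "ip": client,
        "ts": m.group("ts"),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def find_ioc_hits(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return the parsed records whose client address is a published IoC."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["ip"] in IOC_ADDRESSES:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG.splitlines()):
        print(f"IoC hit: {hit['ip']} at {hit['ts']}: {hit['req']} -> {hit['status']}")
```

Matching on parsed `ip_address` objects rather than raw strings avoids misses on cosmetic differences (leading zeros, surrounding whitespace) and makes it easy to extend the list with CIDR ranges later. A hit from one of these addresses on a server still running 23.9.7 or earlier should be treated as a potential compromise, not just a scan.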

Recent Vulnerability in PostgreSQL JDBC Driver Could Allow SQL Injection (CVE-2024-1597)

The PostgreSQL JDBC Driver, commonly referred to as PgJDBC, has been found to contain a critical vulnerability rated at the highest severity score of 10. This vulnerability, designated CVE-2024-1597, poses a significant risk because it allows SQL injection and potential takeover of the database. It arises only when the driver is used in a non-default configuration.

PgJDBC, written in Java, serves as a bridge between Java applications and PostgreSQL databases, enabling the establishment of connections using standard Java code that remains independent of the underlying database system. Fortunately, a fix for this vulnerability has been recently released.


The vulnerability in the PostgreSQL JDBC Driver occurs when the driver is used in the non-default configuration PreferQueryMode=SIMPLE. In that mode, driver versions earlier than the following fixed releases are susceptible to SQL injection:

  • 42.7.2
  • 42.6.1
  • 42.5.5
  • 42.4.4
  • 42.3.9
  • 42.2.8
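Because exposure depends on two things at once, the non-default query mode and a driver older than the fix for its branch, an audit needs to check both. The following is an added example, not code from the pgjdbc project: it inspects a JDBC URL and/or a Properties map for `preferQueryMode=simple` and compares the driver version against the per-branch fixed releases listed above. The JDBC URLs and property maps are constructed samples; treating the property name and value case-insensitively is an assumption made so the check errs on the side of flagging.

```python
"""Audit a PgJDBC connection for exposure to CVE-2024-1597.

Added example, not code from the pgjdbc project. It ties together the two
conditions the advisory above describes: the non-default preferQueryMode=simple
setting, and a driver version older than the fixed release for its 42.x
branch. The JDBC URLs and property maps are constructed samples; the
case-insensitive handling of the property name and value is an assumption
made so the check errs on the side of flagging.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

# First fixed release of each affected branch, as listed in the advisory.
FIXED_VERSIONS = ["42.7.2", "42.6.1", "42.5.5", "42.4.4", "42.3.9", "42.2.8"]

# Audit outcomes returned by assess().
NOT_EXPOSED_DEFAULT_MODE = "not_exposed_default_mode"
NOT_EXPOSED_PATCHED = "not_exposed_patched"
EXPOSED = "exposed"
REVIEW_UNKNOWN_BRANCH = "review_unknown_branch"


def parse_version(version: str) -> Tuple[int, ...]:
    """'42.5.5' -> (42, 5, 5); a '-SNAPSHOT' style suffix is ignored."""
    return tuple(int(p) for p in version.split("-")[0].split("."))


# Map (major, minor) -> fixed version tuple, e.g. (42, 5) -> (42, 5, 5).
FIXED_BY_BRANCH: Dict[Tuple[int, ...], Tuple[int, ...]] = {
    parse_version(v)[:2]: parse_version(v) for v in FIXED_VERSIONS
}


def driver_is_patched(version: str) -> Optional[bool]:
    """True if version is at or above its branch's fix, False if below,
    None if the branch is not in the advisory's list (needs manual review)."""
    ver = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(ver[:2])
    if fixed is None:
        return None
    return ver >= fixed


def uses_simple_query_mode(url: str, props: Optional[Dict[str, str]] = None) -> bool:
    """True when preferQueryMode=simple is set in the URL query string or in
    the Properties passed to DriverManager. Either source is enough to flag."""
    found = []
    _, _, query = url.partition("?")
    for key, values in parse_qs(query).items():
        if key.lower() == "preferquerymode":
            found.extend(values)
    for key, value in (props or {}).items():
        if key.lower() == "preferquerymode":
            found.append(value)
    return any(v.strip().lower() == "simple" for v in found)


def assess(url: str, driver_version: str, props: Optional[Dict[str, str]] = None) -> str:
    """Combine the two checks into one audit verdict."""
    if not uses_simple_query_mode(url, props):
        return NOT_EXPOSED_DEFAULT_MODE
    patched = driver_is_patched(driver_version)
    if patched is True:
        return NOT_EXPOSED_PATCHED
    if patched is False:
        return EXPOSED
    return REVIEW_UNKNOWN_BRANCH


if __name__ == "__main__":
    # Constructed samples: same database, different driver settings.
    samples = [
        ("jdbc:postgresql://db.example.internal:5432/app", "42.5.4", None),
        ("jdbc:postgresql://db.example.internal:5432/app?preferQueryMode=simple", "42.5.4", None),
        ("jdbc:postgresql://db.example.internal:5432/app?preferQueryMode=simple", "42.5.5", None),
        ("jdbc:postgresql://db.example.internal:5432/app", "42.6.0", {"preferQueryMode": "SIMPLE"}),
    ]
    for url, version, props in samples:
        print(version, props, url, "->", assess(url, version, props))
```

The verdict is deliberately three-way: a branch that is not in the advisory's fix list (for example a later 42.x line) returns `REVIEW_UNKNOWN_BRANCH` rather than silently passing, so the audit never reports "patched" for a version the advisory says nothing about. Switching a connection back to the default extended query mode removes the exposure even before the driver is upgraded.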

VMware EAP Is Vulnerable to CVE-2024-22245 and CVE-2024-22250


VMware has advised administrators to uninstall an authentication plugin that has been deprecated since 2021. The advice follows the discovery of two unpatched vulnerabilities in the plugin, the VMware Enhanced Authentication Plugin (EAP).

The VMware Enhanced Authentication Plugin (EAP) was used for direct login to the VMware vSphere Client through a web browser. Note that EAP is a client-side plugin and is not part of vCenter Server, ESXi, or Cloud Foundation.


Malicious actors can exploit the vulnerabilities, CVE-2024-22245 (CVSS: 9.6) and CVE-2024-22250 (CVSS: 7.8), to relay Kerberos service tickets and seize control of privileged EAP sessions.

According to VMware, an attacker could trick a target domain user who has EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).

Furthermore, CVE-2024-22250 allows a malicious actor with unprivileged local access to a Windows operating system to hijack a privileged EAP session initiated by a privileged domain user on the same system.

VMware currently has no evidence indicating that the security vulnerabilities have been exploited in the wild.

Recommendation

Although the deprecated VMware EAP is not installed by default, administrators with the plugin installed must remove both the in-browser plugin (VMware Enhanced Authentication Plugin 6.7.0) and the Windows service (VMware Plugin Service) to address the CVE-2024-22245 and CVE-2024-22250 vulnerabilities.

VMware has published a security article providing guidance on removing the deprecated VMware EAP plugin. Additionally, administrators are encouraged to explore alternative authentication methods, such as Active Directory over LDAPS, Microsoft Active Directory Federation Services (ADFS), Okta, and Microsoft En.
