Bishop Fox — the largest private professional services firm focused on offensive security testing — says it discovered and disclosed the vulnerabilities to ConnectWise in September 2019 before disclosing the alleged issues publicly today. The alleged back-and-forth between Bishop Fox and ConnectWise is documented in this CRN article.
At CRN’s request, Huntress Labs also took a look at the alleged vulnerabilities. Huntress Labs is a well-known threat hunting organization that also works closely with MSPs. In a follow-up blog, Huntress Labs says it validated Bishop Fox’s findings about ConnectWise Control.
MSSP Alert reached out to ConnectWise for comment. The software company offered this statement:
“In late September, ConnectWise received notification from a company known as Bishop Fox, an organization that operates as a consultant in the security space, stating they had identified vulnerabilities in ConnectWise Control. We had several conversations with Bishop Fox and asked for further information to assist in replicating their findings and thus facilitate any necessary improvements to our product.
Bishop Fox could not provide additional information as the attack chain for the exploits they outlined was conceptual. In addition, both Bishop Fox and ConnectWise agreed that no active exploits had occurred from these potential vulnerabilities.
ConnectWise takes the security of our products and our partners very seriously. We appreciated the insights and based on their report, we did our own internal research and evaluation and addressed the points they raised in their review. With an overabundance of caution, we resolved 6 of the 8 items Bishop Fox listed in their report by October 2, 2019.
On January 21, 2020, ConnectWise again ran our own tests on 6 of the 8 items referenced in the Bishop Fox report and we can affirm that they are secure. Within the next two weeks we will resolve a seventh item that is much lower in risk. ConnectWise takes the stance that the final item identified by Bishop Fox does not pose a credible threat to users of the product.
ConnectWise looks at security as a dynamic threat and will continue to work to optimize security for our partners and community. We encourage partners and colleagues to contact us at firstname.lastname@example.org with any questions or to report any issues.”