ConnectWise Responds to Bishop Fox Remote Control Vulnerability Report

ConnectWise Control, a popular remote control software product in the MSP software community, contains eight vulnerabilities, cybersecurity consulting firm Bishop Fox asserts and Huntress Labs further validates.

ConnectWise says six of the vulnerabilities have been resolved; a seventh vulnerability will soon be resolved; and the eighth vulnerability poses no threat to partners and customers.

Updated January 25, 2020: ConnectWise has launched a public website to help partners track security alerts, fixes and more.

Bishop Fox — the largest private professional services firm focused on offensive security testing — says it discovered and disclosed the vulnerabilities to ConnectWise in September 2019 before disclosing the alleged issues publicly today. The alleged back-and-forth between Bishop Fox and ConnectWise is documented in this CRN article.

At CRN’s request, Huntress Labs also took a look at the alleged vulnerabilities. Huntress Labs is a well-known threat hunting organization that also works closely with MSPs. In a follow-up blog, Huntress Labs says it validated Bishop Fox’s findings about ConnectWise Control.

ConnectWise Statement

MSSP Alert reached out to ConnectWise for comment. The software company offered this statement:

“In late September, ConnectWise received notification from a company known as Bishop Fox, an organization that operates as a consultant in the security space, stating they had identified vulnerabilities in ConnectWise Control. We had several conversations with Bishop Fox and asked for further information to assist in replicating their findings and thus facilitate any necessary improvements to our product.

Bishop Fox could not provide additional information, as the attack chain for the exploits they outlined was conceptual. In addition, both Bishop Fox and ConnectWise agreed that no active exploits had occurred from these potential vulnerabilities.

ConnectWise takes the security of our products and our partners very seriously. We appreciated the insights and based on their report, we did our own internal research and evaluation and addressed the points they raised in their review. With an overabundance of caution, we resolved 6 of the 8 items Bishop Fox listed in their report by October 2, 2019.

On January 21, 2020, ConnectWise again ran our own tests on 6 of the 8 items referenced in the Bishop Fox report and we can affirm that they are secure. Within the next two weeks we will resolve a seventh item that is much lower in risk. ConnectWise takes the stance that the final item identified by Bishop Fox does not pose a credible threat to users of the product.

ConnectWise looks at security as a dynamic threat and will continue to work to optimize security for our partners and community. We encourage partners and colleagues to contact us at security@connectwise.com with any questions or to report any issues.”

7 Comments

    Tom Fox:

    Sigh… This is extremely disappointing.

    I don’t fault ConnectWise for the security exploits in the software. While unfortunate, it is the reality of the software business.

    Where I do find fault is in how ConnectWise managed the issue. To recap:

    1. ConnectWise was notified of the issue in September 2019.
    2. ConnectWise was initially unresponsive to the researcher’s inquiries.
    3. When ConnectWise did respond, at some point shortly thereafter things became “contentious.” ConnectWise threatened legal action (From the CRN article: “A threat of defamation and libel did come up in that conversation.”)
    4. ConnectWise apparently patched some of these vulnerabilities in late September or early October.
    5. ConnectWise NEVER sent an advisory to their customers letting them know about the vulnerabilities and urging them to patch.
    6. It was only after the Bishop Fox report was released and CRN’s article was published that ConnectWise made any public statement about the vulnerabilities.
    7. ConnectWise has still not sent a formal advisory to their customer base.

    ConnectWise boasts that over 100,000 IT professionals use its software to manage millions of endpoints. They are arguably the leader in the PSA and RMM space.

    It is disturbing (other adjectives come to mind… absurd… disgusting… alarming… inconceivable) that ConnectWise would respond in the manner they did. It is criminal that they still have not formally notified their customer base that a patch is needed.

    The vulnerabilities are obscure and require a specific set of circumstances in order to exploit them. The risk is low, and 80% of the vulnerabilities have been mitigated. From the standpoint of fixing the problems, ConnectWise by all reports behaved admirably.

    Where they clearly fell down on the job was in notifying their customer base and exerting maximum effort to make sure their customers patched their systems.

    The threat landscape has evolved into something no IT professional could have imagined five years ago. We all have to do a much better job at securing our own infrastructure and that of our clients.

    And that includes ConnectWise most of all. As the leader in the space, their responsibilities to their customers, and their customers’ customers, are unquestioned.

    They need to make an announcement and apologize for their handling of this issue.

    And from Jason Magee on down, every person working at ConnectWise needs to make a personal commitment to do a better job of handling these situations when they come up.

    Joe Panettieri:

    Hey Tom: Thanks for your readership and outlining your concerns. I’ve received numerous emails from readers about the (1) Control security issues; (2) ConnectWise’s approach to security communications; and (3) the overall state of security in the MSP market.

    On the one hand, I appreciate ConnectWise’s PR team for sending me a comment about the situation. On the other hand, I’m disappointed information about the vulnerabilities and associated patches/fixes doesn’t appear to be documented or clearly communicated on the company’s own public-facing website or public blog(s). (If readers think I overlooked a URL please send it to me.)

    Here’s an example of what I’d expect, based on Oracle’s approach: https://www.oracle.com/security-alerts/

    Whether it’s a normal day or crisis day, there’s consistency: Oracle customers, security pros, partners and media know exactly where to go for the latest urgent alerts, patching directions, etc.

    -jp

    Don Bentz:

    I’ve been listening to a LOT of security-related podcasts over the last few months. This hits right where all the podcast stories talk about. Microsoft and others have the same issues. “Do we speak of said vulnerability discovered now, later or ever?” One side is letting the customers know what is going on, what was found and when it will be fixed. Then there is the “How this works, exploit wise.” This is the hard part, as IF it’s publicized and not everything is patched, then hackers have a newly found method to use. If they don’t tell, then again the unpatched are still available for hacking.

    To me the key question is, for the exploit, was anyone hurt? Was any data compromised? If no, which is more ethical: telling and disclosure, or not telling and possibly keeping more people safe?

    Just some pondering thoughts to chew on.

    Tom Fox:

    Hey DonnyB,

    I agree they should keep it under wraps until a work around or patch is available. But, once an update is available, they have a moral (ethical? legal?) obligation to notify their customer base. I like the way Joe explained that Oracle handles it. ConnectWise should do the same thing.

    I can only think of a few times that they ever made an announcement about a security issue and the need to patch, and one of them was after the Kaseya plugin vulnerability had already done some damage.

    ERS:

    @Tom Fox:

    I agree that Connectwise could have definitely handled this better from a PR / notification / optics perspective. And if their team did get adversarial with Bishop Fox, it would be interesting to hear their perspective as to how that conversation went (maybe an overly protective, uninformed, non-security intelligent exec?).

    I think from a technical perspective Connectwise’s response has been on point – quickly mitigated the majority of the vulnerabilities, and ignored (“accepted the risk”) the “nothing-burger” that Bishop Fox clearly over-stated the severity of. (Don’t get me wrong, most of Bishop Fox’s research was on point, and two of the vulnerabilities were clearly bad… the “critical” was anything but, from a practical exploitation/risk perspective, however).

    I wouldn’t call their lack of notification to customers “criminal” – there is definitely no legal obligation to notify customers of details of security vulnerabilities. That said, there is a rising level of expectation that companies will do so in a responsible manner. The fact is that ALL software has flaws – and some of those flaws result in security vulnerabilities. Identify them, resolve them, push a patch, notify your customers, (and if notified by an external party, give them credit/thanks), and then move on. Some companies are “embarrassed” by these kinds of situations, mostly through their lack of experience in them, and as a result they sometimes get overly defensive or “go silent” – they should take a look at the “big boys” – those experienced companies that are doing this right – and take a few pages from their playbooks on handling security notifications / disclosures.

    Overall, I hope that this has been a learning lesson for Connectwise on how to handle these types of events in the future, and I hope that they do better next time from a customer engagement / security transparency perspective. (Because there will definitely be a next time – as there is for all software.)

    -ERS

    Joe Panettieri:

    Hi Folks. An update. ConnectWise has launched a security-related site for all updates, alerts, etc. Bookmark this URL:

    https://www.connectwise.com/company/trust

    Best,
    -jp

    Jack Larson:

    It’s not surprising that someone may get upset with BishopFox. Their approach is to exploit software vulnerabilities and then sell their testing services at a high price. Imagine an alarm company coming to your house, taking pictures, and then threatening to make the data public unless you work with them. It’s obvious that they do not provide details because they want you to pay for their testing services.
