TL;DR

  • Agent validation could potentially be bypassed
  • No current workaround exists
  • User can authenticate as any computer in either probe communication or agent signup
  • Patched in 2020.7 and in a hotfix for 2019.12

Introduction

Connectwise Automate uses a method of hashing the computer password to generate authentication passwords for use in agent communication. Due to insufficient validation in the received passwords it is possible to bypass computer authentication. Due to the sensitive nature of this attack, information on the exact vulnerability and POC code will not be released. It has been passed to the vendor and a patch was released in the 2020.7 release and as a 2019.12 hotfix.

Summary

  • Risk: Critical
  • Patched: Yes
  • CVE: CVE-2020-15027
  • Complexity: Low
  • Type: Authentication Bypass

Scoring

  • CVSS 3.1 Base Score: 9.9
  • CVSS 3.1 Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:H
  • CVSS 3.1 Temporal Score: 9.2
  • CVSS 3.1 Environmental Score: 9.3

Timeline

  • 2020-06-23
    • Detail provided to Connectwise
    • Vendor Acknowledges receipt
  • 2020-07-02
    • Patch released in 2020.7 and hotfix for 2019.12
  • 2020-07-16
    • Information on vulnerability released

Details

Connectwise Automate uses a hashing/encryption utilizing the local computer password to create a password utilized in agent communications. Weaknesses exist in the server side implementation of this password validation. Poor logging in the authentication method makes detection of exploitation difficult.

Due to the sensitive nature of this vulnerability, as well as the slow patch adoption rate of some partners, further specific details of the exploit path and POC code will not be provided.

Additional Resources