After identifying a critical security flaw in its products, ConnectWise released a patch on Friday for its Recover and R1Soft Server Backup Manager (SBM) software.
The bug stems from an injection weakness and is rated a high-priority issue. With thousands of R1Soft servers exposed to the internet, ConnectWise warns that attackers are likely to exploit it.
Security Bug in ConnectWise MSP
ConnectWise, maker of the Recover software that enables system admins to manage unattended computers remotely, has disclosed a critical security bug that can allow an attacker to execute malicious code remotely.
The same flaw affects the ConnectWise R1Soft Server Backup Manager (SBM), a secure backup solution widely used to store important data. The bug was discovered by Code White security researcher Florian Hauser and later detailed by Huntress Labs security researchers John Hammond and Caleb Stewart.
In their report, the researchers warned that attackers who successfully exploit the vulnerability could push ransomware to vulnerable R1Soft servers exposed on the Internet. A Shodan scan revealed that over 4,800 R1Soft servers are internet-exposed.
Whelp, wasn't expecting this ConnectWise RCE to become public today. Guess we'll publish on Monday how @HuntressLabs went from a researcher's tweet to the ability to push ransomware through ~5,000 R1Soft servers that are exposed on Shodan. #staytuned https://t.co/HroDdZ5NYI pic.twitter.com/mHLu6zpwic
— Kyle Hanslovan (@KyleHanslovan) October 28, 2022
This could turn out as bad as Kaseya's supply chain attack, given that ConnectWise products are used for remote work management. In its advisory, ConnectWise described the issue as an "Improper Neutralization of Special Elements in Output Used by a Downstream Component".
Affected versions include ConnectWise Recover 2.9.7 or earlier and R1Soft SBM v6.16.3 or earlier. While the company has automatically updated ConnectWise Recover SBMs to v2.9.9 (the patched version), R1Soft users have to update manually.
The patch just dropped so I'd guess the majority of them are still vulnerable. I don't believe there is any auto-updating functionality.
— Kyle Hanslovan (@KyleHanslovan) October 28, 2022
ConnectWise lists v6.16.4, released just yesterday, as the latest patched version of the R1Soft Server Backup Manager. Follow the R1Soft upgrade wiki for details.
Though the company responded to this critical bug immediately, it's unfortunate that the patch was made available on the weekend. With most IT teams off at weekends, attackers get plenty of time to launch attacks once working exploits are available.