SYSWARDEN

ConnectWise Automate: SQLi/RCE Vulnerability

Jesse Connor, Wed Jun 17 2020

An SQL injection vulnerability has been identified in the ConnectWise Automate server component that processes incoming agent data. The vulnerability leads to remote code execution on any connected agent, including the server itself if an agent is installed on it. The only authentication required to exploit it is agent-level, which is easily obtained on any unpatched server that has not put the mitigation described below in place. Due to the severity I have only described portions of the vulnerability and have not provided a POC. Partners are advised to apply the provided patches as soon as possible, regardless of whether the mitigation is in place.

Summary

  • Risk: Critical
  • Patched: Yes
  • CVE ID: CVE-2020-14159
  • Complexity: Medium-Low
  • Affected Versions: 2020.5 and all prior
  • Vulnerability Type: SQL Injection, Remote Code Execution

CVSS v3.1 Scoring

  • CVSS Base Score: 10.0
  • Impact Subscore: 5.8
  • Exploitability Subscore: 3.9
  • CVSS Temporal Score: 9.5
  • CVSS Environmental Score: 9.5
  • Modified Impact Subscore: 6.1
  • Overall CVSS Score: 9.5

Timeline

  • 2020/05/16
    • alleged reports to vendor about compromises
    • logs indicate attacks began on this day
  • 2020/06/05
    • first public report of partner being compromised
  • 2020/06/08
    • logs used to confirm attacks used vulnerability
    • POC and mitigation details sent to the vendor
    • CVE reservation request sent to Mitre
  • 2020/06/09
    • reserved CVE ID sent to vendor
  • 2020/06/10
    • vendor acknowledges vulnerability on website
    • vendor issues mitigation instructions
    • vendor applies mitigation to cloud partners
    • vendor begins releasing patches for vulnerability
  • 2020/06/15
    • CVE-2020-14159 published by Perch Security
  • 2020/06/17
    • partial vulnerability details disclosed

Mitigation

The mitigation involves blocking outside access to the deployment.aspx endpoint. This endpoint is required to gain information needed to begin communication with the server as an agent. The block can be put in place using several methods.

  • IIS Deny Sequence
    1. Open IIS Manager > Sites > Default Site > LabTech.
    2. Open the Request Filtering option and choose the URL tab.
    3. Choose Deny Sequence in the action menu and enter deployment.aspx.
  • NGINX Location Block (for a reverse proxy in front of the Automate server)

    # Case-insensitive match on the deployment endpoint; the dot is escaped so
    # the pattern matches the literal file name only.
    location ~* ^/labtech/deployment\.aspx {
      # Only the listed public IPs may reach this endpoint; everything else is denied
      # before the request is proxied.
      allow allowed.public.ip.1;
      allow allowed.public.ip.2;
      deny all;
      proxy_pass https://your.automate.server;
    }

Details

In order to exploit this vulnerability the attacker must establish agent communication and send a crafted HTTP request containing the SQL to the agent endpoint. There are no restrictions on the injected SQL, as it is executed as the MySQL root user.

  • Example PowerShell Request Body

    $requestBody = @{
        "0"    = "1"
        "max0" = "0.1"
        "min0" = "0.1"
        "sm0"  = "0.1"
        "0i0v" = "0.1"
        "0i0d" = "foo','1/1/2000 12:00:00 AM'); ${sql}; # -- "
    }

  • Example IIS Log Entries (source IP redacted as X.X.X.X)

    2020-05-16 22:07:30 /Labtech/Deployment.aspx LINUX=3 443 - X.X.X.X Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:76.0)+Gecko/20100101+Firefox/76.0 - 200 0 0 660
    2020-05-16 22:07:30 /Labtech/Deployment.aspx LINUX=3 443 - X.X.X.X Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:76.0)+Gecko/20100101+Firefox/76.0 - 200 0 0 660
    2020-05-16 22:08:01 /LabTech/Agent.aspx 10=&0c1= 443 - X.X.X.X RestSharp/106.0.0.0 - 200 0 0 490
    2020-05-16 22:08:05 /LabTech/Agent.aspx i=1&c=22&l=3&p=4&AgentType=Type&CMD=10 443 - X.X.X.X RestSharp/106.0.0.0 - 200 0 0 366
    2020-05-16 22:08:06 /LabTech/Agent.aspx i=1&c=22&l=3&p=4&AgentType=Type&CMD=10 443 -  RestSharp/106.0.0.0 - 200 0 0 335
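The mitigation above restricts deployment.aspx to an allowlist of source IPs, and the log entries show the sequence that precedes the attack: a deployment.aspx request followed shortly by Agent.aspx traffic from the same source. The following Python script is an added example (not part of the original advisory or of ConnectWise's tooling) that applies the same allowlist logic retrospectively to IIS W3C log data so a partner can check whether the endpoint was reached from outside the allowlist before the block was in place, and escalates any such source that then went on to talk to Agent.aspx. The sample log, the allowlisted address and the field header are constructed for the example; the user-agent strings for "normal" agents are placeholders.

```python
"""Retrospective check of IIS W3C logs for deployment.aspx exposure (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The column layout mirrors the entries quoted in the
# advisory, preceded by the '#Fields:' header IIS writes. Addresses are RFC 5737
# documentation ranges; "ExampleAgent/1.0" is a placeholder user agent, not the
# real Automate agent's. The final line deliberately has an empty c-ip column,
# like the last quoted entry, to show how a dropped field is handled.
SAMPLE_LOG = """\
#Fields: date time cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-05-16 22:07:30 /Labtech/Deployment.aspx LINUX=3 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:76.0)+Gecko/20100101+Firefox/76.0 - 200 0 0 660
2020-05-16 22:08:01 /LabTech/Agent.aspx 10=&0c1= 443 - 203.0.113.10 RestSharp/106.0.0.0 - 200 0 0 490
2020-05-16 22:08:05 /LabTech/Agent.aspx i=1&c=22&l=3&p=4&AgentType=Type&CMD=10 443 - 203.0.113.10 RestSharp/106.0.0.0 - 200 0 0 366
2020-05-16 22:09:00 /Labtech/Deployment.aspx LINUX=3 443 - 198.51.100.5 Mozilla/5.0 - 200 0 0 120
2020-05-16 22:10:00 /LabTech/Agent.aspx i=1&c=22 443 - 198.51.100.5 ExampleAgent/1.0 - 200 0 0 100
2020-05-16 22:11:00 /LabTech/Agent.aspx i=2 443 - 192.0.2.7 ExampleAgent/1.0 - 200 0 0 100
2020-05-16 22:11:02 /Labtech/Deployment.aspx LINUX=3 443 -  RestSharp/106.0.0.0 - 200 0 0 335
"""

# Constructed allowlist: the public IPs that the mitigation permits to reach
# deployment.aspx. Replace with the addresses used in your own allow rules.
ALLOWED_DEPLOYMENT_IPS = frozenset({"198.51.100.5"})

# How long after a deployment.aspx hit we look for Agent.aspx traffic from the same IP.
CORRELATION_WINDOW = timedelta(minutes=15)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the '#Fields:' header.

    A line whose token count differs from the header (for example an empty c-ip
    column) is yielded as {"malformed": line} instead of letting the remaining
    columns shift silently into the wrong fields.
    """
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#Fields:"):
                fields = raw.split()[1:]
            continue
        if fields is None:
            raise ValueError("log data has no #Fields header")
        tokens = raw.split()
        if len(tokens) != len(fields):
            yield {"malformed": raw}
            continue
        yield dict(zip(fields, tokens))


def find_deployment_exposure(text, allowed_ips=ALLOWED_DEPLOYMENT_IPS, window=CORRELATION_WINDOW):
    """Return (findings, malformed_lines).

    Each finding is a deployment.aspx request from an IP outside `allowed_ips`,
    i.e. a request the mitigation would have denied. Severity is raised to
    "high" when that IP also sent Agent.aspx requests within `window` afterwards.
    """
    first_deploy_hit = {}            # ip -> earliest deployment.aspx timestamp
    agent_hits = defaultdict(list)   # ip -> [(timestamp, user-agent), ...]
    malformed = []

    for rec in parse_w3c(text):
        if "malformed" in rec:
            malformed.append(rec["malformed"])
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        stem = rec["cs-uri-stem"].lower()   # IIS paths are case-insensitive
        ip = rec["c-ip"]
        if stem.endswith("/deployment.aspx") and ip not in allowed_ips:
            first_deploy_hit.setdefault(ip, ts)
        elif stem.endswith("/agent.aspx"):
            agent_hits[ip].append((ts, rec["cs(User-Agent)"]))

    findings = []
    for ip, first in sorted(first_deploy_hit.items()):
        follow_ups = [ua for ts, ua in agent_hits[ip] if first <= ts <= first + window]
        findings.append({
            "ip": ip,
            "first_deployment_hit": first.isoformat(),
            "agent_requests_after": len(follow_ups),
            "user_agents": sorted(set(follow_ups)),
            "severity": "high" if follow_ups else "medium",
        })
    return findings, malformed


if __name__ == "__main__":
    found, bad = find_deployment_exposure(SAMPLE_LOG)
    for f in found:
        print(f"[{f['severity']}] {f['ip']} hit deployment.aspx at {f['first_deployment_hit']}, "
              f"then {f['agent_requests_after']} Agent.aspx request(s) {f['user_agents']}")
    for line in bad:
        print("[malformed] " + line)
```

Run against the real log directory by reading each file and passing its contents to find_deployment_exposure with your own allowlist. Because the mitigation only denies new deployment.aspx requests, any "high" finding from before the block was applied describes a source that completed the agent handshake and should be investigated rather than assumed to be blocked.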
