An SQL injection vulnerability has been identified in the ConnectWise Automate server component that processes incoming agent data. This vulnerability leads to remote code execution on any connected agent, including the server itself if the agent is installed there. The only authentication required to exploit the vulnerability is agent level, which is easily obtained on all unpatched servers that have not put the mitigation described below in place. Due to the severity, I have described only portions of the vulnerability and have not provided a POC. Partners are advised to apply the provided patches as soon as possible, regardless of whether the mitigation is in place.
Resources
- CVSS
- CVE-2020-14159
- Vendor Notice & Acknowledgement
- Vendor Patch & Mitigation Instructions
- Perch Security Write-Up (Enraged Duck)
Summary
- Risk: Critical
- Patched: Yes
- CVE ID: CVE-2020-14159
- Complexity: Medium-Low
- Affected Versions: 2020.5 and all prior
- Vulnerability Type: SQL Injection, Remote Code Execution
CVSS v3.1 Scoring
- CVSS Base Score: 10.0
- Impact Subscore: 5.8
- Exploitability Subscore: 3.9
- CVSS Temporal Score: 9.5
- CVSS Environmental Score: 9.5
- Modified Impact Subscore: 6.1
- Overall CVSS Score: 9.5
Timeline
- 2020/05/16
  - alleged reports to vendor about compromises
  - logs indicate attacks began on this day
- 2020/06/05
  - first public report of partner being compromised
- 2020/06/08
  - logs used to confirm attacks used vulnerability
  - POC and mitigation details sent to the vendor
  - CVE reservation request sent to Mitre
- 2020/06/09
  - reserved CVE ID sent to vendor
- 2020/06/10
  - vendor acknowledges vulnerability on website
  - vendor issues mitigation instructions
  - vendor applies mitigation to cloud partners
  - vendor begins releasing patches for vulnerability
- 2020/06/15
  - CVE-2020-14159 published by Perch Security
- 2020/06/17
  - partial vulnerability details disclosed
Mitigation
The mitigation involves blocking outside access to the deployment.aspx endpoint. This endpoint is required to obtain the information needed to begin communication with the server as an agent, so blocking it denies an attacker the agent-level access the exploit depends on. The block can be put in place using several methods.
- IIS Deny Sequence
  - Open IIS Manager > Sites > Default Site > LabTech.
  - Open the Request Filtering option and choose the URL tab.
  - Choose Deny Sequence in the action menu and enter deployment.aspx.
- NGINX Location Block
    # Only the listed public IPs may reach the enrollment endpoint; everyone else is denied.
    location ~* ^/labtech/deployment\.aspx {
        allow allowed.public.ip.1;
        allow allowed.public.ip.2;
        deny all;
        proxy_pass https://your.automate.server;
    }
Details
In order to exploit this vulnerability the attacker must establish agent communication and send a crafted HTTP request, including the SQL, to the agent endpoint. There are no restrictions on the injected SQL, as it is executed as the MySQL root user.
- Example PowerShell Request Body
    $requestBody = @{
        "0"    = "1"
        "max0" = "0.1"
        "min0" = "0.1"
        "sm0"  = "0.1"
        "0i0v" = "0.1"
        "0i0d" = "foo','1/1/2000 12:00:00 AM'); ${sql}; # -- "
    }
- Example IIS Log Entries
    2020-05-16 22:07:30 /Labtech/Deployment.aspx LINUX=3 443 - X.X.X.X Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:76.0)+Gecko/20100101+Firefox/76.0 - 200 0 0 660
    2020-05-16 22:07:30 /Labtech/Deployment.aspx LINUX=3 443 - X.X.X.X Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:76.0)+Gecko/20100101+Firefox/76.0 - 200 0 0 660
    2020-05-16 22:08:01 /LabTech/Agent.aspx 10=&0c1= 443 - X.X.X.X RestSharp/106.0.0.0 - 200 0 0 490
    2020-05-16 22:08:05 /LabTech/Agent.aspx i=1&c=22&l=3&p=4&AgentType=Type&CMD=10 443 - X.X.X.X RestSharp/106.0.0.0 - 200 0 0 366
    2020-05-16 22:08:06 /LabTech/Agent.aspx i=1&c=22&l=3&p=4&AgentType=Type&CMD=10 443 - RestSharp/106.0.0.0 - 200 0 0 335
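As an added detection example, not part of the advisory: the Python below parses IIS log lines in the layout of the entries above (the field order is assumed from those entries; the sample lines are constructed, with X.X.X.X and 10.0.0.5 as placeholder client addresses) and flags any client that fetched Deployment.aspx and then began Agent.aspx traffic within a short window, which is the sequence the log entries above show.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the advisory's entries; the last line is a
# normal agent check-in from an internal host that never touched Deployment.aspx.
SAMPLE_LOG = """\
2020-05-16 22:07:30 /Labtech/Deployment.aspx LINUX=3 443 - X.X.X.X Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:76.0)+Gecko/20100101+Firefox/76.0 - 200 0 0 660
2020-05-16 22:08:01 /LabTech/Agent.aspx 10=&0c1= 443 - X.X.X.X RestSharp/106.0.0.0 - 200 0 0 490
2020-05-16 22:08:05 /LabTech/Agent.aspx i=1&c=22&l=3&p=4&AgentType=Type&CMD=10 443 - X.X.X.X RestSharp/106.0.0.0 - 200 0 0 366
2020-05-16 22:15:00 /LabTech/Agent.aspx i=1&c=22&l=3&p=4&AgentType=Type&CMD=10 443 - 10.0.0.5 LabTech+Agent - 200 0 0 300
"""

# Field order assumed from the advisory's log excerpt (W3C extended format).
FIELDS = ["date", "time", "stem", "query", "port", "user", "client",
          "agent", "referer", "status", "substatus", "win32", "taken"]

def parse_iis(text):
    """Parse log lines into dicts; rows with an unexpected field count are skipped, not guessed."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, parts))
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows

def find_suspect_enrollments(rows, allowed_clients=(), window=timedelta(minutes=10)):
    """Return (client, first agent timestamp, user agent) for each client outside the
    allow list that hit Deployment.aspx and then Agent.aspx within `window`."""
    by_client = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)
    findings = []
    for client, events in by_client.items():
        if client in allowed_clients:
            continue
        events.sort(key=lambda r: r["ts"])
        deploy_times = [e["ts"] for e in events if e["stem"].lower() == "/labtech/deployment.aspx"]
        for e in events:
            if e["stem"].lower() != "/labtech/agent.aspx":
                continue
            if any(timedelta(0) <= e["ts"] - d <= window for d in deploy_times):
                findings.append((client, e["ts"].isoformat(), e["agent"]))
                break  # one finding per client is enough to trigger review
    return findings
```

Feed it the real log with the public IPs of sites that legitimately enrol agents in `allowed_clients`; a hit from anywhere else is worth checking against the agent table and the patch status of the server.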