Critical ConnectWise Vulnerability Explained

ConnectWise Manage, a popular business management software used by many IT companies and MSPs, was found to have a serious vulnerability that could potentially allow attackers to execute arbitrary JavaScript code on victim’s browsers. This vulnerability was discovered by security researcher from Securityium Pentester and was assigned CVE-2017-11727.

 

Vulnerability Details:

ConnectWise Manage is a web-based business management software that allows businesses to manage their workflow and automate their processes. The vulnerability discovered in ConnectWise Manage allows attackers to execute arbitrary client-side JavaScript code on victim’s browser when they click on a specially crafted link. This can allow attackers to perform various malicious activities such as session ID and data theft, bypassing CSRF protections, injection of iframes to establish communication channels and more.

 

The vulnerability exists in the ‘actionMessage’ parameter which is used to pass JSON data to the server-side application. Attackers can manipulate this parameter to include malicious JavaScript code, which will then be executed by the victim’s browser.

 

Exploit Code:

The following exploit code can be used to exploit this vulnerability: https://<domain>.com/v4_6_release/services/system_io/actionprocessor/Contact.rails?actionMessage=%7b%22payload%22%3a%22%7b%5c%22companyRecId%5c%22%3a19383%7d%22%2c%22payloadClassName%22%3a%22GetCompanyNameAction%vcdj%3cscript%3ealert(1111)%3c%5c%2fscript%3ex9uwe%22%7d&clientTimezoneOffset=-420&clientTimezoneName=Pacific+Standard+Time

“`

Affected Component:

The vulnerability is present in the ‘actionMessage’ parameter which includes json parameters(ContactCommon) in ConnectWise Manage version v2017.5.

 

Severity Level:

This vulnerability has a high severity level as it can potentially allow attackers to execute arbitrary JavaScript code on victim’s browsers, leading to session ID and data theft, bypassing CSRF protections and more.

 

Disclosure Timeline:

The vulnerability was reported to Mitre on July 29, 2017, and was publicly disclosed on August 1, 2017.

 

Mitigation:

To mitigate this vulnerability, users of ConnectWise Manage are advised to update to the latest version of the software which has the necessary security patches applied. Users should also be cautious when clicking on links from untrusted sources and should enable browser security features such as Content Security Policy (CSP) to prevent the execution of malicious JavaScript code.

 

Conclusion:

The discovery of this vulnerability highlights the importance of regularly testing web applications for vulnerabilities and promptly applying necessary security patches to ensure the safety and security of sensitive data. Vulnerabilities such as CVE-2017-11727 can be exploited by attackers to perform various malicious activities and can have serious consequences for businesses and individuals alike.