Cybersecurity Threat Advisory 0045-21: Critical XXE Vulnerability Discovered in ConnectWise Automate
This month, it was discovered that ConnectWise Automate versions 2021.6.131 and prior are vulnerable to exploits that allow threat actors to remotely execute code and access confidential data by performing XML external entity (XXE) injection attacks. The severity of this vulnerability is considered critical and should be patched immediately on all affected systems.
Technical Detail & Additional Information
WHAT IS THE THREAT?
Unpatched versions of ConnectWise Automate possess a weakly configured XML parser that does not properly validate user-supplied XML inputs, leaving the system vulnerable to XXE injection attacks.
With a weakly configured XML parser, an attacker may supply the system with a tainted XML input that causes the system to echo back the targeted data—often located in commonly named paths that may be easily guessed by an attacker, such as “file:///etc/passwd” in Unix-based systems—in the form of an error message. This can expose passwords, personally identifiable information (PII), and other confidential data that may be sold or used by the attacker to gain a foothold into the organization’s broader systems. XXE injections can also be used for denial of service (DOS) attacks, server-side request forgery (SSRF), and port scanning.
WHY IS IT NOTEWORTHY?
ConnectWise Automate is a key enterprise product for many Managed Services Providers. An XXE attack on an MSP’s unpatched instance of ConnectWise Automate can lead to the disclosure of confidential data and broad damage of infrastructure, severely impacting the activities of both the MSP and its customers.
WHAT IS THE EXPOSURE OR RISK?
ConnectWise Automate versions 2021.6.131 and prior are vulnerable to XXE attacks. Threat actors can use these attacks as the first step in a full-scale systems compromise—damaging infrastructure, exposing confidential data, and causing the targeted organization to suffer lost business and costly compliance violations.
WHAT ARE THE RECOMMENDATIONS?
If you have a cloud instance of ConnectWise Automate, no action is required. Cloud instances have already been patched. If your business has an on-premise instance, you should deploy the following patch, 18.104.22.168, as soon as possible: https://cwa.connectwise.com/release/2021/Patches/AutomatePatch_22.214.171.124.exe
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.