Critical Vulnerabilities in ConnectWise ScreenConnect, PostgreSQL JDBC, and VMware EAP (CVE-2024-1597, CVE-2024-22245)

ConnectWise has addressed a CVSS 10 vulnerability in its ScreenConnect product, a desktop and mobile support software providing fast and secure remote access solutions.

In addition to the critical vulnerability, ConnectWise also patched a high-severity path traversal vulnerability (CVSS: 8.4) in the same product, which attackers with high privileges can exploit.

ConnectWise has stated that the vulnerabilities were reported on February 13; CVE identifiers had not yet been assigned at the time of publishing.

Details of the Latest ScreenConnect Vulnerabilities

The critical vulnerability stems from an authentication bypass weakness, which attackers can exploit to gain access to confidential data or perform Remote Code Execution (RCE), without requiring user interaction.

Users are warned that all servers running ScreenConnect 23.9.7 and prior are vulnerable and require patching.

Is There A PoC Available for the ScreenConnect Vulnerability? What Is the Scope?

Researchers have already developed a Proof-of-Concept (PoC) exploit capable of exploiting the vulnerabilities and bypassing authentication on ScreenConnect servers.

More concerning, a Shodan search reveals over 8,000 results for ScreenConnect servers accessible over the internet.

Shodan results for ScreenConnect servers 

Given that ScreenConnect is a remote access solution, it is a highly sought-after target. With a PoC now available, exploitation attempts are expected imminently. In fact, ConnectWise has since reported in its advisory that it is receiving updates of compromised accounts, and has shared Indicators of Compromise (IoCs) related to attempted exploitation of the ScreenConnect vulnerabilities.

Here are the IP addresses observed in attacks:

  • 155.133.5[.]15
  • 155.133.5[.]14
  • 118.69.65[.]60

Administrators utilizing on-premise software are strongly advised to promptly update their servers to ScreenConnect version 23.9.8 to avoid exploitation of the vulnerabilities.

Use SOCRadar’s Vulnerability Intelligence to stay on top of hacker trends. Gain detailed information about identified vulnerabilities and easily determine whether any exploits have been detected for specific vulnerabilities.

SOCRadar’s Vulnerability Intelligence

Recent Vulnerability in PostgreSQL JDBC Driver Could Allow SQL Injection (CVE-2024-1597)

The PostgreSQL JDBC Driver, widely known as PgJDBC, is affected by a critical vulnerability with a maximum severity score of 10, for which a fix has been recently released.

The PostgreSQL JDBC Driver, written in Java, enables Java programs to establish connections to PostgreSQL databases using standard Java code that is independent of the database system.

CVE-2024-1597, the vulnerability affecting the driver, arises when the driver is used in a non-default configuration, allowing SQL injection attacks and even database takeovers.

Vulnerability card of CVE-2024-1597 (SOCRadar)

The vulnerability in the PostgreSQL JDBC Driver arises when the driver is used in PreferQueryMode=SIMPLE, a non-default configuration susceptible to SQL injection attacks in versions prior to the ones listed below:

  • 42.7.2
  • 42.6.1
  • 42.5.5
  • 42.4.4
  • 42.3.9
  • 42.2.8

How Could Attackers Exploit the CVE-2024-1597 Vulnerability in the PostgreSQL JDBC Driver?

Exploitation of CVE-2024-1597 in the PostgreSQL JDBC Driver involves manipulating numeric and string placeholders in a query. An attacker can supply values for a parameterized query in which a numeric placeholder, preceded by a minus sign, is followed by a string placeholder on the same line. This bypasses the driver's protection against SQL injection, potentially allowing the attacker to gain control over the database.
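As an added example (not code from the advisory or from pgjdbc), the following Python audit helper checks a deployment against the two conditions described above: a driver version older than the fixed release for its 42.x branch, and a connection configured with preferQueryMode=simple via the JDBC URL or via Properties. The hostname and versions in the sample are constructed, and treating a 'simple' value from either source as the effective mode is a conservative auditing assumption, not a statement of how pgjdbc merges the two.

```python
from urllib.parse import parse_qs

# Fixed releases per 42.x branch, as listed above; earlier patch levels are affected.
FIXED_PATCH = {7: 2, 6: 1, 5: 5, 4: 4, 3: 9, 2: 8}

def parse_version(version):
    """Turn '42.7.1' or '42.2.8.jre7' into a (major, minor, patch) tuple."""
    nums = []
    for part in version.strip().split("."):
        if not part.isdigit():
            break  # stop at suffixes such as 'jre7'
        nums.append(int(part))
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3])

def version_is_affected(version):
    """True when the driver predates the fixed release for its 42.x branch."""
    major, minor, patch = parse_version(version)
    if major != 42:
        return major < 42  # assumption: older major lines predate every listed fix
    if minor > 7:
        return False
    if minor < 2:
        return True  # 42.0.x and 42.1.x are older than every fixed release
    return patch < FIXED_PATCH[minor]

def effective_query_mode(jdbc_url, properties=None):
    """Collect preferQueryMode from the URL query string and a Properties dict; audit
    rule (assumption): 'simple' from either source wins, else last value or 'extended'."""
    values = []
    for key, vals in parse_qs(jdbc_url.partition("?")[2]).items():
        if key.lower() == "preferquerymode":
            values.extend(v.lower() for v in vals)
    for key, val in (properties or {}).items():
        if key.lower() == "preferquerymode":
            values.append(str(val).lower())
    if "simple" in values:
        return "simple"
    return values[-1] if values else "extended"

def assess(version, jdbc_url, properties=None):
    """Exposed to CVE-2024-1597 only when both conditions hold."""
    affected = version_is_affected(version)
    mode = effective_query_mode(jdbc_url, properties)
    return {"version_affected": affected, "query_mode": mode,
            "vulnerable": affected and mode == "simple"}

# Constructed sample deployment (not a real host): old driver plus simple mode.
SAMPLE_URL = "jdbc:postgresql://db.example.internal:5432/app?preferQueryMode=simple"
print(assess("42.7.1", SAMPLE_URL))
```

Upgrading to the fixed release for the branch in use closes the issue; leaving preferQueryMode at its default (extended) avoids the vulnerable configuration in the meantime.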

This vulnerability poses a severe threat to the security of databases, potentially leading to the exposure and tampering of critical data, including customer and corporate information.

SOCRadar’s comprehensive vulnerability monitoring can proactively detect security issues in your organization’s assets and components.

The Attack Surface Management (ASM) module provides rapid insights into vulnerabilities that affect your assets, allowing you to take quick actions and better prioritize patching operations.

SOCRadar’s Attack Surface Management

VMware EAP Is Vulnerable to CVE-2024-22245 and CVE-2024-22250

VMware advised administrators to remove an authentication plugin that was deprecated in 2021. The reason is that the plugin, the VMware Enhanced Authentication Plugin (EAP), is affected by two vulnerabilities that will not be patched.

The VMware Enhanced Authentication Plugin (EAP) was used to enable direct login when accessing the VMware vSphere Client via a web browser. VMware EAP is a client-side plugin, not a plugin for vCenter Server, ESXi, or Cloud Foundation.

Details of the VMware EAP Vulnerabilities

Malicious actors can exploit the vulnerabilities, CVE-2024-22245 (CVSS: 9.6) and CVE-2024-22250 (CVSS: 7.8), to relay Kerberos service tickets and gain control of privileged EAP sessions.

VMware explains that attackers could deceive a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).

Vulnerability card of CVE-2024-22245 (SOCRadar)

Additionally, due to CVE-2024-22250, a malicious actor with unprivileged local access to a Windows operating system can hijack a privileged EAP session when initiated by a privileged domain user on the same system.

Vulnerability card of CVE-2024-22250 (SOCRadar)

VMware currently has no evidence indicating that the security vulnerabilities have been exploited in the wild.

How to Fix the Vulnerabilities in VMware EAP? Are There Alternatives to the Plugin?

While the deprecated VMware EAP is not installed by default, administrators with the plugin installed must remove both the in-browser plugin (VMware Enhanced Authentication Plugin 6.7.0) and the Windows service (VMware Plugin Service) to address the CVE-2024-22245 and CVE-2024-22250 vulnerabilities.

VMware has published a security article offering guidance on removing the deprecated VMware EAP plugin. Additionally, administrators are encouraged to explore alternative authentication methods, such as Active Directory over LDAPS, Microsoft Active Directory Federation Services (ADFS), Okta, and Microsoft Entra ID.

For more information on these vulnerabilities, visit VMware’s official advisory.

Article Link: https://socradar.io/critical-vulnerabilities-in-connectwise-screenconnect-postgresql-jdbc-and-vmware-eap-cve-2024-1597-cve-2024-22245/