ConnectWise Discloses Flaw In Welcome ‘About Face,’ Partners Say
‘No one is immune to security issues. You can take the avenue of trying to act like you don’t have problems and then make everybody skeptical, or you can disclose the problems that you’re aware of and take care to build that trust factor,’ says Zac Paulson, CEO of True IT, a ConnectWise partner.
ConnectWise partners praised the company’s first-ever security bulletin, saying it shows the organization has embraced the responsibility it has to its partners to fix and announce vulnerabilities when they are discovered.
“ConnectWise is following through on their promise to keep their partners secure,” said Mark Essayian, president of KME Systems, an MSP partner of ConnectWise in Lake Forest, Calif. “They are. I do believe that their executive management is looking at two things: this can put us out of business, and they have an ethical responsibility to their partners. I think both are in play.”
Tampa, Fla.-based ConnectWise on Wednesday announced on its “Trust” site that it had released a hotfix for an issue with an API in the cloud version of ConnectWise Automate. It also included a link to resources that partners with on-premise version of the product could use.
“ConnectWise is aware of a vulnerability in a ConnectWise Automate API that could potentially allow a remote user to execute modifications within an individual Automate instance. This affects on-premise and cloud based versions of the product,” the company stated on its website.
The move represents a commitment to more public engagement around security, spearheaded by the company’s new director of information security, Tom Greco.
“If there are things that are found that our partners need to know about, we want that to be proactively communicated,” he told CRN in March.
[RELATED: ConnectWise Control 'Attack Chain' Exploit: 20 Questions For Security Researcher Bishop Fox]
Zac Paulson, CEO of True IT, an MSP in West Fargo, N.D. that uses ConnectWise, called the platform his “biggest risk” given its demonstrated ability to spread ransomware. He agreed with Essayian’s assessment that the company is following through on its commitment to partners.
“They did an about face from last time when they tried to deflect or ignore the issue,” he said. “No one is immune to security issues. You can take the avenue of trying to act like you don’t have problems and then make everybody skeptical, or you can disclose the problems that you’re aware of and take care to build that trust factor. I think it’s a positive.”
ConnectWise has taken a more proactive approach with security since several lapses starting with the infamous Wipro hack then last August when a high profile attack in Texas was carried out using ConnectWise Control. That led to sites in more than 20 communities being infected with ransomware. Following the attack, noted security researchers at Bishop Fox took a closer look at the platform and it found eight, zero-day vulnerabilities which it disclosed in January. Bishop Fox said that ConnectWise had threatened one of their security researchers with litigation if he revealed the zero-days after the standard 90-day wait, but it published the findings regardless.
ConnectWise CEO Jason Magee told CRN in April that he believes the dispute between his team and Bishop Fox was the result of a “communications breakdown.” He said the security bulletins as well as other initiatives are meant to stop that from happening again.
“What transpired there was, I would say, a communications breakdown,” he said. “Between both companies, I would say. I was satisfied that our team rallied when our team was initially approached and solved many of the issues. The areas that didn’t meet my needs, we have changed internally, from a process standpoint to help remove further communication breakdown in these scenarios.”
In March, ConnectWise said it would begin a “shift left” initiative to start talking about security earlier in the product development cycle, as well as a push to make the company more transparent when it did find flaws in its products. Greco told CRN at the time that he hoped to be more up front about building the company’s security brand in the marketplace.
“This isn’t to say we haven’t shifted left in the past, but how are we making it better?” he said in at the time. “Even with the existing security controls, I don’t think we’ve told anybody what we do from a security perspective, so part of building our brand, we want to start being more transparent about the controls that we do offer and how we’re making them better.”
Greco said that process involves looking at ways the product can be abused, and fixing those issues before hackers figure it out.
“We’re increasing our use of abuse case development so we can understand if and how some of the features might be used maliciously and we can turn those into test cases as well,” he said. “So we can do functional testing of those to see if they truly are susceptible.”
Essayian said “there isn’t a manufacturer under the sun” who doesn’t have some security flaws, so he is grateful that the company has become forthcoming about acknowledging them.
“For me to complain about them individually is disingenuous,” he said. “They have some smart people and their CEO (Jason Magee) takes it seriously. They announced they have a problem. They said it quickly. They put a hotfix in if you’re in the cloud. That’s why we’re in the cloud.”
In addition to looking at security issues earlier in product development, and being transparent when they are found, Greco said the company is opening up a bug bounty program through Hacker One, which recruits and vets hackers who then get access to software in environments where they can test it.
“They managed a population of testers from all over the world,” he said. “We may have SOC-2 certification, we may have controls in place, but I’m not satisfied. This is an additional layer of security.”