ConnectWise’s R1Soft Vulnerability: Huntress Researcher Answers Five Questions

Caleb Stewart, one of the Huntress researchers who worked on an exploit that could have infected thousands of ConnectWise customers, tells CRN, ‘It’s great we were able to find it.’

A security exploit in ZK, an application for Java developers, was later found to be a backdoor that would have allowed threat researchers with Huntress to install ransomware on ConnectWise R1Soft, which manages backup servers, as well as any agents those servers were connected to.

Huntress researchers John Hammond and Caleb Stewart worked on the exploit together, when it was introduced as a way to bypass authentication and login to R1Soft – with admin privileges.

“We caught wind of this and thought, ‘Wow. There’s a significant impact even in just that authentication bypass. And then the sensitive file leak and other information you might be able to retrieve, so we decided to look into it,” Hammond said. “We thought can this be weaponized further? Because a backup server, that’s potentially a crown jewel for a threat actor.”

The vulnerability was first discovered earlier this year by Markus Wulftange, a senior penetration tester with Code White, a German cybersecurity firm. It was patched by ZK, which sent out an advisory along with a new version of the product, Huntress said.

However, ConnectWise R1Soft server backup manager used an unpatched version. The two said by chaining together developer software, they were finally able to send remote code. Then running Shodan, the server search engine, the team was able to see how many potential targets they could infect.

ConnectWise patched the software on Friday, sending hotfixes to all cloud-connected products. ConnectWise has not responded to attempts to reach them for comment. A ConnectWise user reached Friday said the company has improved considerably in how it handles security for its MSP partners.

The project took Huntress about two weeks to carry out.

Meanwhile, Huntress’ Stewart talked with CRN about the satisfaction of being able to work on a security flaw before the criminals get to it as well as how dangerous this could have been. Here’s what Stewart had to say.

How was this exploit discovered?

Essentially what happened is a separate researcher, who is not with Huntress, reported a vulnerability to a web framework ZK. That is a java framework for making web applications. He reported this vulnerability back in May to (ZK) That was reported to them and that bug was patched.

However, the ConnectWise product, R1Soft server backup manager, used an older version of that ZK framework. Because of that, the product was vulnerable to the original.

The original researcher that reported that tried to bring that up with ConenctWise and was going through their internal process. It was taking some length of time and he posted on Twitter about it.

It looked like something that could effect our customers. So we hopped in and had a look at the things he had found.

We also were able to replicate that third-party researcher’s findings and be able to replicate it internally and take it a step further.

It appeared to be a sensitive information disclosure that you could use to leak some information from the page without authentication but it hadn’t been taken any further than that. What we were we able to do is prove that not only is it that it’s an sensitive information disclosure, that is true, but also it was an full authentication bypass and you can use that to actually exploit the server and get remote code execution.

Because it’s a backup manager that manages a lot of other machines, other hosts, other agents, we can actually leverage that to get code execution on the registered agents as well, that the back up manager managed.

How do you know you could have infected 5,000 servers? Where did that number come from?

Using a tool called Shodan. You can search the internet for things that are connected to the internet. Long story, short: they scan the entire internet and find things that are running. Using that tool we were able to search for servers that were running this software. That is where the 5,000 comes from.

Once we were able to replicate it in our own lab we were able to say with confidence that, because there is no patch, if we were bad actors we could have reached out to all these 5,000 and exploited all of them. Not just those servers themselves, but also any of the agents they manage as well.

Did you put any number on the number of devices you could have infected?

There’s no way to know how many agents were connected to those managers directly, so the only number we can say for sure are those 5,000 we saw on Shodan. It’s feasible to think that if those are being used in a real life deployment at least has more than one agent connected to it.

Is there a moment when you are like, “I’m glad we found this and not the other way around”?

Absolutely. We had lots of those conversations while we were working internally and just trying to replicate this thing, and just trying to determine how bad it could be. Also, aside from just proving it, the work we did to replicate it helps because we were able to very quickly pull the patch down and install it, and test our implementation of the exploit. So with our implementation of the exploit, based on everything I’m seeing today, the patch appears to be successful. We were able to say that very quickly, which is good.

This seems like a textbook outcome, right? From finding it to discovering how bad it is, to seeing a patch rolled out. This happening before an infection, just seems like the best case scenario?

I think it’s great we were able to find it. We were able to kind of work closely with ConnectWise to figure out to not only help us to protect our customers and the people we are protecting, but being able to push that information back through ConnectWise and get the solution out as quickly as possible.