CVE-2023-25718

In ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect), after an executable file is signed, additional instructions can be added without invalidating the signature, such as instructions that result in offering the end user a (different) attacker-controlled executable file. It is plausible that the end user may allow the download and execution of this file to proceed. There are ConnectWise Control configuration options that add mitigations. NOTE: this may overlap CVE-2023-25719. NOTE: the vendor's position is that this purported vulnerability represents a "fundamental lack of understanding of Authenticode code signing behavior."

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://cybir.com/2022/cve/connectwise-control-dns-spoofing-poc/	Not Applicable
https://www.connectwise.com	Product
https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-security-disclosures
https://www.huntress.com/blog/clearing-the-air-overblown-claims-of-vulnerabilities-exploits-severity

Configurations

Configuration 1 (hide)

cpe:2.3:a:connectwise:control:*:*:*:*:*:*:*:*

History

07 Nov 2023, 04:09

Type	Values Removed	Values Added
Summary	DISPUTED In ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect), after an executable file is signed, additional instructions can be added without invalidating the signature, such as instructions that result in offering the end user a (different) attacker-controlled executable file. It is plausible that the end user may allow the download and execution of this file to proceed. There are ConnectWise Control configuration options that add mitigations. NOTE: this may overlap CVE-2023-25719. NOTE: the vendor's position is that this purported vulnerability represents a "fundamental lack of understanding of Authenticode code signing behavior."	In ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect), after an executable file is signed, additional instructions can be added without invalidating the signature, such as instructions that result in offering the end user a (different) attacker-controlled executable file. It is plausible that the end user may allow the download and execution of this file to proceed. There are ConnectWise Control configuration options that add mitigations. NOTE: this may overlap CVE-2023-25719. NOTE: the vendor's position is that this purported vulnerability represents a "fundamental lack of understanding of Authenticode code signing behavior."

22 Aug 2023, 19:16

Type	Values Removed	Values Added
Summary	In ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect), after an executable file is signed, additional instructions can be added without invalidating the signature, such as instructions that result in offering the end user a (different) attacker-controlled executable file. It is plausible that the end user may allow the download and execution of this file to proceed. There are ConnectWise Control configuration options that add mitigations. NOTE: this may overlap CVE-2023-25719.	DISPUTED In ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect), after an executable file is signed, additional instructions can be added without invalidating the signature, such as instructions that result in offering the end user a (different) attacker-controlled executable file. It is plausible that the end user may allow the download and execution of this file to proceed. There are ConnectWise Control configuration options that add mitigations. NOTE: this may overlap CVE-2023-25719. NOTE: the vendor's position is that this purported vulnerability represents a "fundamental lack of understanding of Authenticode code signing behavior."

05 Mar 2023, 20:15

Type	Values Removed	Values Added
References		(MISC) https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-security-disclosures - (MISC) https://www.huntress.com/blog/clearing-the-air-overblown-claims-of-vulnerabilities-exploits-severity -
Summary	The cryptographic code signing process and controls on ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect) are cryptographically flawed. An attacker can remotely generate or locally alter file contents and bypass code-signing controls. This can be used to execute code as a trusted application provider, escalate privileges, or execute arbitrary commands in the context of the user. The attacker tampers with a trusted, signed executable in transit.	In ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect), after an executable file is signed, additional instructions can be added without invalidating the signature, such as instructions that result in offering the end user a (different) attacker-controlled executable file. It is plausible that the end user may allow the download and execution of this file to proceed. There are ConnectWise Control configuration options that add mitigations. NOTE: this may overlap CVE-2023-25719.

23 Feb 2023, 15:24

Type	Values Removed	Values Added
CWE		CWE-347
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CPE		cpe:2.3:a:connectwise:control::::::::
First Time		Connectwise Connectwise control
References	~~(MISC) https://www.connectwise.com -~~	(MISC) https://www.connectwise.com - Product
References	~~(MISC) https://cybir.com/2022/cve/connectwise-control-dns-spoofing-poc/ -~~	(MISC) https://cybir.com/2022/cve/connectwise-control-dns-spoofing-poc/ - Not Applicable

13 Feb 2023, 20:49

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-02-13 20:15

Updated : 2024-04-11 01:19

NVD link : CVE-2023-25718

Mitre link : CVE-2023-25718

CVE.ORG link : CVE-2023-25718

JSON object : View

Products Affected

connectwise

control

CWE

CWE-347

Improper Verification of Cryptographic Signature

9.8 /10