This article will provide technical information regarding incident reports Huntress has sent you as a result of the ScreenConnect Vulnerability found on February 19th, 2024. For all other information, please see this blog post.
Am I really affected?
If you received an incident report for this ScreenConnect Vulnerability, that means we saw some version of the Server Component on that host. This does include workstations. Below is a guide on how to tell which ScreenConnect Server Autoruns we found on your host so you can quickly find and update or remove them.
To make it easy, here is a list of the vulnerable components to look for:
- ScreenConnect Relay
- ScreenConnect Security Manager
- ScreenConnect Session Manager
- ScreenConnect Web Server
These hosts need to be on version 23.9.8. Please see the official ConnectWise ScreenConnect advisory for more patch information.
How to find all ScreenConnect Autoruns on your Host
1. Navigate to your affected host.
2. Click "Autoruns"
3. Click "All"
4. Click the "Search:" field.
5. Type "ScreenConnect"
6. You should see a list of all the ScreenConnect Services on that host
Again, the vulnerable components to look for:
- ScreenConnect Relay
- ScreenConnect Security Manager
- ScreenConnect Session Manager
- ScreenConnect Web Server
How do I verify my host has been successfully patched?
We have two methods you can use to quickly identify if your hosts have been patched.
- Running the following PowerShell command:
  Get-FileHash 'C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Service.exe'
  If the host has been patched, you should see one of the following hashes as the output:
  - 9EDBABFCFFA9E65C31E835F7A337DF5DFCC17349B05DAA90D300350E21F9B7EF (version 23.9.8.8811)
  - 89F85B542B6E08DB997D749C259A739C17E112E2986AC2549196A6362C0E12F9 (version 23.9.10.8817)
- Looking at the HTTP response Server header when on the ScreenConnect web interface, which should tell you the outright version number.
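The first method above as a script that also lists the ScreenConnect services on the host; this is an added example, not Huntress or ConnectWise code. The function name Test-ScreenConnectPatched and the service filter (display names beginning with "ScreenConnect") are assumptions; the path and hashes are the ones given in this article.

```powershell
# Added example. SHA256 hashes of the patched builds, as listed in this article.
$KnownPatched = @{
    '9EDBABFCFFA9E65C31E835F7A337DF5DFCC17349B05DAA90D300350E21F9B7EF' = '23.9.8.8811'
    '89F85B542B6E08DB997D749C259A739C17E112E2986AC2549196A6362C0E12F9' = '23.9.10.8817'
}

function Test-ScreenConnectPatched {
    # Hypothetical helper name; default path is the one used in the article.
    param(
        [string]$Path = 'C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Service.exe'
    )

    $result = [ordered]@{
        Path           = $Path
        Status         = 'NotFound'
        MatchedVersion = $null
        FileVersion    = $null
        SHA256         = $null
    }

    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $result.SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $result.FileVersion = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion

        if ($KnownPatched.ContainsKey($result.SHA256)) {
            $result.Status         = 'Patched'
            $result.MatchedVersion = $KnownPatched[$result.SHA256]
        } else {
            # Not one of the two listed builds: either an older build that still
            # needs updating, or a release newer than this article covers.
            $result.Status = 'Unverified'
        }
    }

    [pscustomobject]$result
}

# List installed ScreenConnect services so server components (Relay, Security
# Manager, Session Manager, Web Server) can be told apart from other entries.
# Assumption: the service name or display name starts with "ScreenConnect".
Get-CimInstance -ClassName Win32_Service `
    -Filter "Name LIKE 'ScreenConnect%' OR DisplayName LIKE 'ScreenConnect%'" |
    Select-Object Name, DisplayName, State, PathName |
    Format-Table -AutoSize -Wrap

Test-ScreenConnectPatched | Format-List
```

A Status of "Unverified" only means the hash is not one of the two listed here; compare the reported FileVersion against the ConnectWise advisory before drawing a conclusion.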