ConnectWise R1Soft SMB Vulnerability Advisory | October 2022

Thousands of ConnectWise R1Soft backup servers are vulnerable to attack. Here's what you need to know.

Background

On October 28th, 2022, ConnectWise released an advisory detailing a critical security flaw in ConnectWise Recover and R1Soft Server Backup Manager (SBM) secure backup solutions. The vulnerability allows an attacker to access confidential data or execute code remotely. A security patch is available and should be applied as soon as possible.

Quick facts: what you need to know now

Impacted versions include R1Soft Server Backup Manager (SBM) v6.16.3 and earlier versions.
ConnectWise Recover SBMs have automatically been updated to the latest version of Recover (v2.9.9).
A patch is available (released October 28, 2022) by upgrading the server backup manager to SBM v6.16.4 using the R1Soft upgrade wiki.
Without a security patch, a remote attacker may be able to access confidential data or execute malicious code remotely on the backup servers. From there the attacker could conduct further exploitation including moving around the network or deploying ransomware.
Though the vulnerability does not yet appear to be under active exploitation, security researchers from Huntress Labs state the vulnerability gives them the ability to push ransomware through the 5,000 R1Soft servers that are publicly exposed on the internet.

Whelp, wasn’t expecting this ConnectWise RCE to become public today. Guess we’ll publish on Monday how @HuntressLabs went from a researcher’s tweet to the ability to push ransomware through ~5,000 R1Soft servers that are exposed on Shodan. #staytuned https://t.co/HroDdZ5NYI pic.twitter.com/mHLu6zpwic
— Kyle Hanslovan (@KyleHanslovan) October 28, 2022

R1Soft SBMs are popular with Managed Service Providers (MSPs). If you deploy this technology yourself, we urge you to follow the Next Steps below and apply a security patch. If this technology is run by an MSP on your behalf, please get in touch with them to ensure they have taken the appropriate steps.

Unfortunately, yes. Tons of cloud hosting providers, MSPs, etc..
— Kyle Hanslovan (@KyleHanslovan) October 28, 2022

Next Steps for All ConnectWise R1Soft SMB Customers:

We encourage your organization to take the following steps to mitigate against potential attack:

Upgrade the server backup manager to SBM v6.16.4 as soon as possible.
If the technology is deployed on your behalf by an MSP, ensure they have mitigated this asset against potential attack.

Resources

http://wiki.r1soft.com/display/ServerBackupManager/Install+and+Upgrade+Server+Backup+Manager+on+Linux.html

https://www.bleepingcomputer.com/news/security/connectwise-fixes-rce-bug-exposing-thousands-of-servers-to-attacks/amp/

If you have any questions, please reach out to the Risk + Response Team at services@corvusinsurance.com!