CVE-2023-47257: 
ScreenConnect Server vulnerability analysis and mitigation

CVE-2023-47257 affects ConnectWise ScreenConnect through version 23.8.4, a widely used remote support and remote administration tool. The vulnerability was discovered on October 30th by Dennis Carlson at Gotham Security and allows man-in-the-middle attackers to achieve remote code execution via crafted messages. The issue was promptly addressed by ConnectWise, with a patch released on November 20th, 2023 (Vendor Advisory, Gotham Security).

The vulnerability exists within the ScreenConnect.SocketEndpointManager.RunIncomingThread function in ScreenConnect.Core.dll. The flaw allows attackers to bypass socket encryption and relay validation by sending a fake SessionInfoMessage to complete the handshake. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 HIGH (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-94 (Improper Control of Generation of Code) (NVD).

If exploited, the vulnerability allows attackers to perform Remote Code Execution (RCE) as 'NT AUTHORITY\System' on Windows systems or as privileged user accounts on Linux/Mac systems where the ScreenConnect client is installed. This level of access extends beyond just the ScreenConnect component and could potentially affect all network-connected systems with the client installed (Gotham Security).

ConnectWise has released version 23.8.5 to address this vulnerability. Cloud instances are being automatically updated on a rolling schedule, but administrators can manually force the update through cloud.screenconnect.com. For on-premise installations, users should upgrade to ScreenConnect version 23.8.5 and update their guest clients to the same version (Vendor Advisory).