ConnectWise sent out a notification this afternoon to all partners indicating that they have found some type of security vulnerability with the ConnectWise-written and supplied integration to Kaseya. They have a KB article specifically directing users to apply an IP restriction to the KaseyaCWWebservice directory that ConnectWise creates.
At issue here is the fact that their KB article will not actually accomplish *anything*, as they are having you run an IP restriction on the directory to restrict connections to only allow from your ConnectWise server and localhost. This is done in IIS and, as any of us who have a relatively up-to-date installation of Kaseya know, there is now an edge gateway service from Kaseya handling connections, so that from IIS's perspective *all* connections come from localhost...
I've submitted a ticket back to Connectwise pointing this fact out to them. I'm unsure at this point in time exactly how big the security hole is, or what other mitigation steps may be possible for it.
I made the changes in the article and it looks like it gives the Not Found page if I hit it from an unlisted IP.
I am using https://KaseyaServer/KaseyaCWWebService/ManagedIT.asmx
If I add my IP to the allow list it displays the page correctly. When I do not have it I get the Not Found.
To me it looks like it is working, or at least not showing me that page.
I really hope they update the whole thing and just do not patch this. I have requested updates from CW on this since it is super old. I would really love for them to add a URI link to live connect for a managed asset.
I agree that this looks like 127.0.0.1 should do nothing. I even checked my IIS log and it shows all requests as 127.0.0.1, but like I said, when I remove my IP from the allow list I do get that Not Found page.
Maybe the edge service is doing something we do not see.
Thanks for posting this. ConnectWise did not send this alert to us. We did receive our bill and an IT Nation invitation. I'm glad I visit these forums on a regular basis!
We also made the modifications. It does lock down only CW access to the application site, but that is probably for the best. Verified from the CW server we can open up the page, and elsewhere cannot.
FYI: we received this directly from Connectwise on Monday 4:35pm
Hello ConnectWise Partner,
A recent security vulnerability has been discovered on Kaseya servers when the ConnectWise Web Service is installed on it. The vulnerability allows multiple operations to be performed on the Kaseya server through the ConnectWise Web Service without authentication. At this time, no malicious reports have been submitted from our partners. This security vulnerability only applies to the Kaseya server. This does not affect your ConnectWise Manage server.
A Knowledge Base Article has been created to help mitigate risk by updating settings for the ConnectWise Web Service. Our Development Team has already started on a solution to address the ConnectWise Web Service which will be released by Quarter 1 2018.
Click here to review the Knowledge Base Article
We understand the impact this vulnerability can have on your company so we are prepared to discuss further with you. If you would like to speak with a representative at ConnectWise, please email Help@ConnectWise.com.
The ConnectWise Manage Product Management Team
I have tried finding the ConnectWise Knowledge Base Article but have had no luck so far. Would you be able to tell me what it is?
I found the KB article if anyone else needs it. docs.connectwise.com/.../Kaseya_-_IP_and_Domain_Restrictions
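The IIS log check one poster describes above (every request to the integration logged as 127.0.0.1) can be repeated with a short script. This is an added example, not part of the thread or of ConnectWise's KB article; the sample log lines, port and timestamps are constructed, and the parser assumes IIS W3C extended logging with the `c-ip`, `cs-uri-stem` and `sc-status` fields enabled.

```python
import ipaddress
from collections import Counter

# Constructed sample in IIS W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2017-11-14 21:02:11 127.0.0.1 GET /KaseyaCWWebService/ManagedIT.asmx - 18081 - 127.0.0.1 Mozilla/5.0 200 0 0 31
2017-11-14 21:03:40 127.0.0.1 GET /KaseyaCWWebService/ManagedIT.asmx - 18081 - 127.0.0.1 Mozilla/5.0 404 0 0 2
2017-11-14 21:04:05 127.0.0.1 POST /KaseyaCWWebService/ManagedIT.asmx - 18081 - 127.0.0.1 - 200 0 0 48
2017-11-14 21:04:09 127.0.0.1 GET /other/page.aspx - 18081 - 127.0.0.1 Mozilla/5.0 200 0 0 12
"""

def _is_loopback(value):
    """True only for a syntactically valid loopback address."""
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False

def audit(log_text, prefix="/kaseyacwwebservice"):
    """Tally client IPs and status codes for requests under `prefix`."""
    fields, clients, statuses = [], Counter(), Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The column layout can change mid-file, so re-read it each time.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().startswith(prefix):
            continue
        clients[row.get("c-ip", "?")] += 1
        statuses[row.get("sc-status", "?")] += 1
    # If every logged client is loopback, the log cannot identify remote callers.
    all_loopback = bool(clients) and all(_is_loopback(ip) for ip in clients)
    return {"clients": dict(clients), "statuses": dict(statuses),
            "all_loopback": all_loopback}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

When `all_loopback` is true, the log alone cannot show which remote address made a request, so the restriction still has to be confirmed by requesting the page from a listed and an unlisted host, as the posters above did.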