Jump to content

Recommended Posts

I am posting this as a reminder to everyone here, keep your automate up-to-date. Connectwise has decided to include security patches in the monthly updates, without notifying anyone. As a result, what may seem like a lackluster feature update may include critical security updates.

An example I just published is a privilege escalation bug that was in all versions of Automate below 2020.8. It was patched in 2020.8 after I reported it, but they didn't announce it in any way. They didn't even tell me it was fix, I had to find out through testing. Now, this isn't a critical one, it expands access once a system is infected already, but it's also not exactly trivial. Who know how many security flaws are being patched every month. How many people don't bother publishing their findings, and just hope Connectwise fixes it.

 

My post: https://dbeta.com/2020/10/07/PrivilegeEscalationInAutomateAgent

Edited by danialbulloch
Updated Link to correct date.
  • Like 1
  • Thanks 2
Link to post
Share on other sites

No kidding. Didn't consider that, but yes, if you had exclusions setup for the update process, those are now invalid. Or any system that might have had to do with the update system. Although you really shouldn't have AV exclusions pointing anywhere a standard user can write files.

Again, without telling us, anything could change and we wouldn't know until we investigated a system breaking.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...