SAML: Privilege Escalation to SC_Admin by editing App Registration manifest
We currently allow clients to use our Connectwise Control to access their own computers. We have done this using internal accounts with custom roles that limit the machines they are able to see.
With the introduction of SAML and OAUTH they have begun asking if we can add their directories so they don't have to remember additional credentials to our system.
During the process of doing this, it became apparent that the roles these people receive are actually controlled by the approle "value" in the App Registration Manifest which is controlled by my client.
If they simply replace the role I want them to have with "SC_ADMIN", they become unfettered admins of my Control instance allowing them to take control of any machine in the system. I've already PoC'd this.
Other authentication sources are also likely vulnerable to this type of attack. If we were to connect LDAP to multiple Active Directories, all it would take is for someone to put themselves into a security group called "SC_ADMIN" and they would also be able to gain control.
My recommendation would be to add a field that limits the roles available to a given authentication source.
Customer support service by UserEcho
Which IdentityProvider have you integrated into ConnectWise Control for SAML?
From an implementation point of view I don't see a bug with this but rather a feature request. If a User has access to control their own groups/roles within an Active Directory then they are basically Administrators within that IdP.
Just because my client is an admin of their own Azure AD doesn't mean I want them to be able to be an admin of my Control instance.
Please explain to me the purpose of allowing multiple authentication sources if you aren't going to centrally limit the levels of access for each.
Allowing my clients to remote control their own computers is a supported solution. You guys helped me set this up.
Please move this back to being a bug. This is serious.