Headline
CVE-2021-30116: Kaseya Case Update 2
Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\Program Files (x86)\Kaseya\XXXXXXXXXX\KaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. Security issues discovered — * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact — Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.
04 Jul 2021 - Victor Gevers
During the last 48 hours, the number of Kaseya VSA instances that are reachable from the internet has dropped from over 2.200 to less than 140 in our last scan today. And, by working closely with our trusted partners and national CERTs, the number of servers in The Netherlands has dropped to zero. A good demonstration of how a cooperative network of security-minded organizations can be very effective during a nasty crisis.
By now, it is time to be a bit more clear on our role in this incident. First things first, yes, Wietse Boonstra, a DIVD researcher, has previously identified a number of the zero-day vulnerabilities [CVE-2021-30116] which are currently being used in the ransomware attacks. And yes, we have reported these vulnerabilities to Kaseya under responsible disclosure guidelines (aka coordinated vulnerability disclosure).
Our research into these vulnerabilities is part of a larger project in which we investigate vulnerabilities in tools for system administration, specifically the administrative interfaces of these applications.
These are products like Vembu BDR, Pulse VPN, Fortinet VPN, to name a few. We are focusing on these types of products because we spotted a trend where more and more of the products that are used to keep networks safe and secure are showing structural weaknesses.
After this crisis, there will be the question of who is to blame. From our side, we would like to mention Kaseya has been very cooperative. Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions. Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.
After the first reports of ransomware occurred, we kept working with Kaseya, giving our input on what happened and helping them cope with it. This included giving them lists of IP addresses and customer IDs of customers that had not responded yet, which they promptly contacted by phone.
So, in summary: DIVD has been in a Coordinated Vulnerability Disclosure process with Kaseya, who was working on a patch. Some of these vulnerabilities were used in this attack. Kaseya and DIVD collaborated to limit the damage wherever possible.
As more details become available, we will report them on our blog and case file.
Updated statistics:
Last modified: 18 Jan 2023 13:28
Related news
In this post, we break down 5 times hackers used security vulnerabilities in 2021 to attack governments and businesses. The post Security vulnerabilities: 5 times that organizations got hacked appeared first on Malwarebytes Labs.