Friday, July 23, 2021

Kaseya releases patches for flaws exploited in the REvil ransomware attack

Florida-based software vendor Kaseya on Sunday rolled out a security update for the VSA zero-day vulnerabilities that the REvil ransomware gang exploited in its massive supply-chain ransomware attack.

Kaseya VSA is a remote monitoring and management solution commonly used by managed service providers (MSPs) to support their customers. MSPs can deploy VSA on-premises on their own servers or use Kaseya's cloud-hosted SaaS offering.

The company said last week that fewer than 60 of its direct customers and fewer than 1,500 downstream businesses were affected by the supply-chain ransomware attack.

In response to the incident, the company had urged customers to shut down their on-premises VSA servers until a patch was available. Now, almost 10 days later, the firm has shipped VSA version 9.5.7a (9.5.7.2994) with fixes for three new security flaws:

  • CVE-2021-30116 – Credentials leak and business logic flaw
  • CVE-2021-30119 – Cross-site scripting vulnerability
  • CVE-2021-30120 – Two-factor authentication bypass

In April, the Dutch Institute for Vulnerability Disclosure (DIVD) reported seven vulnerabilities to Kaseya. Four of them had already been patched in previous versions:

  • CVE-2021-30117 – SQL injection vulnerability (Fixed in VSA 9.5.6)
  • CVE-2021-30118 – Remote code execution vulnerability (Fixed in VSA 9.5.5)
  • CVE-2021-30121 – Local file inclusion vulnerability (Fixed in VSA 9.5.6)
  • CVE-2021-30201 – XML external entity vulnerability (Fixed in VSA 9.5.6)

Besides these fixes, the latest version also remedies three other flaws:

  • Fixed an issue where the Secure flag was not being set on User Portal session cookies.
  • Fixed an issue where certain API responses contained a password hash, potentially exposing weak passwords to offline brute-force attack. The password value is now masked completely.
  • Fixed a vulnerability that could allow the unauthorized upload of files to the VSA server.

For additional security, Kaseya recommends restricting access to the VSA web GUI to local IP addresses by blocking inbound port 443 on the Internet-facing firewall.

Below are the basic steps that admins should perform before starting their VSA servers again and reconnecting them to the Internet:

  • Ensure the VSA server is isolated from the network
  • Check the system for indicators of compromise (IOCs)
  • Patch the operating system of the VSA server
  • Use URL Rewrite to control access to VSA through IIS
  • Install the FireEye agent
  • Remove pending scripts and jobs

Once the security update is installed, all users are required to reset their password and create a new one.
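As an added illustration of the two network-level recommendations above (restricting port 443 to local addresses and using URL Rewrite in IIS), the following PowerShell is not Kaseya's own script; the address ranges, the IIS site name and the rule names are assumptions chosen for this example:

```powershell
# Added example, not Kaseya's script: restrict the VSA web GUI (TCP 443) to
# internal address ranges before reconnecting the server to the Internet.
# $AllowedRanges, $AllowedRegex and $SiteName are assumptions; edit them so that
# the regex describes exactly the same networks as the range list.
# Run in an elevated PowerShell on the VSA server (IIS URL Rewrite module required).

$AllowedRanges = @('10.0.0.0/8', '192.168.0.0/16')   # assumed internal ranges
$AllowedRegex  = '^(10\.|192\.168\.)'                # same ranges, as a regex
$SiteName      = 'Default Web Site'                  # assumed IIS site hosting VSA
$RuleName      = 'Block non-local VSA access'

# 1. Disable every existing inbound allow rule for TCP 443 (for example the
#    default IIS "HTTPS Traffic-In" rule). Windows Firewall evaluates rules
#    additively, so a broad allow rule would otherwise bypass the narrow one below.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq 443 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Disable-NetFirewallRule

# 2. Allow 443 only from the internal ranges. The default inbound action of
#    Windows Firewall is Block, so traffic not matching this rule is dropped.
New-NetFirewallRule -DisplayName 'VSA HTTPS - internal only' `
    -Direction Inbound -Protocol TCP -LocalPort 443 `
    -RemoteAddress $AllowedRanges -Action Allow -Profile Any | Out-Null

# 3. Second layer inside IIS: a URL Rewrite rule that aborts any request whose
#    source address does not match $AllowedRegex, so the GUI stays unreachable
#    from outside even if the firewall rule is later loosened by mistake.
Import-Module WebAdministration
$PSPath = "MACHINE/WEBROOT/APPHOST/$SiteName"
$Rules  = 'system.webServer/rewrite/rules'
$Rule   = "$Rules/rule[@name='$RuleName']"

Add-WebConfigurationProperty -PSPath $PSPath -Filter $Rules -Name '.' `
    -Value @{ name = $RuleName; stopProcessing = 'True' }
Set-WebConfigurationProperty -PSPath $PSPath -Filter "$Rule/match" -Name 'url' -Value '.*'
Add-WebConfigurationProperty -PSPath $PSPath -Filter "$Rule/conditions" -Name '.' `
    -Value @{ input = '{REMOTE_ADDR}'; pattern = $AllowedRegex; negate = 'True' }
Set-WebConfigurationProperty -PSPath $PSPath -Filter "$Rule/action" -Name 'type' -Value 'AbortRequest'

# 4. Show the resulting state so it can be checked before the server goes back online.
Get-NetFirewallRule -DisplayName 'VSA HTTPS - internal only' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
Get-WebConfiguration -PSPath $PSPath -Filter $Rule | Select-Object name, stopProcessing
```

After running it, confirm from an address outside the allowed ranges that the VSA login page no longer answers on 443 before reconnecting the server, and keep the firewall rule as the primary control: the URL Rewrite rule only covers requests that IIS already accepted.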

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.
