Kaseya releases patches for flaws exploited in the REvil ransomware attack

Kaseya releases patches for flaws exploited in the REvil ransomware attack

Kaseya Florida-based software vendor On Sunday rolled out a security update for the VSA zero-day vulnerabilities exploited by the REvil ransomware gang in the massive ransomware supply chain attack.

Kaseya VSA is a remote management and monitoring solution commonly used by managed service providers to support their customers. MSPs can deploy VSA on-premise using their servers or utilize Kaseya’s cloud-based SaaS solution.

The company announced last week that fewer than 60 of its customers and less than 1,500 businesses have been impacted by the recent supply-chain ransomware attack.

In response to the incident, the company had urged customers to shut down their on-premise VSA servers until a patch was available. Now, almost 10 days later the firm has shipped VSA version 9.5.7a (9.5.7.2994) with fixes for three new security flaws —

  • CVE-2021-30116 – Credentials leak and business logic flaw
  • CVE-2021-30119 – Cross-site scripting vulnerability
  • CVE-2021-30120 – Two-factor authentication bypass

In April, the Dutch Institute for Vulnerability Disclosure (DIVD) disclosed seven vulnerabilities to Kaseya. Four of Them were already patched in previous versions

  • CVE-2021-30117 – SQL injection vulnerability (Fixed in VSA 9.5.6)
  • CVE-2021-30118 – Remote code execution vulnerability (Fixed in VSA 9.5.5)
  • CVE-2021-30121 – Local file inclusion vulnerability (Fixed in VSA 9.5.6)
  • CVE-2021-30201 – XML external entity vulnerability (Fixed in VSA 9.5.6)

Besides these fixes, the latest version also remedies three other flaws:

  • Fixed an issue where the secure flag was not being used for User Portal session cookies. 
  • Fixed an issue where certain API responses would contain a password hash, potentially exposing any weak passwords to brute force attack. The password value is now masked completely. 
  • Fixed a vulnerability that could allow the unauthorized upload of files to the VSA server. 

For additional security, Kaseya is recommending limiting access to the VSA Web GUI to local IP addresses by blocking port 443 inbound on your internet firewall.

Below are the basic steps that admins should perform before starting up VSA servers again and connecting them to the Internet:

  • Ensure your VSA server is isolated 
  • Check System for Indicators of Compromise (IOC)  
  • Patch the Operating Systems of the VSA Servers 
  • Using URL Rewrite to control access to VSA through IIS 
  • Install FireEye Agent 
  • Remove Pending Scripts/Jobs

Once installed the security updates, all users Reset their password and create a new one.

Leave a Comment

Your email address will not be published. Required fields are marked *