CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-30117 – Authenticated SQL injection in Kaseya VSA < v9.5.6
https://notcve.org/view.php?id=CVE-2021-30117
The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId. Detailed description --- Given the following request: ``` GET /InstallTab/exportFldr.asp?fldrId=1’ HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519; ``` Where the sessionId cookie value has been obtained via CVE-2021-30116. The result should be a failure. Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 19:12:11 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 881 <! • https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 66%CPEs: 2EXPL: 0CVE-2021-30116 – Kaseya Virtual System/Server Administrator (VSA) Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-30116
Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\Program Files (x86)\Kaseya\XXXXXXXXXX\KaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. • https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2 https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021 https://www.secpod.com/blog/kaseya-vsa-zero-day-by-revil • CWE-522: Insufficiently Protected Credentials •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 2CVE-2019-14510
https://notcve.org/view.php?id=CVE-2019-14510
An issue was discovered in Kaseya VSA RMM through 9.5.0.22. When using the default configuration, the LAN Cache feature creates a local account FSAdminxxxxxxxxx (e.g., FSAdmin123456789) on the server that hosts the LAN Cache and all clients that are assigned to a LAN Cache. This account is placed into the local Administrators group of all clients assigned to the LAN Cache. When the assigned client is a Domain Controller, the FSAdminxxxxxxxxx account is created as a domain account and automatically added as a member of the domain BUILTIN\Administrators group. Using the well known Pass-the-Hash techniques, an attacker can use the same FSAdminxxxxxxxxx hash from any LAN Cache client and pass this to a Domain Controller, providing administrative rights to the attacker on any Domain Controller. • http://community.kaseya.com/xsp/f/355.aspx http://community.kaseya.com/xsp/f/355/t/24675.aspx https://lockstepgroup.com/blog/abusing-the-kaseya-lan-cache-fsadmin https://lockstepgroup.com/blog/cve-2019-14510-abusing-the-kaseya-lan-cache-fsadmin-red-team-edition https://www.kaseya.com/products/vsa • CWE-276: Incorrect Default Permissions CWE-287: Improper Authentication •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-15506
https://notcve.org/view.php?id=CVE-2019-15506
An issue was discovered in Kaseya Virtual System Administrator (VSA) through 9.4.0.37. It has a critical information disclosure vulnerability. An unauthenticated attacker can send properly formatted requests to the web application and download sensitive files and information. For example, the /DATAREPORTS directory can be farmed for reports. Because this directory contains the results of reports such as NMAP, Patch Status, and Active Directory domain metadata, an attacker can easily collect this critical information and parse it for information. • http://dfdrconsulting.com/2019/cyber-security/cve-2019-15506-kaseya-vsa-critical-information-disclosure-unauthenticated-access http://help.kaseya.com/WebHelp/EN/RN/index.asp#VSAReleaseNotes.htm • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: 10%CPEs: 3EXPL: 1CVE-2018-20753 – Kaseya VSA Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-20753
Kaseya VSA RMM before R9.3 9.3.0.35, R9.4 before 9.4.0.36, and R9.5 before 9.5.0.5 allows unprivileged remote attackers to execute PowerShell payloads on all managed devices. In January 2018, attackers actively exploited this vulnerability in the wild. Kaseya VSA RMM, en versiones anteriores a la R9.3 9.3.0.35, versiones R4 anteriores a la 9.4.0.36 y en las R9.5 anteriores a la 9.5.0.5, permite a los atacantes remotos sin privilegios ejecutar cargas útiles PowerShell en todos los dispositivos gestionados. En enero de 2018, los atacantes explotaban esta vulnerabilidad "in the wild" de manera activa. Kaseya VSA RMM allows unprivileged remote attackers to execute PowerShell payloads on all managed devices. • https://blog.huntresslabs.com/deep-dive-kaseya-vsa-mining-payload-c0ac839a0e88 https://helpdesk.kaseya.com/hc/en-gb/articles/360000333152 •