CVE-2021-30116
Kaseya Virtual System/Server Administrator (VSA) Information Disclosure Vulnerability
- Severity Score: -
- Exploit Likelihood: -
- Affected Versions: -
- Public Exploits: 0
- Exploited in Wild: Yes
Descriptions
Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default, an on-premise Kaseya VSA installation offers a download page from which the agent clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp. When an attacker downloads a client for Windows and installs it, the file KaseyaD.ini is generated (C:\Program Files (x86)\Kaseya\XXXXXXXXXX\KaseyaD.ini), which contains an Agent_Guid and an AgentPassword. This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9). This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication.

Security issues discovered
---
* The unauthenticated download page leaks credentials.
* The credentials of the agent software can be used to obtain a sessionId (cookie) that is accepted by services not intended for use by agents.
* dl.asp accepts credentials via a GET request.
* Access to KaseyaD.ini gives an attacker sufficient information to penetrate the Kaseya installation and its clients.

Impact
---
Via the page /dl.asp, enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.
Kaseya Virtual System/Server Administrator (VSA) contains an information disclosure vulnerability allowing an attacker to obtain the sessionId that can be used to execute further attacks against the system.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-04-02 CVE Reserved
- 2021-07-09 CVE Published
- 2021-11-03 Exploited in Wild
- 2021-11-17 KEV Due Date
- 2024-07-30 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- First Exploit
CWE
- CWE-522: Insufficiently Protected Credentials
CAPEC
References (4)
URL | Tag | Date | Source |
---|---|---|---|
https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2 | Third Party Advisory | | |
https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure | Third Party Advisory | | |
https://www.secpod.com/blog/kaseya-vsa-zero-day-by-revil | | | |
https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021 | | 2023-10-23 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Kaseya | Vsa Agent | < 9.5.0.24 | - | Affected |
Kaseya | Vsa Server | < 9.5.7a | - | Affected |