CVE-2021-30116

Kaseya Virtual System/Server Administrator (VSA) Information Disclosure Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

*SSVC

Descriptions

Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\Program Files (x86)\Kaseya\XXXXXXXXXX\KaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.

Kaseya VSA antes de la versión 9.5.7 permite la divulgación de credenciales, como se explotó en la naturaleza en julio de 2021. Por defecto, Kaseya VSA on premise ofrece una página de descarga donde se pueden descargar los clientes para la instalación. La URL por defecto para esta página es https://x.x.x.x/dl.asp. Cuando un atacante descarga un cliente para Windows y lo instala, se genera el archivo KaseyaD.ini (C:\aArchivos de Programa (x86)\aKaseyaXXXXXX\aKaseyaD.ini) que contiene un Agent_Guid y AgentPassword. Este Agent_Guid y AgentPassword pueden ser utilizados para iniciar sesión en dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9). Esta solicitud autentifica al cliente y devuelve una cookie sessionId que puede ser utilizada en ataques posteriores para evadir la autenticación. Problemas de seguridad descubiertos --- * La página de descarga no autenticada filtra credenciales * Las credenciales del software del agente pueden ser usadas para obtener un sessionId (cookie) que puede ser usado para servicios no destinados a ser usados por los agentes * dl.asp acepta credenciales a través de una solicitud GET * El acceso a KaseyaD.ini le da a un atacante acceso a suficiente información para penetrar la instalación de Kaseya y sus clientes. Impacto --- A través de la página /dl.asp se puede obtener suficiente información para dar a un atacante un sessionId que puede ser usado para ejecutar más ataques (semiautenticados) contra el sistema

Kaseya Virtual System/Server Administrator (VSA) contains an information disclosure vulnerability allowing an attacker to obtain the sessionId that can be used to execute further attacks against the system.

*Credits: Discovered by Wietse Boonstra of DIVD, Additional research by Frank Breedijk of DIVD

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-04-02 CVE Reserved
2021-07-09 CVE Published
2021-11-03 Exploited in Wild
2021-11-17 KEV Due Date
2024-07-30 EPSS Updated
2024-08-03 CVE Updated
---------- First Exploit

CWE

CWE-522: Insufficiently Protected Credentials

CAPEC

References (4)

URL	Tag	Source
https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2	Third Party Advisory
https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure	Third Party Advisory
https://www.secpod.com/blog/kaseya-vsa-zero-day-by-revil

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021	2023-10-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Kaseya Search vendor "Kaseya"		Vsa Agent Search vendor "Kaseya" for product "Vsa Agent"				< 9.5.0.24 Search vendor "Kaseya" for product "Vsa Agent" and version " < 9.5.0.24"		-		Affected
Kaseya Search vendor "Kaseya"		Vsa Server Search vendor "Kaseya" for product "Vsa Server"				< 9.5.7a Search vendor "Kaseya" for product "Vsa Server" and version " < 9.5.7a"		-		Affected