Share this article on:
Kaseya has announced a security update has been released for the Kaseya KSA remote management and monitoring software solution to fix the zero-day vulnerabilities recently exploited by the REvil ransomware gang in attacks on its customers and their clients.
The vulnerabilities exploited in the attack were part of a batch of seven flaws that were reported to Kaseya in April 2021 by the Dutch Institute for Vulnerability Disclosure (DIVD). Kaseya had developed patches to correct four of the seven vulnerabilities in its Virtual System Administrator solution and released these as part of its April and May security updates; however, before patches could be released for the remaining three vulnerabilities, one or more of them were exploited by an REvil ransomware affiliate.
The attack affected approximately 60 customers who had deployed the Kaseya VSA on-premises, many of which were managed service providers (MSPs). The REvil ransomware gang gained access to their servers, encrypted them, and pushed their ransomware out to approximately 1,500 business clients of those companies.
Following the July 2, 2021 attack, Kaseya advised its customers to shut down their on-premises VSA servers until the exploited vulnerabilities were addressed and its SaaS servers were shut down as the SaaS solution also had vulnerabilities, although its cloud-based service was not affected by the attack. Those servers are now being restarted incrementally and the final three patches have been released in the VSA 9.5.7a (22.214.171.12494) update.
The three vulnerabilities addressed in the latest security update are a credential leak and business logic flaw tracked as CVE-2021-30116, a cross site scripting vulnerability – CVE-2021-30119 – and a 2FA bypass vulnerability – CVE-2021-30120. Kaseya says a further three vulnerabilities in the solution have also been addressed by the update. These are a failure to use a secure flag for user portal session cookies, a flaw that allowed files to be uploaded to a VSA server, and an issue where a password hash was exposed, which made weak passwords vulnerable to brute force attacks.
Kaseya has recommended a process for applying the update to minimize risk. This involves ensuring the VSA server is isolated and not connected to the Internet, searching for Indicators of Compromise (IoCs) to determine if servers or endpoints have already been compromised, then applying the update.
The full process for updating on-premises VSA servers and securing them is detailed in the Kaseya On Premises Startup Readiness Guide.