Kaseya has released a security update to address the VSA zero-day vulnerabilities exploited by REvil gang in the massive ransomware supply chain attack.
Software vendor Kaseya has released a security update to fix the zero-day vulnerabilities in its VSA software that were exploited by the REvil ransomware gang in the massive ransomware supply chain attack.
The company announced last week that fewer than 60 of its customers and less than 1,500 businesses have been impacted by the recent supply-chain ransomware attack.
Up to 1,500 downstream organizations, which were customers of MSPs using Kaseya VSA management platform, were impacted by the attack.
“While impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure. Many of Kaseya’s customers are managed service providers, using Kaseya’s technology to manage IT infrastructure for local and small businesses with less than 30 employees, such as dentists’ offices, small accounting offices and local restaurants. Of the approximately 800,000 to 1,000,000 local and small businesses that are managed by Kaseya’s customers, only about 800 to 1,500 have been compromised.” reads a statement published by the company.
In April the Dutch Institute for Vulnerability Disclosure (DIVD) reported a zero-day vulnerability, tracked as CVE-2021-30116, affecting Kaseya VSA servers, to the company.
The software vendor was validating the patch before they rolled it out to its customers, but REvil ransomware operators exploited the flaw in the massive supply chain ransomware attack.
The Dutch Institute for Vulnerability Disclosure (DIVD) disclosed the CVE-2021-30116 issue along with other six vulnerabilities to Kaseya.
In response to the incident, the company had urged customers to shut down their on-premise VSA servers until a patch was available. Now, the company has released VSA version 9.5.7a (9.5.7.2994) which address the following security flaws:
- CVE-2021-30116 – A credentials leak and business logic flaw, to be included in 9.5.7
- CVE-2021-30117 – An SQL injection vulnerability, fixed in VSA 9.5.6.
- CVE-2021-30118 – A Remote Code Execution vulnerability, fixed in VSA 9.5.6.
- CVE-2021-30119 – A Cross Site Scripting vulnerability, to be included in 9.5.7
- CVE-2021-30120 – 2FA bypass, to be resolved in v9.5.7
- CVE-2021-30121 – A Local File Inclusion vulnerability, fixed in VSA 9.5.6.
- CVE-2021-30201 – A XML External Entity vulnerability, fixed in VSA 9.5.6.
The company also recommends customers follow the ‘On Premises VSA Startup Readiness Guide‘ steps before installing the security updates, the steps are important to determine if their systems have been already compromised and include instructions on how to clean them.
Kaseya has released a detection tool that could be used by organizations to determine if your infrastructure has been compromised.
For additional security, Kaseya recommends reducing the surface of the attack by limiting access to the VSA Web GUI to local IP addresses by blocking port 443 inbound on the internet firewall.
“For VSA On-Premises installations, we have recommended limiting access to the VSA Web GUI to local IP addresses by blocking port 443 inbound on your internet firewall. Some integrations may require inbound access to your VSA server on port 443. Below are a list of IP addresses you can whitelist in your firewall (allow 443 inbound to FROM ), if you are using these integrations with your VSA On-Premises product.” states Kaseya.
Once installed the security updates, all users’ passwords will be reset and users will have to choose a new one.
Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine