CVE-2021-30116

Warnung

Exploit

EPSS 53.08%
Veröffentlicht 09.07.2021 14:15:07
Zuletzt bearbeitet 10.11.2025 14:41:17
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\Program Files (x86)\Kaseya\XXXXXXXXXX\KaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.

Betroffene Produkte Warnungen 1 Metriken 4 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Kaseya ≫ Vsa Agent Version < 9.5.0.24

Kaseya ≫ Vsa Server Version < 9.5.7a

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Kaseya Virtual System/Server Administrator (VSA) Information Disclosure Vulnerability

Schwachstelle

Kaseya Virtual System/Server Administrator (VSA) contains an information disclosure vulnerability allowing an attacker to obtain the sessionId that can be used to execute further attacks against the system.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	53.08%	0.979

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
cve@mitre.org	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/

Third Party Advisory

https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/

Third Party Advisory

https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021

Vendor Advisory

https://www.secpod.com/blog/kaseya-vsa-zero-day-by-revil/

Third Party Advisory

Exploit

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-30116

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2021-30116