Kaseya, an American software firm, has released a security update to address zero-day vulnerabilities in Kaseya Unitrends server software discovered by cybersecurity experts at the Dutch Institute for Vulnerability Disclosure (DIVD).
Kaseya Unitrends is a cloud-based organizational backup and recovery system that may be used alone or as an add-on to Kaseya’s VSA remote management system. The flaws, an authenticated remote code execution issue and a privilege escalation from read-only user to admin, were identified on July 2 and confidentially communicated to Kaseya the next day.
DIVD began searching the Internet for exposed Kaseya Unitrends instances two weeks later, on July 14, to notify owners to take vulnerable servers down until a fix was issued. After the advisory was released online following a synchronized disclosure involving 68 government CERTs, DIVD officially reported the vulnerabilities in a TLP:AMBER alert on July 26, 2021.
Client Unauth RCE Not Patched Yet
Kaseya patched the two server vulnerabilities with Unitrends version 10.5.5-2 on August 12, but it’s still working on a remedy for a third unauthenticated remote code execution issue that affects the client.
“The client-side vulnerability is currently unpatched, but Kaseya urges users to mitigate these vulnerabilities via firewall rules as per their best practices and firewall requirements,” said DIVD in an advisory that was published on 26th August 2021. “In addition to that, they have released a knowledge base article with steps to mitigate the vulnerability.”
Kaseya notified customers after releasing the corrected Unitrends version, urging them to update exposed servers and install client mitigations.
Fortunately, these three vulnerabilities are more difficult to exploit than the Kaseya VSA zero-days REvil used in the early July ransomware attack that affected hundreds of Kaseya customers.
This is because attackers would need valid credentials to achieve remote code execution or escalate privileges on vulnerable Unitrends servers that are exposed to the Internet.
Furthermore, in order to successfully exploit the unauthenticated client RCE flaw, threat actors must have already breached their targets’ networks.
DIVD Chairman Victor Gevers also stated that the number of vulnerable Unitrends instances is low, although some were discovered on the networks of organizations in sensitive industries.