Kaseya Security Update Addresses 0Day Flaws Exploited in REvil Ransomware Attack

Kaseya has released a security update to address the zero-day vulnerabilities in its VSA solution that were exploited by the REvil ransomware group in the recent supply chain attack on its MSP customers and their clients.

Several zero-day vulnerabilities were reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD) in April. Kaseya was in the process of fixing the vulnerabilities in its KSA remote management and monitoring solution and had issued security updates to address some of the flaws in April and May. However, before all patches could be developed and released, one or more of the three unpatched vulnerabilities – CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120 – were exploited by an REvil ransomware affiliate, who gained access to Kaseya’s systems and used the software update mechanism to access to the systems of its MSP customers and, through them attack their clients.

Ransomware was used in attacks on around 60 Kaseya customers who had on-premises servers and around 1,500 of their business customers.

The attack was detected quickly by Kaseya, which took steps to contain and block the attack. Customers were advised to shut down their servers until patches were released to address the flaws. 10 days after the attack, Kaseya released security update VSA 9.5.7a ( which corrects the remaining three vulnerabilities and three other issues in its platform.

The update addresses the following flaws:

  • CVE-2021-30116 – Credentials leak and business logic flaw
  • CVE-2021-30119 – Cross site scripting vulnerability
  • CVE-2021-30120 – 2FA bypass

The update also addresses a vulnerability that allows files to be uploaded to the VSA server, an issue where a secure flag was not being used for User Portal session cookies, and a flaw where API responses contain a password hash that exposes weak passwords to brute force attacks.

With the patches now released, customers can power up and secure their servers; however, it is vital for the correct process to be followed when applying the update to prevent any attempted exploits before the update is applied. The procedure for applying the update is detailed here.

Prior to applying the update admins should ensure that their KSA servers are not accessible over the Internet and the VSA servers are isolated. Before applying the update, customers should use Kaseya’s Compromise Detection Tool to check for Indicators of Compromise (IoCs) to make sure that their VSA servers and endpoints have not already been compromised. Once completed, the operating systems of VSA servers should be patched, using URL Rewrite to control access to VSA through IIS. The FireEye Agent should be installed and Pending Scripts/Jobs should be removed.

The on premises VSA admin should also restrict access to the web GUI to local IP addresses only by blocking port 443 inbound on the Internet firewall and any used by security products (details here).

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news