DIVD-2021-00011 - Kaseya VSA Limited Disclosure | DIVD CSIRT
Our reference: DIVD-2021-00011
Case lead: Frank Breedijk
Author: Lennaert Oudshoorn
Researcher(s): Wietse Boonstra, Lennaert Oudshoorn, Victor Gevers, Frank Breedijk, Hidde Smit
CVE(s): CVE-2021-30116, CVE-2021-30117, CVE-2021-30118, CVE-2021-30119, CVE-2021-30120, CVE-2021-30121, CVE-2021-30201
Product: Kaseya VSA
Versions: All on-premise Kaseya VSA versions.
Recommendation: All on-premises VSA servers should remain offline until Kaseya gives further instructions about when it is safe to restore operations. A patch will need to be installed before the VSA is restarted, together with a set of recommendations on how to increase your security posture.
Status: Open

Summary

One of our researchers found multiple vulnerabilities in Kaseya VSA, which we were in the process of disclosing to Kaseya under responsible disclosure (Coordinated Vulnerability Disclosure). Before all of these vulnerabilities could be patched, a ransomware attack took place that used Kaseya VSA.

Ever since we released the news that we had indeed notified Kaseya of a vulnerability used in the ransomware attack, we have been getting requests to release details about these vulnerabilities and the disclosure timeline. In line with the guidelines for Coordinated Vulnerability Disclosure, we have not disclosed any details so far. While we feel it is time to be more open about this process and our decisions regarding this matter, we will still not release the full details.

The vulnerabilities

We notified Kaseya of the following vulnerabilities:

CVE-2021-30116 - A credentials leak and business logic flaw, to be included in 9.5.7
CVE-2021-30117 - An SQL injection vulnerability, resolved in the May 8th patch.
CVE-2021-30118 - A Remote Code Execution vulnerability, resolved in the April 10th patch. (v9.5.6)
CVE-2021-30119 - A Cross Site Scripting vulnerability, to be included in 9.5.7
CVE-2021-30120 - A 2FA bypass, to be resolved in v9.5.7
CVE-2021-30121 - A Local File Inclusion vulnerability, resolved in the May 8th patch.
CVE-2021-30201 - An XML External Entity vulnerability, resolved in the May 8th patch.

What you can do

All on-premises VSA servers should remain offline until Kaseya gives further instructions about when it is safe to restore operations. A patch will need to be installed before the VSA is restarted, together with a set of recommendations on how to increase your security posture.

Kaseya has released a detection tool to help determine whether a system has been compromised. Cado Security has made a GitHub repository with Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack.
We recommend that any Kaseya server is carefully checked for signs of compromise before taking it back into service, including, but not limited to, the IoCs published by Kaseya.

What we are doing

The Dutch Institute for Vulnerability Disclosure (DIVD) performs a daily scan to detect vulnerable Kaseya VSA servers and notifies the owners directly or via the known abuse channels, Gov-CERTs, and other trusted channels. We identify these servers by downloading the paths '/', '/api/v1.5/cw/environment' and '/install/kaseyalatestversion.xml' and matching patterns in these files.

In the past few days we have been working with Kaseya to make sure customers turn off their systems, by tipping Kaseya off about customers that still have systems online, and we hope to be able to continue working together to ensure that their patch is installed everywhere.

Timeline

Date         Description
01 Apr 2021  Research start
02 Apr 2021  DIVD starts scanning internet-facing implementations.
04 Apr 2021  Start of the identification of possible victims (with internet-facing systems).
06 Apr 2021  Kaseya informed.
10 Apr 2021  Vendor starts issuing patches v9.5.5, resolving CVE-2021-30118.
08 May 2021  Vendor issues another patch v9.5.6, resolving CVE-2021-30117, CVE-2021-30121 and CVE-2021-30201.
04 Jun 2021  DIVD CSIRT hands over a list of identified Kaseya VSA hosts to Kaseya.
26 Jun 2021  9.5.7 on SaaS, resolving CVE-2021-30116 and CVE-2021-30119.
02 Jul 2021  DIVD responds to the ransomware by scanning for Kaseya VSA instances reachable via the Internet and sends out notifications to network owners.
07 Jul 2021  Limited publication (after 3 months).

More information

Official advisory from Kaseya
DoublePulsar blog post
Sophos blog post
CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack
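The identification method described under "What we are doing" (requesting three fixed paths and matching patterns in the responses) can be turned into a check that a VSA operator runs against their own hostnames to confirm the servers really are unreachable while Kaseya's instructions say to keep them offline. This is an added example, not DIVD's scanner or Kaseya's detection tool; the fingerprint regex is a placeholder assumption, since DIVD has not published the patterns it matches on, and the fetcher is pluggable so the verdict logic can be exercised offline.

```python
# Added example, not DIVD's scanner: confirm your own VSA hosts are unreachable
# by requesting the three paths DIVD uses for identification. The regex is an
# assumed placeholder; DIVD has not published the patterns it matches on.
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

VSA_PATHS = ("/", "/api/v1.5/cw/environment", "/install/kaseyalatestversion.xml")
PLACEHOLDER_PATTERN = re.compile(r"kaseya", re.IGNORECASE)  # assumption
Fetcher = Callable[[str], Optional[Tuple[int, str]]]  # (status, body) or None

def http_fetch(url: str, timeout: float = 5.0) -> Optional[Tuple[int, str]]:
    """An HTTP error code still proves the host is up; only connection
    failures and timeouts count as 'no answer'."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None

def check_host(base_url: str, fetch: Fetcher = http_fetch,
               pattern: "re.Pattern[str]" = PLACEHOLDER_PATTERN) -> Dict[str, object]:
    """'offline': nothing answered. 'exposed-vsa': a 2xx body matched the
    pattern. 'reachable-no-match': host is up, so check it manually."""
    answered: Dict[str, int] = {}
    matched: List[str] = []
    for path in VSA_PATHS:
        result = fetch(base_url.rstrip("/") + path)
        if result is None:
            continue
        status, body = result
        answered[path] = status
        if 200 <= status < 300 and pattern.search(body):
            matched.append(path)
    if not answered:
        verdict = "offline"
    elif matched:
        verdict = "exposed-vsa"
    else:
        verdict = "reachable-no-match"
    return {"host": base_url, "verdict": verdict, "answered": answered, "matched": matched}

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:  # e.g. https://vsa.example.com (placeholder name)
        print(check_host(host))
```

A "reachable-no-match" result still means the host answers from the network and should be treated as online until someone has looked at it.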