Kaseya rolled out security updates designed to address critical security issues in its Virtual System Administrators solution (VSA), which were exploited by hackers to launch a ransomware attack 10 days ago.
Following an incident where a remote server could potentially expose sensitive information, the company had issued an advisory to its customers to temporarily shut down their servers. Yesterday, the company released a patch for these issues:
- CVE-2021-30116 – Credentials leak and business logic flaw
- CVE-2021-30119 – Cross-site scripting vulnerability
- CVE-2021-30120 – Two-factor authentication bypass
In VSA, there are total seven security issues that were reported by the Dutch Vulnerability Disclosure Authority earlier this year; the other four, which have been patched before, are:
- CVE-2021-30117 – SQL injection vulnerability (Fixed in VSA 9.5.6)
- CVE-2021-30118 – Remote code execution vulnerability (Fixed in VSA 9.5.5)
- CVE-2021-30121 – Local file inclusion vulnerability (Fixed in VSA 9.5.6)
- CVE-2021-30201 – XML external entity vulnerability (Fixed in VSA 9.5.6)
The latest version fixes three other issues, including a flaw that could allow remote attackers to execute arbitrary code without requiring an existing account on the server. It also resolves a bug that could allow an unauthorized upload of files to the VSA server.
To prevent unauthorized access to the VSA Web GUI, Kaseya recommends blocking the port 443 traffic to the internet firewall.
Kaseya has also warned that users who install the patch would be forced to change their passwords in order to meet the new requirements.
In addition, the company said that some VSA features were replaced with improved alternatives and some functional defects in the patched version will be corrected in the future release.
The company has also been busy restoring its VSA cloud-based infrastructure:
“The restoration of services is progressing according to plan, with 60% of our SaaS customers live and servers coming online for the rest of our customers in the coming hours,” Kaseya said in a rolling advisory.
According to Kaseya, in this sophisticated attack hackers exploited multiple flaws that were chained together. The company says that specifically the CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120 flaws were used to carry out the attacks.
REvil, a Russian-based gang, has claimed responsibility for the ransomware attack on Kaseya that affected over 1,5000 businesses.