Security researchers have discovered three new zero-day flaws in the Kaseya Unitrends product, which could allow attackers to perform authenticated remote code execution, authenticated privilege escalation, and more.
Kaseya Unitrends is a cloud-based solution that provides a comprehensive set of backup and disaster recovery features for enterprises. It is an add-on component of the Kaseya VSA platform.
The Dutch Institute for Vulnerability Disclosure (DIVD) issued a TLP-AMBER advisory for three unpatched vulnerability issues in the Kaseya’s backup product. DIVD discovered the vulnerabilities on July 2nd.
According to DIVD Chairman Victor Gevers, the advisory was first shared discretely with 68 government CERTs. But the information about the flaw was leaked later online.
One of the 68 recipients distributed the alert on an online analyzing platform, which means the details of the flaw were made public.
“Two days later, an Information Sharing and Analysis Center alerted us that one of the GovCERTs had forwarded the email to an organization’s service desk operating in the Financial Services in that country,” Gevers told BleepingComputer.
“An employee uploaded the TLP: AMBER labeled directly to an online analyzing platform and shared its content to all participants of that platform; because we do not have an account on that platform, we immediately requested removing this file.”
Yesterday, Kaseya released a public warning saying that the vulnerability pertains to the Kaseya Unitrends versions earlier than 10.5.2. The company advised those who use this service or the clients not to expose them to the Internet until Kaseya has patched the issues.
The issues that impact Kaseya Unitrends backup service include authenticated privilege escalation, authenticated remote code execution, and unauthenticated remote code execution on the client side.
These vulnerabilities are harder to exploit than the ones used in the July 2nd REvil ransomware attack, the company noted. A threat actor would need to have gained access to the publicly-exposed Kaseya Unitrends service, and they would need to have a valid user to perform the above actions.
The flaws were disclosed by DIVD to the company on July 3, 2021.
DIVD will attempt to individually inform all owners of vulnerable systems that they should get them offline until a patch has been released.