Kaseya has released a security update for the VSA zero-day vulnerabilities used by the REvil ransomware gang to attack MSPs and their customers.

Kaseya VSA is a remote monitoring and management solution commonly used by managed service providers (MSPs) to support their customers. MSPs can deploy VSA on their own on-premises servers or use Kaseya's cloud-based SaaS offering.

In April, the Dutch Institute for Vulnerability Disclosure (DIVD) disclosed seven vulnerabilities to Kaseya.

CVE-2021-30116 - Credential leak and business logic flaw, resolved in 9.5.7
CVE-2021-30117 - SQL injection vulnerability, resolved in the May 8 patch
CVE-2021-30118 - Remote code execution vulnerability, resolved in the April 10 patch (v9.5.6)
CVE-2021-30119 - Cross-site scripting vulnerability, resolved in 9.5.7
CVE-2021-30120 - 2FA bypass, resolved in 9.5.7
CVE-2021-30121 - Local file inclusion vulnerability, resolved in the May 8 patch
CVE-2021-30201 - XML external entity vulnerability, resolved in the May 8 patch

Kaseya had patched most of these vulnerabilities in the VSA SaaS service, but had not yet completed the patches for the on-premises version of VSA.

Unfortunately, the REvil ransomware gang beat Kaseya to the finish line: on July 2 it exploited these vulnerabilities in a large-scale attack against about 60 MSPs running on-premises VSA servers and roughly 1,500 of their business customers.

The exact vulnerability used in the attack is not known, but it is believed to be one, or a combination, of CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120.

Kaseya releases security update

Since the attack, Kaseya has urged on-premises VSA customers to keep their servers shut down until the patch is ready.

Almost 10 days after the attack, Kaseya released the VSA 9.5.7a (9.5.7.2994) update to fix the vulnerabilities used in the REvil ransomware attack.

With this release, Kaseya has fixed the following vulnerabilities:

Credential leak and business logic flaw: CVE-2021-30116
Cross-site scripting vulnerability: CVE-2021-30119
2FA bypass: CVE-2021-30120
Fixed an issue where the secure flag was not set on the user portal session cookie.
Fixed an issue where certain API responses contained password hashes, which could expose weak passwords to brute-force attacks. Password values are now fully masked.
Fixed a vulnerability that could allow unauthorized upload of files to the VSA server.

However, before installing the update, Kaseya urges customers to follow the steps in the On-Premises VSA Startup Preparation Guide to prevent further breaches and to confirm that the server has not already been compromised.

Below are the basic steps that an administrator must take before restarting the VSA server and connecting to the Internet.

Make sure the VSA server is isolated
Check the system for indicators of compromise (IOCs)
Patch the operating system of the VSA server
Use URL rewriting to control access to VSA through IIS
Remove pending scripts/jobs that install the FireEye agent

Of these steps, the most important is that the on-premises VSA server is not publicly reachable from the Internet, so that it cannot be compromised while the patch is being installed.
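As an added illustration of the URL rewriting step above (this is not Kaseya's own guidance or configuration), the following IIS URL Rewrite rule in the VSA site's web.config aborts every request whose client address is outside an allowlist. The address ranges are constructed placeholders to be replaced with the administrator's local network and any addresses used by security products; it assumes the IIS URL Rewrite module is installed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Deny any request that does not come from an allowlisted address.
             stopProcessing="true" ensures no later rule can re-admit it. -->
        <rule name="Restrict VSA Web GUI to known addresses" stopProcessing="true">
          <!-- Apply to every URL served by the VSA site. -->
          <match url=".*" />
          <!-- MatchAll + negate: the request is aborted only when the client
               address matches NONE of the allowlisted patterns. -->
          <conditions logicalGrouping="MatchAll">
            <!-- Constructed placeholder: local management network. -->
            <add input="{REMOTE_ADDR}" pattern="^10\.0\.0\.\d{1,3}$" negate="true" />
            <!-- Constructed placeholder: two addresses used by a security product. -->
            <add input="{REMOTE_ADDR}" pattern="^203\.0\.113\.(10|11)$" negate="true" />
          </conditions>
          <!-- Drop the connection without a response body. -->
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

If a reverse proxy or load balancer sits in front of the VSA server, {REMOTE_ADDR} reflects that device rather than the real client, so the rule must be adjusted accordingly. Verify the rule by requesting the GUI from an address outside the allowlist and checking that the connection is reset.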

Kaseya also encourages customers to use its "Violation Detection Tool", a collection of PowerShell scripts that detect whether a VSA server or endpoint has been compromised.

On the VSA server, the script checks for the existence of "Kaseya\WebPages\ManagedFiles\VSATicketFiles\agent.crt" and "Kaseya\WebPages\ManagedFiles\VSATicketFiles\agent.exe"; on endpoints, it checks for "agent.crt" and "agent.exe".

The REvil affiliate used the agent.crt and agent.exe files to deploy the REvil ransomware executable.

For added security, Kaseya also proposes that on-premises VSA administrators limit access to the Web GUI to local IP addresses and to addresses known to be used by security products.

"For VSA on-premises installations, we recommend that you limit access to the VSA Web GUI to your local IP addresses by blocking inbound port 443 on your Internet firewall. Some integrations may require inbound access to the VSA server on port 443. If you are using these integrations with VSA on-premises products, there is a list of IP addresses that can be whitelisted in the firewall (allow 443 inbound FROM)," Kaseya explains.

After installing the patch, all users should change their passwords to ones that meet the new password requirements.