Kaseya has released security updates for the VSA zero-day vulnerabilities that were exploited by the REvil ransomware gang to attack MSPs and their customers.
Kaseya VSA is a remote management and monitoring solution commonly used by managed service providers to support their customers. MSPs can deploy VSA on-premise using their servers or utilize Kaseya’s cloud-based SaaS solution.
In April, the Dutch Institute for Vulnerability Disclosure (DIVD) disclosed seven vulnerabilities to Kaseya:
- CVE-2021-30116 – A credentials leak and business logic flaw, to be included in 9.5.7
- CVE-2021-30117 – An SQL injection vulnerability, resolved in May 8th patch.
- CVE-2021-30118 – A Remote Code Execution vulnerability, resolved in April 10th patch. (v9.5.6)
- CVE-2021-30119 – A Cross Site Scripting vulnerability, to be included in 9.5.7
- CVE-2021-30120 – 2FA bypass, to be resolved in v9.5.7
- CVE-2021-30121 – A Local File Inclusion vulnerability, resolved in May 8th patch.
- CVE-2021-30201 – A XML External Entity vulnerability, resolved in May 8th patch.
Patches for most of the vulnerabilities were implemented by Kaseya on their VSA SaaS service but the patches for the on-premise version of VSA were not completed.
The REvil ransomware gang exploited these vulnerabilities to launch a massive attack against approximately 60 MSPs using on-premise VSA servers and 1,500 business customers.
Even though it is not known which vulnerabilities were used in the attack, it is believed that one or a combination of CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120 were used.
Since the attack, Kaseya told on-premise VSA customers to shut down their servers until a patch is ready.
Almost after ten days of the attacks, Kaseya has released the VSA 9.5.7a (188.8.131.5294) update to fix the vulnerabilities used in the REvil ransomware attack.
In the latest security update, Kaseya has fixed the following vulnerabilities:
- Credentials leak and business logic flaw: CVE-2021-30116
- Cross Site Scripting vulnerability: CVE-2021-30119
- 2FA bypass: CVE-2021-30120
- Fixed an issue where secure flag was not being used for User Portal session cookies.
- Fixed an issue where certain API responses would contain a password hash, potentially exposing any weak passwords to brute force attack. The password value is now masked completely.
- Fixed a vulnerability that could allow unauthorized upload of files to the VSA server.
Kaseya urges its customers to follow the ‘On Premises VSA Startup Readiness Guide’ steps before installing the update in order to prevent further breaches and make sure devices are not already compromised.
The admins must perform the basic steps before starting up VSA servers again and connecting them to the Internet:
- Ensure the VSA server is isolated
- Check System for Indicators of Compromise (IOC)
- Patch the Operating Systems of the VSA Servers
- Using URL Rewrite to control access to VSA through IIS
- Install FireEye Agent
- Remove Pending Scripts/Jobs
It is important that the on-premise VSA servers must not be publicly accessible from the Internet to prevent compromise while installing the patch.
The customers are also recommended to utilize their “Compromise Detection Tool,” a collection of PowerShell scripts to detect whether a VSA server or endpoints have been compromised.
The scripts will check VSA servers for the presence of ‘Kaseya\webpages\managedfiles\vsaticketfiles\agent.crt’ and ‘Kaseya\webpages\managedfiles\vsaticketfiles\agent.exe,’ and ‘agent.crt’ and ‘agent.exe’ on endpoints.
The REvil affiliate used the agent.crt and agent.exe files to deploy the REvil ransomware executable.
After installing the patch, the users are also recommended to change their password to a new one.