Heimdal Security Blog

Kaseya Patches the Vulnerabilities Used in REvil Ransomware Attack

Kaseya released a patch for the vulnerabilities that were used by REvil in what seems to be one of the largest ransomware attacks, in which the ransomware gang, also known as Sodinokibi, targeted MSPs with thousands of customers.

Back in April, the Dutch Institute for Vulnerability Disclosure (DIVD) had disclosed seven vulnerabilities to Kaseya. Most of them were quickly patched, but the vulnerability in the on-premise version of VSA was unfortunately left unresolved.

The REvil ransomware group managed to make use of these vulnerabilities to launch a massive attack earlier this month; as a result, more than 60 MSPs that were using on-premise VSA servers and 1,500 business customers were affected.

It still remains unclear which vulnerabilities were used in the attack; researchers believe it to be one of, or a combination of, CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120.

Kaseya’s Newly Released Security Updates

Kaseya had previously urged on-premise VSA customers to shut down their servers until a patch was ready, and has now released the VSA 9.5.7a (9.5.7.2994) update that fixes the vulnerabilities used in the REvil ransomware attack.

As posted in the previous update we released the patch to VSA On-Premises customers and began deploying to our VSA SaaS Infrastructure prior to the 4:00 PM target. The restoration of services is progressing, with 95% of our SaaS customers live and the remaining servers coming online for the rest of our customers in the coming hours. Our support teams are working with VSA On-Premises customers who have requested assistance with the patch.

Source

Some of the issues addressed in the patch were:

Kaseya is urging its customers to follow the steps in the “On-Premises VSA Startup Readiness Guide” before installing the update in order to prevent further breaches, and to use the “Compromise Detection Tool” to make sure that the VSA server and its endpoints have not already been compromised.

An extra step that can be taken for added security is restricting admin access to the on-premise VSA web GUI to local IP addresses and to those known to be used by security products.

For VSA On-Premises installations, we have recommended limiting access to the VSA Web GUI to local IP addresses by blocking port 443 inbound on your internet firewall. Some integrations may require inbound access to your VSA server on port 443. Below is a list of IP addresses you can whitelist in your firewall (allow 443 inbound to FROM ), if you are using these integrations with your VSA On-Premises product.

Source
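The recommendation above (block TCP/443 inbound to the VSA web GUI except from local ranges and from the addresses a needed integration uses) is easy to state and easy to get wrong in a firewall ruleset. The following is an added example, not code from Kaseya or from this article, that encodes such a policy and audits constructed firewall log lines against it, flagging any accepted connection to port 443 that the policy would not permit. The local ranges, the integration allowlist (RFC 5737 documentation addresses standing in for real integration IPs), the log line format and the `classify_source`, `should_allow`, `parse_line` and `audit` functions are all assumptions made for this example; the real integration addresses are the ones in Kaseya's own list.

```python
"""Audit firewall logs against a 'VSA web GUI reachable only from known sources' policy."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed policy (example values, not Kaseya's): the web GUI on TCP/443 may be
# reached only from local ranges plus a labelled allowlist of the public addresses
# a required integration connects from. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges used here as placeholders for real integration IPs.
LOCAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
INTEGRATION_ALLOWLIST = {
    ipaddress.ip_network("203.0.113.10/32"): "hypothetical integration A",
    ipaddress.ip_network("198.51.100.0/28"): "hypothetical integration B",
}
GUI_PORT = 443


def classify_source(src_ip: str) -> str:
    """Return 'local', the integration label, or 'unknown' for a source address."""
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in LOCAL_NETWORKS):
        return "local"
    for net, label in INTEGRATION_ALLOWLIST.items():
        if addr in net:
            return label
    return "unknown"


def should_allow(src_ip: str, dport: int) -> bool:
    """Policy decision: ports other than the GUI port are out of scope here (allowed);
    the GUI port requires a local or allowlisted source."""
    if dport != GUI_PORT:
        return True
    return classify_source(src_ip) != "unknown"


# Assumed log line shape, e.g.:
# 2021-07-12T10:00:01Z ACCEPT src=192.168.1.50 dst=192.168.1.20 proto=tcp dport=443
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+proto=tcp\s+dport=(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line into a record, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def audit(log_text: str) -> List[Dict]:
    """Flag ACCEPTed connections to the GUI port from sources the policy does not permit.
    DROPped attempts are expected and are not findings; unparseable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] == "ACCEPT" and not should_allow(rec["src"], rec["dport"]):
            rec["source_class"] = classify_source(rec["src"])
            rec["reason"] = "TCP/443 accepted from a source outside the allowlist"
            findings.append(rec)
    return findings


# Constructed sample log: a local admin, an allowlisted integration, a dropped
# internet probe, an accepted internet connection (the misconfiguration we want
# to catch), an out-of-scope port, and a malformed line.
SAMPLE_LOG = """\
2021-07-12T10:00:01Z ACCEPT src=192.168.1.50 dst=192.168.1.20 proto=tcp dport=443
2021-07-12T10:00:05Z ACCEPT src=203.0.113.10 dst=192.168.1.20 proto=tcp dport=443
2021-07-12T10:00:09Z DROP src=192.0.2.77 dst=192.168.1.20 proto=tcp dport=443
2021-07-12T10:00:12Z ACCEPT src=192.0.2.88 dst=192.168.1.20 proto=tcp dport=443
2021-07-12T10:00:15Z ACCEPT src=192.0.2.88 dst=192.168.1.20 proto=tcp dport=8080
this line is not a firewall record
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']} ({f['source_class']}): {f['reason']}")
```

Running the block on the sample log reports exactly one finding, the accepted connection from 192.0.2.88 to port 443; the dropped probe and the local and allowlisted connections are policy-conformant. Feeding the audit real export logs from the internet firewall is a quick way to confirm that the 443 restriction is actually in effect rather than only intended.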

It’s important to know that after installing the patch, all users will be required to change their passwords.