IT and security management solutions provider Kaseya has recently released security patches to tackle server-side Kaseya Unitrends zero-day bugs discovered by cybersecurity specialists at the Dutch Institute for Vulnerability Disclosure (DIVD).
The two weaknesses included an authenticated remote code execution bug on the server and a privilege escalation vulnerability from read-only user to admin on the server. They were discovered at the beginning of July and immediately disclosed to Kaseya.
On July 14, the researchers began scanning the Internet for exposed Kaseya Unitrends instances so they could alert the owners of the affected servers to take them offline and wait for a patch.
On July 26, the DIVD researchers issued a TLP:AMBER alert involving 3 Kaseya Unitrends vulnerabilities that were unpatched in the backup product.
DIVD Chairman Victor Gevers told BleepingComputer that the advisory was originally shared with 68 government CERTs under a coordinated disclosure.
According to DIVD, the IT infrastructure management solution provider fixed the two known server-side flaws in server software version 10.5.5-2, released on August 12, and is still working on a patch for a not-yet-disclosed vulnerability in the client.
The client-side vulnerability is currently unpatched, but Kaseya urges users to mitigate it via firewall rules in line with its best practices and firewall requirements.
In addition to that, they have released a knowledge base article with steps to mitigate the vulnerability.
Following the release of the security patches, the American company contacted its customers and advised them to patch the exposed servers and apply the client mitigations described in the knowledge base article.
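The article's advice boils down to one check: is every Unitrends server at 10.5.5-2 or later? The snippet below is an added example, not Kaseya's or DIVD's code, showing a defender-side inventory check that parses Unitrends-style version strings (the "-2" build suffix included) and lists hosts still below the patched version. The hostnames and versions in SAMPLE_INVENTORY are constructed for illustration; in practice the version strings would come from your own asset inventory.

```python
import re
from typing import Dict, List, Tuple

# Server version in which, per the article, the two known server-side
# flaws (authenticated RCE and read-only-to-admin escalation) were fixed.
PATCHED_SERVER_VERSION = "10.5.5-2"

# major.minor.patch with an optional "-build" suffix, e.g. "10.5.5-2".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '10.5.5-2' into ((10, 5, 5, 0), 2) so versions compare numerically.

    The dotted part is zero-padded to four components so that '10.5.5'
    and '10.5.5.0' compare equal; a missing build suffix counts as build 0,
    giving the order '10.5.5' < '10.5.5-2' < '10.5.10'. Plain string
    comparison would get the last pair wrong ('10.5.10' < '10.5.5-2').
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = [int(part) for part in match.group(1).split(".")]
    numbers += [0] * (4 - len(numbers))
    build = int(match.group(2) or 0)
    return tuple(numbers), build


def is_patched(installed: str, minimum: str = PATCHED_SERVER_VERSION) -> bool:
    """True if the installed server version is at or above the patched one."""
    return parse_version(installed) >= parse_version(minimum)


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY: Dict[str, str] = {
    "backup-01.example.internal": "10.5.5-2",   # exactly the patched release
    "backup-02.example.internal": "10.5.4-1",   # older minor release
    "backup-03.example.internal": "10.5.5",     # same base version, no build suffix
    "backup-04.example.internal": "10.6.0-1",   # newer than the patched release
}


def find_unpatched(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose reported server version is below the patched one."""
    return sorted(host for host, version in inventory.items() if not is_patched(version))


if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is below {PATCHED_SERVER_VERSION}, patch required")
```

The check only covers the two server-side flaws; the client-side issue remains open regardless of server version, so the firewall mitigations from the knowledge base article still apply to hosts this script reports as patched.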
Unitrends Vulnerabilities Difficult to Exploit
There is also good news. The three flaws are not easy to exploit: an attacker would need valid credentials to launch an RCE attack or escalate privileges on an Internet-exposed Unitrends server.
Another obstacle is that attackers would first need to have already breached the victim's systems before they could exploit the unauthenticated client RCE vulnerability.
The DIVD chairman told BleepingComputer that, although vulnerable instances were found on the networks of companies in sensitive sectors, the number of vulnerable Unitrends instances is not very high.