Unpatched Kaseya Unitrends Backup Vulnerabilities Could Be Dangerous
Three New Zero-Day Vulnerabilities Were Found in the Kaseya Unitrends Service. Users Are Advised to Not Expose the Service to the Internet.
The DIVD researchers (the Dutch Institute for Vulnerability Disclosure) issued a TLP:AMBER warning concerning three Kaseya Unitrends vulnerabilities that remain unpatched in the backup product.
DIVD chairman Victor Gevers told BleepingComputer that the advisory was originally shared with 68 government CERTs under coordinated disclosure.
However, one of the recipients uploaded the advisory to an online analyzing platform, where it became visible to everyone with access to that service.
Two days later, an Information Sharing and Analysis Center alerted us that one of the GovCERTs had forwarded the email to an organization’s service desk operating in the Financial Services in that country.
An employee uploaded the TLP:AMBER-labeled advisory directly to an online analyzing platform and shared its content with all participants of that platform; because we do not have an account on that platform, we immediately requested that this file be removed.
Kaseya Unitrends Vulnerabilities Explained
The public advisory from DIVD warns about zero-day vulnerabilities discovered in Kaseya Unitrends versions earlier than 10.5.2.
Do not expose this service or the clients (running default on ports 80, 443, 1743, 1745) directly to the internet until Kaseya has patched these vulnerabilities.
The Kaseya Unitrends vulnerabilities affect the backup service and comprise authenticated remote code execution, authenticated privilege escalation, and unauthenticated remote code execution on the client side. Fortunately, they are harder to exploit than the Kaseya VSA zero-days used in the July 2nd REvil ransomware attack.
To exploit these vulnerabilities, a threat actor would need a valid user account in order to perform remote code execution or privilege escalation on a publicly exposed Kaseya Unitrends service.
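The advisory's mitigation boils down to one question: is the Unitrends service, or its client ports, reachable from the internet? As an added example (not code from DIVD, Kaseya, or the article), the following Python script checks the two things a defender can verify directly: whether the default ports the advisory names (80, 443, 1743, 1745) are bound to wildcard or non-internal addresses on a host, and whether a perimeter firewall has accepted connections to those ports from outside the internal ranges. The `ss`-style listener lines, the firewall log format, and the set of "internal" address ranges are constructed assumptions; adjust them to your own address plan and log source.

```python
"""Exposure check for the Kaseya Unitrends default ports.

Added example, not DIVD's or Kaseya's code. The port list comes from the
DIVD advisory; the listener lines, firewall log format and internal
address ranges below are constructed assumptions for illustration.
"""
import ipaddress
import re

# Default ports named in the DIVD advisory for the service and its clients.
UNITRENDS_PORTS = {80, 443, 1743, 1745}

# Assumed "internal" ranges: RFC 1918, loopback, link-local and their IPv6
# equivalents. Anything outside these is treated as internet-facing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Assumed firewall log layout (constructed, not any vendor's real format).
FW_LOG_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>[\da-fA-F.:]+) "
    r"dst=(?P<dst>[\da-fA-F.:]+) proto=tcp dpt=(?P<dpt>\d+)"
)


def is_external(addr: str) -> bool:
    """True if addr falls outside every assumed internal range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def exposed_listeners(ss_lines):
    """Parse `ss -tln`-style lines and return (address, port) pairs where a
    Unitrends port is bound to a wildcard or external address.

    Wildcard binds (0.0.0.0, ::, *) count as exposed because reachability
    then depends entirely on the firewall in front of the host.
    """
    found = []
    for line in ss_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue  # header line or non-listening socket
        addr, _, port = parts[3].rpartition(":")
        addr = addr.strip("[]")
        if not port.isdigit() or int(port) not in UNITRENDS_PORTS:
            continue
        if addr in ("0.0.0.0", "::", "*") or is_external(addr):
            found.append((addr, int(port)))
    return found


def external_hits(fw_lines):
    """Return (src, dst, dport) for accepted inbound TCP connections to a
    Unitrends port whose source is outside the internal ranges."""
    hits = []
    for line in fw_lines:
        m = FW_LOG_RE.search(line)
        if not m or m["action"] != "ACCEPT":
            continue  # unparseable line or a blocked connection
        dport = int(m["dpt"])
        if dport in UNITRENDS_PORTS and is_external(m["src"]):
            hits.append((m["src"], m["dst"], dport))
    return hits


# Constructed sample input: a backup host's listening sockets.
SAMPLE_SS = [
    "State  Recv-Q Send-Q Local Address:Port Peer Address:Port",
    "LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*",
    "LISTEN 0      128    0.0.0.0:443        0.0.0.0:*",
    "LISTEN 0      128    10.20.0.15:1743    0.0.0.0:*",
    "LISTEN 0      128    [::]:1745          [::]:*",
    "LISTEN 0      128    0.0.0.0:22         0.0.0.0:*",
]

# Constructed sample input: perimeter firewall log (documentation IPs).
SAMPLE_FW = [
    "2021-07-26T10:01:12Z fw1 action=ACCEPT src=10.20.0.7 dst=10.20.0.15 proto=tcp dpt=1743",
    "2021-07-26T10:02:40Z fw1 action=ACCEPT src=203.0.113.45 dst=10.20.0.15 proto=tcp dpt=1745",
    "2021-07-26T10:03:05Z fw1 action=DROP src=198.51.100.9 dst=10.20.0.15 proto=tcp dpt=443",
    "2021-07-26T10:04:33Z fw1 action=ACCEPT src=198.51.100.9 dst=10.20.0.15 proto=tcp dpt=443",
]

if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS):
        print(f"listener on {addr}:{port} is wildcard/external; restrict to internal ranges")
    for src, dst, dport in external_hits(SAMPLE_FW):
        print(f"firewall accepted {src} -> {dst}:{dport}; review and block until patched")
```

Run against real `ss -tln` output and your firewall's accept log, the first check tells you which bindings to restrict and the second whether anything outside your network has already reached those ports. The internal-range list deliberately drives both checks, so a host with an unexpected public address or a firewall rule that is too permissive shows up the same way.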
According to BleepingComputer, DIVD will try to inform the owners of vulnerable systems so that those systems can be taken offline until a patch is released.