The Dutch Institute for Vulnerability Disclosure (DIVD) issued an advisory last week for three new vulnerabilities found in Kaseya’s Unitrends backup software. Each of the vulnerabilities affects Unitrends versions before 10.5.2 and DIVD is recommending that organizations “Do not expose this service or the clients (running default on ports 80, 443, 1743, 1745) directly to the internet until Kaseya has patched these vulnerabilities.” Although the vulnerabilities are described as more difficult to exploit than the recent zero-days used to infect Kaseya’s clients with REvil, they still allow for both authenticated and unauthenticated remote code execution and privilege escalation.
The advisory was initially released with a TLP:AMBER designation meaning it was meant only to be shared with “members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm.” Many researchers share information with various TLP designations to quickly easily convey the level of sensitivity the intelligence should be handled with. Unfortunately, one of the original recipients of the advisory uploaded the information to another platform where it then became accessible to anyone else with access to that service. Because of this, DIVD has publicly released the advisory as of July 25th.
Binary Defense highly recommends follow the advice given by DIVD and ensuring that the Unitrends service is not exposed to the internet. Ports 80, 443, 1743 and 1745 are listed in the advisory. No patch is currently available for Kaseya’s Unitrends software, so Binary Defense also recommends watching the official website or contacting Kaseya directly for information on patch availability.