Nearly two weeks after attackers exploited Kaseya VSA systems to deploy REvil ransomware, the company has released a security update for the on-premise and SaaS versions of the software. Kaseya released VSA 9.5.7a on Sunday, July 11th. The release notes list seven CVEs (Common Vulnerabilities and Exposures), four of which had already been addressed in VSA 9.5.5 or 9.5.6.
- VSA 9.5.7
  - CVE-2021-30116 – Credentials leak and business logic flaw
  - CVE-2021-30119 – Cross-Site Scripting vulnerability
  - CVE-2021-30120 – 2FA bypass
- VSA 9.5.6
  - CVE-2021-30117 – SQL injection
  - CVE-2021-30121 – Local file inclusion (LFI) vulnerability
  - CVE-2021-30201 – XML External Entity vulnerability
- VSA 9.5.5
  - CVE-2021-30118 – Remote code execution (RCE) vulnerability
The update to 9.5.7 also addresses several vulnerabilities that were not assigned CVE identifiers, such as password hashes being returned in some API responses and unauthorized file uploads. Many features have also been deprecated, replaced or temporarily disabled until further notice in version 9.5.7. For full details, see the release notes for VSA 9.5.7a.
Binary Defense strongly recommends that on-premise Kaseya VSA customers apply update 9.5.7a as soon as possible to prevent exploitation. The now-patched vulnerabilities were exploited by the REvil ransomware operators to encrypt the systems of many Kaseya customers' clients. For SaaS-based customers, the release notes also provide a “VSA SaaS Startup Guide” and a “VSA SaaS Security Best Practices Guide”. Upon updating, all users will be forced to change their passwords. VSA administrators are strongly encouraged to read the full release notes to see which features have been modified or disabled for security reasons.