Kaseya VSA Remote Code Execution Vulnerability (CVE-2021-30116)

Jul 07, 2021 GMT+08:00

I. Overview

Kaseya has officially disclosed a remote code execution vulnerability in Kaseya VSA (CVE-2021-30116). Remote attackers can exploit this vulnerability to perform SQL injection, bypass VSA authentication, and upload malicious files, taking control of the VSA management system without authenticating. According to Kaseya, malware including REvil has been exploiting VSA vulnerabilities to launch ransomware attacks.

Kaseya VSA is software used for centralized enterprise IT management. If you are a Kaseya VSA user, check your system and apply security hardening promptly.

References:

https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689

https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/

https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa

II. Severity

Severity: important

(Severity levels: low, moderate, important, and critical)

III. Affected Products

Affected versions:

All Kaseya VSA versions

IV. Security Recommendations

No official patch has been released to fix the vulnerability. Perform the following steps to mitigate the risk:

1. Disconnect the local VSA server from the network and keep the device offline.

2. Use the official Kaseya VSA detection tool to detect VSA-controlled devices. Download link: https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.