{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-30116", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2023-10-23T13:12:39.540601", "dateReserved": "2021-04-02T00:00:00", "datePublished": "2021-07-09T00:00:00"}, "containers": {"cna": {"title": "Unauthenticated credential leak and business logic flaw in Kaseya VSA <= v9.5.6", "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-10-23T13:12:39.540601"}, "descriptions": [{"lang": "en", "value": "Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\\Program Files (x86)\\Kaseya\\XXXXXXXXXX\\KaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/"}, {"url": "https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021"}, {"url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"}, {"url": "https://www.secpod.com/blog/kaseya-vsa-zero-day-by-revil/"}], "credits": [{"lang": "en", "value": "Discovered by Wietse Boonstra of DIVD"}, {"lang": "en", "value": "Additional research by Frank Breedijk of DIVD"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"advisory": "DIVD-2021-00011", "discovery": "INTERNAL"}, "solutions": [{"lang": "en", "value": "Upgrade to a version after 9.5.6"}]}}}

{"cisaActionDue": "2021-11-17", "cisaExploitAdd": "2021-11-03", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Kaseya Virtual System/Server Administrator (VSA) Information Disclosure Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kaseya:vsa_agent:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2019D8D-BA9B-4DE2-8628-F0776FACE360", "versionEndExcluding": "9.5.0.24", "vulnerable": true}, {"criteria": "cpe:2.3:a:kaseya:vsa_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "9529A08E-3306-4D61-AD50-D66548E7427A", "versionEndExcluding": "9.5.7a", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\\Program Files (x86)\\Kaseya\\XXXXXXXXXX\\KaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system."}, {"lang": "es", "value": "Kaseya VSA antes de la versi\u00f3n 9.5.7 permite la divulgaci\u00f3n de credenciales, como se explot\u00f3 en la naturaleza en julio de 2021. Por defecto, Kaseya VSA on premise ofrece una p\u00e1gina de descarga donde se pueden descargar los clientes para la instalaci\u00f3n. La URL por defecto para esta p\u00e1gina es https://x.x.x.x/dl.asp. Cuando un atacante descarga un cliente para Windows y lo instala, se genera el archivo KaseyaD.ini (C:\\aArchivos de Programa (x86)\\aKaseyaXXXXXX\\aKaseyaD.ini) que contiene un Agent_Guid y AgentPassword. Este Agent_Guid y AgentPassword pueden ser utilizados para iniciar sesi\u00f3n en dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&amp;pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9). Esta solicitud autentifica al cliente y devuelve una cookie sessionId que puede ser utilizada en ataques posteriores para evadir la autenticaci\u00f3n. Problemas de seguridad descubiertos --- * La p\u00e1gina de descarga no autenticada filtra credenciales * Las credenciales del software del agente pueden ser usadas para obtener un sessionId (cookie) que puede ser usado para servicios no destinados a ser usados por los agentes * dl.asp acepta credenciales a trav\u00e9s de una solicitud GET * El acceso a KaseyaD.ini le da a un atacante acceso a suficiente informaci\u00f3n para penetrar la instalaci\u00f3n de Kaseya y sus clientes. Impacto --- A trav\u00e9s de la p\u00e1gina /dl.asp se puede obtener suficiente informaci\u00f3n para dar a un atacante un sessionId que puede ser usado para ejecutar m\u00e1s ataques (semiautenticados) contra el sistema"}], "id": "CVE-2021-30116", "lastModified": "2023-10-23T14:15:09.250", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2021-07-09T14:15:07.770", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021"}, {"source": "cve@mitre.org", "url": "https://www.secpod.com/blog/kaseya-vsa-zero-day-by-revil/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}