Kaseya has patched vulnerabilities in its VSA software that ransomware actors leveraged in a massive attack that used managed service providers to encrypt the data of about 1,500 business customers.
The patch included in the VSA 9.5.7a release for on-premises versions of Kaseya’s remote monitoring solution was published Sunday afternoon, and all the company’s software-as-a-service (SaaS) customers were back online by early this morning, according to updates on the software company’s website.
As posted in the previous update, we released the patch to VSA On-Premises customers and began deploying to our VSA SaaS Infrastructure prior to the 4:00 PM target. The restoration of services is now complete, with 100% of our SaaS customers live as of 3:30 AM US EDT. Our support teams continue to work with VSA On-Premises customers who have requested assistance with the patch.
We will continue to post updates as new information becomes available.
According to BleepingComputer, seven vulnerabilities were discovered by the Dutch Institute for Vulnerability Disclosure in April, and Kaseya had already patched most of the VSA SaaS service, but had not yet completed the patches for on-premises versions.
That’s where the REvil ransomware gang capitalized, leveraging those vulnerabilities on July 2 against about 60 MSPs using on-premises VSA servers for their customers.
It is unclear which vulnerabilities were leveraged in the attack, but BleepingComputer postulates that it could have been a combination of a credentials leak and business logic flaw, a cross-site scripting vulnerability, and a two-factor authentication bypass.
Once the attack was discovered, Kaseya urged customers to shut down their on-premises VSA servers until a patch was published.
According to Kaseya’s website, the patch fixes these issues:
- Credentials leak and business logic flaw: CVE-2021-30116
- Cross-Site Scripting vulnerability: CVE-2021-30119
- 2FA bypass: CVE-2021-30120
- An issue where the Secure flag was not being used for User Portal session cookies.
- An issue where certain API responses would contain a password hash, potentially exposing any weak passwords to brute-force attacks. The password value is now masked completely.
- A vulnerability that could allow the unauthorized upload of files to the VSA server.
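Two of the items above, the missing Secure flag on session cookies and the password hash returned in API responses, are ones an administrator can verify directly against a patched instance. The following post-patch check is an added example, not Kaseya's code; the cookie name, field name and response shapes are constructed assumptions, and it also checks for HttpOnly, which goes beyond what the patch notes mention.

```python
"""Post-patch validation of two fixes listed in the VSA 9.5.7a notes:
Set-Cookie headers should carry the Secure flag, and API responses
should no longer contain unmasked password hashes."""
import json
import re

# Key names that should only ever hold a fully masked value in API output.
SENSITIVE_KEY = re.compile(r"pass(word)?|pwd|hash", re.IGNORECASE)
MASK = re.compile(r"^\*+$")  # "********" is the only acceptable value


def cookie_findings(set_cookie_headers):
    """Map cookie name -> list of missing flags ('secure', 'httponly')."""
    findings = {}
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


def unmasked_password_fields(obj, path="$"):
    """Walk a decoded JSON body; return paths of password-like fields
    whose value is neither empty nor fully masked."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if SENSITIVE_KEY.search(key) and isinstance(value, str) \
                    and value and not MASK.match(value):
                hits.append(child)
            hits += unmasked_password_fields(value, child)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits += unmasked_password_fields(value, f"{path}[{i}]")
    return hits


# Constructed samples (names are assumptions, not VSA's real identifiers).
BEFORE_COOKIES = ["sessionId=abc123; Path=/; HttpOnly"]
AFTER_COOKIES = ["sessionId=abc123; Path=/; HttpOnly; Secure"]
BEFORE_BODY = json.loads(
    '{"users":[{"name":"admin","PasswordHash":"5f4dcc3b5aa765d61d8327deb882cf99"}]}')
AFTER_BODY = {"users": [{"name": "admin", "PasswordHash": "********"}]}


def audit(set_cookie_headers, body):
    """Combine both checks; an empty result means both fixes are in place."""
    return {"cookies_missing_flags": cookie_findings(set_cookie_headers),
            "unmasked_password_fields": unmasked_password_fields(body)}
```

Running `audit()` over the "before" samples reports the session cookie lacking Secure and the exposed hash path; over the "after" samples both lists are empty.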
Previous VSA releases (9.5.5 and 9.5.6) fixed several vulnerabilities, including:
- Remote Code Execution vulnerability: CVE-2021-30118
- SQL injection vulnerability: CVE-2021-30117
- Local File Inclusion vulnerability: CVE-2021-30121
- XML External Entity vulnerability: CVE-2021-30201
After installing the patch, users will have to change their password upon login and adhere to new, stronger password requirements.
Kaseya also notes that it is no longer possible to download an agent installation package without authenticating to VSA, which will impact some legitimate use cases. The company says the ability to deploy agents for these legitimate external use cases will be restored in a future release.
It is also no longer possible to disable Agent Procedure signing and approval, and all agent procedure changes must be approved by a master admin.
The update impacts other functions of the software, including helpdesk ticketing, the user portal, and more. Read the company’s patch notes for more information.