Kaseya releases security patches for critical vulnerabilities in its Virtual System Administrator (VSA) after facing a cyberattack.
Who is Kaseya?
Kaseya Virtual System Administrator (VSA) provides a cloud-based IT management and remote monitoring solution for managed service providers (MSPs). It offers a centralized console for monitoring and managing endpoints, automating IT processes, deploying security patches, and controlling access via two-factor authentication.
A ransomware attack was identified in Kaseya systems. Wietse Boonstra, a DIVD security researcher, had previously identified a number of the zero-day vulnerabilities [CVE-2021-30116] that are currently being used in the ransomware attacks.
The REvil group posted on their dark web data leak site: “On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour.”
CISA issued guidelines.
CISA and FBI issued guidelines for MSPs and their Customers Affected by the Kaseya Virtual System Administrator (VSA) Supply-Chain Ransomware Attack.
Kaseya Releases Updates
Following is a detailed list of vulnerability reference disclosures addressed in this release:
- Credentials leak and business logic flaw: CVE-2021-30116
- Cross-Site Scripting vulnerability: CVE-2021-30119
- 2FA bypass: CVE-2021-30120
- Fixed an issue where the secure flag was not being used for User Portal session cookies.
- Fixed an issue where certain API responses would contain a password hash, potentially exposing any weak passwords to brute force attack. The password value is now masked completely.
- Fixed a vulnerability that could allow the unauthorized upload of files to the VSA server.
Following is a list of recently disclosed vulnerabilities that were fixed in previous VSA Releases:
Fixed in VSA 9.5.5:
- Remote Code Execution vulnerability: CVE-2021-30118
Fixed in VSA 9.5.6:
- SQL injection vulnerability: CVE-2021-30117
- Local File Inclusion vulnerability: CVE-2021-30121
- XML External Entity vulnerability: CVE-2021-30201
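A post-patch check for two of the fixes listed above for this release (the Secure flag on session cookies and password hashes in API responses), as an added example that is not Kaseya's code: it inspects captured Set-Cookie headers and a decoded JSON response. The cookie names, JSON field names and the hash-shape heuristic are assumptions, and the sample data is constructed.

```python
import json
import re

# Assumption: key names that suggest a credential field; not taken from the VSA API.
SUSPECT_KEYS = re.compile(r"pass(word)?|pwd|hash", re.I)
# Heuristic: hex digests of common lengths (MD5, SHA-1, SHA-256, SHA-512) or bcrypt strings.
HASH_LIKE = re.compile(
    r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}|[0-9a-f]{128}|\$2[aby]\$\d\d\$.{53})$",
    re.I,
)

def cookies_missing_secure(set_cookie_headers):
    """Return names of cookies whose Set-Cookie header lacks the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; Secure carries no value.
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        if "secure" not in attrs:
            missing.append(name)
    return missing

def leaked_hash_fields(body, path="$"):
    """Walk decoded JSON; return paths of credential-named keys holding hash-like strings."""
    hits = []
    if isinstance(body, dict):
        for key, value in body.items():
            child = f"{path}.{key}"
            if isinstance(value, str) and SUSPECT_KEYS.search(key) and HASH_LIKE.match(value):
                hits.append(child)
            else:
                hits.extend(leaked_hash_fields(value, child))
    elif isinstance(body, list):
        for i, item in enumerate(body):
            hits.extend(leaked_hash_fields(item, f"{path}[{i}]"))
    return hits

# Constructed sample data (not real VSA output).
SAMPLE_HEADERS = [
    "sessionId=abc123; Path=/; HttpOnly",
    "portalSession=def456; Path=/; HttpOnly; SECURE; SameSite=Strict",
]
SAMPLE_BODY = json.loads("""{"Result": [
  {"UserName": "alice", "Password": "0123456789abcdef0123456789abcdef"},
  {"UserName": "bob", "Password": "********"}]}""")

if __name__ == "__main__":
    print("Cookies without Secure:", cookies_missing_secure(SAMPLE_HEADERS))
    print("Hash-like credential fields:", leaked_hash_fields(SAMPLE_BODY))
```

A masked value such as `********` does not match the hash heuristic, so a fully patched response yields an empty list.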
THIS RELEASE WILL FORCE ALL USERS TO CHANGE THEIR PASSWORD UPON LOGIN.
After installing this patch, all users will be re-directed to the System > User Settings > Change Logon page, where they will be required to change their password. The page has been updated with the new password requirements.
All VSA users must use a strong password. The following changes have been made to System > Server Management > Logon Policy:
- Require password change cannot be more than 30 days
- Enforce minimum password length cannot be less than 16 characters
- Prohibit password reuse cannot be less than 5 passwords
- All complexity rules are now enforced by the system