Kaseya Full Disclosure
04 Apr 2022 - Frank Breedijk
In honor of our appearance on the Ransomware Files podcast episode #6 we are releasing the full details of the vulnerabilities we found during our research into Kaseya VSA of which some were used by REvil to attack Kaseya’s customers.
The details can be found in our CVE entries:
- CVE-2021-30116 - Unauthenticated credentials leak via client download page
- CVE-2021-30117 - SQL injection in Kaseya VSA Unified Remote Monitoring & Management (RMM)
- CVE-2021-30118 - Unauthenticated Arbitrary File Upload with Web server rights
- CVE-2021-30119 - Authenticated reflective XSS
- CVE-2021-30120 - Bypass 2FA
- CVE-2021-30121 - Semi-authenticated local file inclusion
- CVE-2021-30201 - Unauthenticated XML Entity Attack (XXE)
In addition, we have published a translation of the chapter on Kaseya VSA from Gerard Jansssen’s book Hackers which gives a behind the scenes look at what happened at the time.
We are also releasing two github repositories:
- Kaseya-scanning - This repository contains the scripts we used to find exposed Kaseya VSA instances
- Kaseya-2021-00002 - This repository contains proof of concept code and NSE scripts related to the vulnerabilities
Last modified: 18 Jan 2023 13:28