DIVD-2021-00011 - Kaseya VSA Disclosure

Our reference	DIVD-2021-00011
Case lead	Frank Breedijk
Author	Lennaert Oudshoorn
Researcher(s)	Wietse Boonstra Lennaert Oudshoorn Victor Gevers Frank Breedijk Hidde Smit
CVE(s)	CVE-2021-30116 CVE-2021-30117 CVE-2021-30118 CVE-2021-30119 CVE-2021-30120 CVE-2021-30121 CVE-2021-30201
Product	Kaseya VSA
Versions	All on-premise Kaseya VSA versions.
Recommendation	All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture.
Status	Closed
Last modified	12 Aug 2022 11:21

Summary

One of our researchers found multiple vulnerabilities in Kaseya VSA, which we were in the process of responsible disclosure (or Coordinated Vulnerability Disclosure) with Kaseya, before all these vulnerabilities could be patched a ransomware attack happened using Kaseya VSA.

Ever since we released the news that we indeed notified Kaseya of a vulnerability used in the ransomware attack, we have been getting requests to release details about these vulnerabilities and the disclosure timeline. In line with the guidelines for Coordinated Vulnerability Disclosure we have not disclosed any before 7 Juli 2021. And we have now released the full details of the vulnerabilities we discovered.

The vulnerabilities

We notified Kaseya of the following vulnerabilities:

CVE-2021-30116 - A credentials leak and business logic flaw, to be included in 9.5.7
CVE-2021-30117 - An SQL injection vulnerability, resolved in May 8th patch.
CVE-2021-30118 - A Remote Code Execution vulnerability, resolved in April 10th patch. (v9.5.6)
CVE-2021-30119 - A Cross Site Scripting vulnerability, to be included in 9.5.7
CVE-2021-30120 - 2FA bypass, to be resolved in v9.5.7
CVE-2021-30121 - A Local File Inclusion vulnerability, resolved in May 8th patch.
CVE-2021-30201 - A XML External Entity vulnerability, resolved in May 8th patch.

What you can do

All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to be installed prior to restarting the VSA and a set of recommendations on how to increase your security posture.

Kaseya has released a Detection tool tool help determine if a system has been compromised.

Cado Security has made a github repository with Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack.

We recommend that any Kaseya server is carefully checked for signs of compromise before taking it back into service, including, but not limited to, the IoCs published by Kaseya.

What have done

The Dutch Institute for Vulnerability Disclosure (DIVD) performs a daily scan to detect vulnerable Kaseya VSA servers and notify the owners directly or via the known abuse channels, Gov-CERTs, and other trusted channels.

We have identified this server by downloading the paths ‘/’, ‘/api/v1.5/cw/environment’ and ‘/install/kaseyalatestversion.xml’ and matching patterns in these files.

In the past few days we have been working with Kaseya to make sure customers turn off their systems, by tipping them off about customers that still have systems online, and hope to be able to continue to work together to ensure that their patch is installed everywhere.

Timeline

Date	Description
01 Apr 2021	Research start
02 Apr 2021	DIVD starts scanning internet-facing implementations.
04 Apr 2021	Start of the identification of possible victims (with internet-facing systems).
06 Apr 2021	Kaseya informed.
06 Apr 2021- 08 May 2021	Time to fix CVE-2021-30118
10 Apr 2021	Vendor starts issuing patches v9.5.5. Resolving CVE-2021-30118.
06 Apr 2021- 08 May 2021	Time to fix CVE-2021-30117 and CVE-2021-30121
08 May 2021	Vendor issues another patch v9.5.6. Resolving CVE-2021-30117, CVE-2021-30121, CVE-2021-30201.
04 Jun 2021	DIVD CSIRT hands over a list of identified Kaseya VSA hosts to Kaseya.
06 Apr 2021- 26 Jun 2021	Time to fix CVE-2021-30119
26 Jun 2021	Kaseya released 9.5.7 on SaaS Resolving CVE-2021-30116 and CVE-2021-30119.
02 Jul 2021	DIVD responds to the ransomware, by scanning for Kaseya VSA instances reachable via the Internet and sends out notifications to network owners
06 Apr 2021- 07 Jul 2021	Time to disclosure
07 Jul 2021	Limited publication (after 3 months).
26 Jun 2021- 04 Apr 2022	Time from fix to full disclosure
04 Apr 2022	Full disclosure

gantt title DIVD-2021-00011 - Kaseya VSA Disclosure dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2021-00011 - Kaseya VSA Disclosure (97 days) :2021-04-01, 2021-07-07 section Events Research start : milestone, 2021-04-01, 0d DIVD starts scanning internet-facing implementations. : milestone, 2021-04-02, 0d Start of the identification of possible victims (with internet-facing systems). : milestone, 2021-04-04, 0d Kaseya informed. : milestone, 2021-04-06, 0d Time to fix CVE-2021-30118 (32 days) : 2021-04-06, 2021-05-08 Vendor starts issuing patches v9.5.5. Resolving CVE-2021-30118. : milestone, 2021-04-10, 0d Time to fix CVE-2021-30117 and CVE-2021-30121 (32 days) : 2021-04-06, 2021-05-08 Vendor issues another patch v9.5.6. Resolving CVE-2021-30117, CVE-2021-30121, CVE-2021-30201. : milestone, 2021-05-08, 0d DIVD CSIRT hands over a list of identified Kaseya VSA hosts to Kaseya. : milestone, 2021-06-04, 0d Time to fix CVE-2021-30119 (81 days) : 2021-04-06, 2021-06-26 Kaseya released 9.5.7 on SaaS Resolving CVE-2021-30116 and CVE-2021-30119. : milestone, 2021-06-26, 0d DIVD responds to the ransomware, by scanning for Kaseya VSA instances reachable via the Internet and sends out notifications to network owners : milestone, 2021-07-02, 0d Time to disclosure (92 days) : 2021-04-06, 2021-07-07 Limited publication (after 3 months). : milestone, 2021-07-07, 0d Time from fix to full disclosure (282 days) : 2021-06-26, 2022-04-04 Full disclosure : milestone, 2022-04-04, 0d

DIVD CSIRT