DIVD-2021-00014 - Kaseya Unitrends
| Field | Value |
| --- | --- |
| Case lead | Victor Gevers |
| Recommendation | Do not expose this service or the clients directly to the internet until Kaseya has patched these vulnerabilities. |
| Patch status | Server side vulnerabilities patched in v10.5.5-2, no patches available for the client |
| Workaround | Workaround available for the client, in Kaseya knowledge base |
| Last modified | 11 Jan 2022 11:41 |
A DIVD researcher has identified three vulnerabilities in the Kaseya Unitrends backup product.
Server software prior to v10.5.5-2 is vulnerable to:
- CVE-2021-40385, a privilege escalation vulnerability from read-only user to admin, and
- CVE-2021-40387, an authenticated remote code execution vulnerability.
Client software (any version) is currently vulnerable to:
- CVE-2021-40386, an as yet unpatched and undisclosed vulnerability in the client.
What you can do
Patch the server software to at least version 10.5.5-2 to remove these vulnerabilities. As per Kaseya’s firewall requirements, you are strongly advised not to expose this product to the public internet.
The client side vulnerability can currently only be mitigated with firewall rules. Filter traffic to and from the client using the recommended mitigation from the knowledge base article.
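Deciding which servers in an inventory still need the patch is a version comparison, and the build suffix in "v10.5.5-2" makes naive string comparison unreliable. The following is an added example (not DIVD or Kaseya code) that parses version strings in the layout the advisory uses and flags anything below v10.5.5-2; the hostnames and version strings in it are constructed.

```python
"""Flag Kaseya Unitrends servers below the patched release named in
DIVD-2021-00014 (v10.5.5-2). Added example, not DIVD or Kaseya code;
the 'v10.5.5-2' dotted-number plus '-build' layout is assumed."""
import re

PATCHED_VERSION = "10.5.5-2"  # from the advisory: server side fixed in v10.5.5-2

# Optional leading 'v', dotted numbers, optional '-<build>' suffix.
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:-(\d+))?$")


def parse_version(text):
    """'v10.5.5-2' -> ((10, 5, 5), 2); dotted parts padded to three,
    a missing '-build' suffix counts as build 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts), int(m.group(2) or 0)


def is_server_vulnerable(version):
    """True when the version predates the patched release. Numeric
    comparison matters: as strings '10.5.10' sorts before '10.5.5' and
    would wrongly flag a newer server as unpatched."""
    return parse_version(version) < parse_version(PATCHED_VERSION)


def triage(inventory):
    """Hostnames from a {host: version} inventory that still need patching."""
    return sorted(h for h, v in inventory.items() if is_server_vulnerable(v))


if __name__ == "__main__":
    # Constructed sample inventory of Unitrends servers.
    sample = {
        "backup-01.example.internal": "v10.5.5-1",
        "backup-02.example.internal": "10.5.5-2",
        "backup-03.example.internal": "10.4.9",
        "backup-04.example.internal": "v10.5.10",
    }
    for host in triage(sample):
        print(f"{host}: {sample[host]} is below {PATCHED_VERSION}; "
              "patch for CVE-2021-40385 and CVE-2021-40387")
```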
What we are doing
The Dutch Institute for Vulnerability Disclosure (DIVD) performs a daily scan to detect vulnerable Kaseya Unitrends servers and notifies the owners directly or via the known abuse channels, Gov-CERTs and CSIRTs, and other trusted channels.
| Date | Event |
| --- | --- |
| 02 Jul 2021 | Vulnerabilities discovered. |
| 03 Jul 2021 | Vendor informed. |
| 03 Jul 2021 to 12 Aug 2021 | Vendor works on server patch. |
| from 03 Jul 2021 | Vendor works on client patch. |
| 14 Jul 2021 | Scanning internet-facing implementations. |
| 15 Jul 2021 | Start of the identification of possible vulnerable internet-facing systems. |
| 12 Aug 2021 | Patches released for the Unitrends server (v10.5.5-2) that address these vulnerabilities. |
| 06 Sep 2021 | Added official CVE numbers to this case and site. |