
DIVD-2021-00014 - Kaseya Unitrends

Our reference DIVD-2021-00014
Case lead Frank Breedijk
Author Victor Gevers and Frank Breedijk
Researcher(s)
CVE(s)
Product Kaseya Unitrends
Versions
  • Server < 10.5.5-2
  • Client < 10.6.2
Recommendation Patch the client and server components to the latest version. We recommend not to expose this service or the clients directly to the internet but to use additional access control measures in front of it.
Patch status Patches available
Workaround Workaround available for the client, in Kaseya knowledge base
Status Closed
Last modified 05 Jul 2023 11:20 CEST

Summary

A DIVD researcher has identified three vulnerabilities in the Kaseya Unitrends backup product.

Server software prior to v10.5.5-2 is vulnerable to:

Client software prior to v10.6.2 is vulnerable to:

What you can do

Patch server software to at least version 10.5.5-2 to remove these vulnerabilities. As per Kaseya’s firewall requirements you are strongly advised not to expose this product to public internet.

Patch client software to at least version 10.6.2. The client-side vulnerability can also be mitigated with firewall rules: filter traffic to and from the client using the recommended mitigation from the Kaseya knowledge base article.

What we were doing

The Dutch Institute for Vulnerability Disclosure (DIVD) performed a scan to detect vulnerable Kaseya Unitrends servers and notify the owners directly or via the known abuse channels, Gov-CERTs and CSIRTs, and other trusted channels.

Timeline

Date Description
02 Jul 2021 Vulnerabilities discovered.
03 Jul 2021 Vendor informed.
03 Jul 2021 - 04 Jul 2021 Time to acknowledge security issue (1 day)
14 Jul 2021 Scanning internet-facing implementations.
15 Jul 2021 Start of the identification of possible vulnerable internet-facing systems.
03 Jul 2021 - 12 Aug 2021 Time to fix server side vulnerabilities (40 days)
12 Aug 2021 Patches released for the Unitrends server (v10.5.5-2) that address CVE-2021-40385 and CVE-2021-40387
01 Sep 2021 CVE records published by Mitre
06 Sep 2021 Added official CVE numbers to this case and site
04 Jul 2021 - 06 Apr 2022 Time to fix client side vulnerabilities (276 days)
06 Apr 2022 Patches released for the Unitrends client (v10.6.2) that (silently) address CVE-2021-40386
05 Jul 2023 Case closed
Case duration: 02 Jul 2021 - 05 Jul 2023 (733 days)