
DIVD-2021-00014 - Kaseya Unitrends

Our reference: DIVD-2021-00014
Case lead: Victor Gevers
Researcher(s):
CVE(s):
  • n/a
Product: Kaseya Unitrends
Versions:
  • Server < 10.5.5-2
  • Client: currently unpatched, all versions likely vulnerable
Recommendation: Do not expose this service or the clients directly to the internet until Kaseya has patched these vulnerabilities.
Patch status: Server-side vulnerabilities patched in v10.5.5-2; no patches available for the client.
Workaround: Workaround available for the client in the Kaseya knowledge base.
Status: Open
Last modified: 12 Aug 2022 11:21

Summary

A DIVD researcher has identified three vulnerabilities in the Kaseya Unitrends backup product.

Server software prior to v10.5.5-2 is vulnerable to:

Client software (any version) is currently vulnerable to:

What you can do

Patch the server software to at least version 10.5.5-2 to remove these vulnerabilities. As per Kaseya’s firewall requirements, you are strongly advised not to expose this product to the public internet.

The client-side vulnerability can currently only be mitigated with firewall rules. Filter traffic to and from the client using the recommended mitigation from the knowledge base article.

What we are doing

The Dutch Institute for Vulnerability Disclosure (DIVD) performs a daily scan to detect vulnerable Kaseya Unitrends servers and notifies the owners directly or via the known abuse channels, Gov-CERTs and CSIRTs, and other trusted channels.

Timeline

Date                       Description
02 Jul 2021                Vulnerabilities discovered.
03 Jul 2021                Vendor informed.
03 Jul 2021 - 12 Aug 2021  Vendor works on server patch.
03 Jul 2021 - ?            Vendor works on client patch.
14 Jul 2021                Scanning internet-facing implementations.
15 Jul 2021                Start of the identification of possibly vulnerable internet-facing systems.
12 Aug 2021                Patches released for the Unitrends server (v10.5.5-2) that address these vulnerabilities.
06 Sep 2021                Added official CVE numbers to this case and site.