On-Premises Software Patched, SaaS to Come Online Again
Miami-based software company Kaseya released patches on Sunday for its monitoring and management software that was exploited by a ransomware group.
Kaseya has released fixes for the on-premises version of its Virtual System Administrator, or VSA, software. In its advisory, Kaseya said the software-as-a-service version of VSA, which has also been patched, would be brought back online incrementally.
Both the on-premises and SaaS releases are tagged VSA 9.5.7a. Kaseya has updated its guide for safely restarting VSA and has support staff ready to help customers, Mike Sanders, executive vice president, said in a video update earlier on Sunday.
The new version fixes CVE-2021-30116, a credential leak and business logic flaw; CVE-2021-30119, a cross-site scripting vulnerability; and CVE-2021-30120, a vulnerability that allowed two-factor authentication to be bypassed.
The update also fixes three other issues, Kaseya says.
Kaseya describes one issue as the Secure flag not being set on user portal session cookies, which means a browser would also send the session cookie over unencrypted HTTP connections. Another fix stops a password hash from being exposed, which would give an attacker material for a brute-force attack against it. The last patch fixes a bug that could allow unauthorized uploading of files to a VSA server.
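The first of those three fixes is a checkable property of any web application's responses. The following is an added example, not code from the article or from Kaseya: it parses a Set-Cookie header and reports the session-cookie hardening attributes that are missing. The two headers are constructed for illustration (the cookie name SESSIONID and its value are made up, not taken from VSA); the "before" header lacks the Secure flag, the defect class described above, and the "after" header shows the hardened form. The check also looks for HttpOnly and SameSite, which goes beyond what the advisory reports, because a practitioner auditing session cookies would want all three.

```python
"""Audit Set-Cookie headers for missing session-cookie security attributes.

Constructed example: the header strings below are made up for illustration
and are not captured from any Kaseya product.
"""


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into cookie name/value and its attributes.

    Attribute names are lower-cased. Flag attributes (Secure, HttpOnly) map
    to True; valued attributes (Path, SameSite, ...) map to their value.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("malformed Set-Cookie header: %r" % header)
    name, value = parts[0].split("=", 1)
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str) -> list:
    """Return the list of findings for a session cookie header (empty list = OK)."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        # Without Secure the browser sends the cookie over plain http:// too,
        # exposing the session token to anyone on the network path.
        findings.append("missing Secure")
    if "httponly" not in attrs:
        # Without HttpOnly, script injected via XSS can read the cookie.
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        # SameSite=Lax or Strict limits cross-site request forgery.
        findings.append("SameSite not Lax/Strict")
    return findings


# Constructed headers: BEFORE omits Secure (the defect class described above),
# AFTER is what a hardened session cookie should look like.
BEFORE = "SESSIONID=abc123; Path=/; HttpOnly"
AFTER = "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for label, hdr in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_cookie(hdr) or "OK")
```

Run against a real deployment, the headers would come from the HTTP response of the login endpoint rather than from the constants above; the audit logic is the same.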
Those three vulnerabilities were the last of seven vulnerabilities Kaseya has been working to fix since April when it was first alerted by Dutch researchers of problems in its VSA software.
The vulnerabilities were found by Wietse Boonstra, a researcher with the Dutch Institute for Vulnerability Disclosure (DIVD), a volunteer group of security researchers. DIVD notified Kaseya on April 6 of vulnerabilities in VSA.
DIVD discovered seven vulnerabilities, all of which affected on-premises VSA and six of which affected the SaaS version of VSA. Kaseya was still working on fixes for the problems when actors affiliated with the REvil ransomware group struck on July 2 (see Kaseya Raced to Patch Before Ransomware Disaster).
VSA is software used by managed service providers to manage the IT infrastructure of their clients. REvil disguised its ransomware as an update to VSA's agent software, which runs on the managed endpoints. VSA is designed to let remote administrators push updates, configuration changes and software to those endpoints, so the attackers used VSA exactly as intended, turning a management tool into a mass ransomware distribution channel.
Kaseya has said that up to 60 of its own direct customers were infected, along with up to 1,500 of those customers' downstream clients. Those have included small businesses such as accounting offices and restaurants, but also much larger companies such as Sweden's Coop grocery chain, whose point-of-sale devices were infected via its own MSP's Kaseya software (see Kaseya: Up to 1,500 Organizations Hit in Ransomware Attack).