S4E

CVE-2017-18362 Scanner

CVE-2017-18362 Scanner - Remote Code Execution vulnerability in Kaseya VSA ConnectWise ManagedITSync

Short Info

Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 9 days 21 hours
Scan only one: Domain, Subdomain, IPv4

The Kaseya VSA ConnectWise ManagedITSync is a widely used integration tool that IT service management teams and managed service providers rely on to synchronize data between Kaseya VSA and ConnectWise. It is primarily used to enhance functionality, streamline operations, and manage extensive IT infrastructures effectively. IT professionals and organizations use the integration to automate tasks, process incidents, synchronize configuration items, and maintain accountability in service delivery. It is designed to improve operational efficiency, reduce manual effort, and raise the overall quality of managed service delivery. The integration also provides extensive reporting capabilities, allowing better tracking of and insight into infrastructure management.

A Remote Code Execution (RCE) vulnerability allows an attacker to remotely execute arbitrary code on a target system or network. In the case of Kaseya VSA ConnectWise ManagedITSync, the vulnerability was associated with unauthenticated remote commands on the managed interface. This gives attackers a potential path to execute unwanted commands, manipulate database entries, or even deploy malicious payloads. Because RCE is critical in nature, an attacker gaining such access could cause severe impact, including unauthorized access to sensitive data, full control of systems, and potential lateral movement within a network.

The vulnerability is linked to how the ManagedIT.asmx page of ConnectWise ManagedITSync handles SQL queries. With the vulnerability discovered in the 2017 version of Kaseya VSA, attackers were able to exploit unauthenticated remote commands to run arbitrary SQL queries. When the problematic endpoint, ManagedIT.asmx, is exposed, anyone who can reach it can issue SQL commands without authentication, leaving the database open to both read and write operations. This indicates poor input validation and inadequate security measures on key web service pages exposed through the Kaseya interface.
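A defender-side check for the exposure described above, as an added example that is not part of the original page or the scanner's own code: it reads IIS W3C-format access logs, finds requests for ManagedIT.asmx, and lists untrusted client IPs that received a 2xx response. The log format, the /example/ path, the sample rows and the trusted range are assumptions constructed for illustration.

```python
import ipaddress

ENDPOINT = "managedit.asmx"  # page named in the text above; compared case-insensitively

# Constructed sample in IIS W3C extended log format (placeholder path, documentation IPs).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2019-02-01 10:00:01 GET /example/ManagedIT.asmx - 10.0.0.5 200
2019-02-01 10:02:13 POST /example/ManagedIT.asmx - 203.0.113.7 200
2019-02-01 10:02:14 POST /example/managedit.asmx - 203.0.113.7 200
2019-02-01 10:03:40 GET /example/ManagedIT.asmx - 198.51.100.9 404
2019-02-01 10:04:00 GET /example/login.aspx - 203.0.113.7 200
"""

def find_endpoint_hits(log_text, trusted_cidrs=("10.0.0.0/8",)):
    """Summarise requests for ManagedIT.asmx per client IP (trusted range is an assumption)."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    fields, report = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared in the log and can change
            continue
        parts = line.split()
        if line.startswith("#") or not fields or len(parts) != len(fields):
            continue  # other directives, blank lines, truncated rows
        row = dict(zip(fields, parts))
        if not row.get("cs-uri-stem", "").lower().endswith("/" + ENDPOINT):
            continue
        try:
            addr = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue  # no usable client address in this row
        entry = report.setdefault(str(addr), {
            "hits": 0, "served": 0, "methods": set(),
            "trusted": any(addr in net for net in trusted)})
        entry["hits"] += 1
        entry["methods"].add(row.get("cs-method", "?"))
        # A 2xx status means the server answered: the page is deployed and reachable.
        entry["served"] += row.get("sc-status", "").startswith("2")
    return report

def exposed_to(report):
    """Untrusted client IPs that received a 2xx response from the endpoint."""
    return sorted(ip for ip, e in report.items() if e["served"] and not e["trusted"])

if __name__ == "__main__":
    for ip in exposed_to(find_endpoint_hits(SAMPLE_LOG)):
        print("review requests from", ip)
```

Any address returned by `exposed_to` reached a live ManagedIT.asmx page from outside the trusted range, so both the requests and the page's presence on the server warrant review.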

When exploited by malicious actors, this vulnerability can have dire consequences for any organization using Kaseya VSA. Possible effects include unauthorized access to the database with capabilities to read, alter, or delete data. This could lead to significant data breaches, data loss, and corruption of organizational data, undermining business operations and data integrity. Additionally, in practice, it was noted that attackers could use this vulnerability as an entry point for deploying ransomware payloads, causing significant operational and reputational damage, and potential financial loss through ransom payments.
