
CVE-2021-30118 Scanner
CVE-2021-30118 Scanner - Remote Code Execution (RCE) vulnerability in Kaseya VSA
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 19 days 16 hours
Scan only one: Domain, Subdomain, IPv4
Kaseya VSA is an IT management platform used by managed service providers (MSPs) and enterprise IT departments. It monitors, manages, and automates IT environments from a single console and is mainly used for remote management of workstations, servers, and network devices: patch management, software deployment, and remote support. Because it is integrated into the day-to-day operations of businesses worldwide, it is often a central component of complex IT infrastructures, and its agent is present on many endpoints across the industries that rely on it.
The Remote Code Execution (RCE) vulnerability in Kaseya VSA allows an attacker to run arbitrary code on the vulnerable server. The root cause is an unauthenticated arbitrary file upload: the endpoint '/SystemTab/uploader.aspx' does not correctly restrict who may upload or what is uploaded, so an attacker can place a malicious script on the server, after which it is executed in the context of the web server. Successful exploitation compromises the confidentiality, integrity, and availability of the host and leads to unauthorized data access and full control over the system.
Technically, the '/SystemTab/uploader.aspx' endpoint accepts file uploads with arbitrary content from unauthenticated users. The 'qqfile' parameter dictates the filename and 'PathData' the directory in which the file is saved. A sessionId cookie is required, but the server never validates that it is genuine, so the authentication check is bypassed and files can be written to any directory the server process can write to. A script written in this way can then be executed, giving the attacker unauthorized access and control. Exploitation consists of a POST request to this endpoint that uses these parameters.
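For defenders, the endpoint and parameter names above are enough to build a log-based detection. The following is an added example, not part of this scanner page or of Kaseya's software: it parses a handful of constructed IIS W3C log lines and grades requests to '/SystemTab/uploader.aspx' by how closely they match the upload pattern described here. The field layout, the sample addresses and paths, and the severity labels are all assumptions.

```python
"""Detection helper for CVE-2021-30118-style requests in IIS W3C logs.

All log lines, IP addresses and paths below are constructed samples; the
endpoint and parameter names (uploader.aspx, qqfile, PathData) are the ones
named in the vulnerability description.
"""
import re
from urllib.parse import parse_qs

VULN_PATH = "/systemtab/uploader.aspx"          # compared case-insensitively
UPLOAD_PARAMS = {"qqfile", "pathdata"}          # parameters the upload handler uses
# Filenames with these extensions would be executed by IIS if written under the web root.
EXECUTABLE_EXT = re.compile(r"\.(aspx?|ashx|asmx|cshtml)$", re.IGNORECASE)

# Constructed sample log. Assumed field subset:
# date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-07-02 10:00:01 GET /vsapres/web20/core/login.aspx - 203.0.113.5 200
2021-07-02 10:00:07 POST /SystemTab/uploader.aspx qqfile=shell.aspx&PathData=C%3A%5Cvsa%5Cwebroot%5C 203.0.113.5 200
2021-07-02 10:00:09 POST /SystemTab/uploader.aspx qqfile=report.pdf&PathData=C%3A%5Cvsa%5Cuploads%5C 198.51.100.9 200
2021-07-02 10:00:15 GET /SystemTab/uploader.aspx - 198.51.100.9 302
"""


def parse_line(line):
    """Split one W3C log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, method, stem, query, ip, status = parts
    return {"date": date, "time": time, "method": method.upper(),
            "stem": stem, "query": query, "ip": ip, "status": status}


def classify(entry):
    """Return a severity label for one parsed entry, or None if not relevant.

    low    - any non-POST access to the upload endpoint (probing / enumeration)
    medium - POST to the endpoint, or POST with a non-executable filename
    high   - POST carrying qqfile with a server-executable extension
    """
    if entry["stem"].lower() != VULN_PATH:
        return None
    if entry["method"] != "POST":
        return "low"
    params = {}
    if entry["query"] != "-":
        params = {k.lower(): v for k, v in parse_qs(entry["query"]).items()}
    if not (set(params) & UPLOAD_PARAMS):
        return "medium"
    filename = params.get("qqfile", [""])[0]
    if EXECUTABLE_EXT.search(filename):
        return "high"
    return "medium"


def scan_log(text):
    """Return (severity, client_ip, query) for every relevant line in the log."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue                      # skip directives and blank lines
        entry = parse_line(line)
        if entry is None:
            continue                      # skip lines not in the assumed layout
        severity = classify(entry)
        if severity is not None:
            findings.append((severity, entry["ip"], entry["query"]))
    return findings


if __name__ == "__main__":
    for severity, ip, query in scan_log(SAMPLE_LOG):
        print(f"{severity:6} {ip:15} {query}")
```

Two caveats when applying this to real logs: the default IIS field set does not include the request cookie, so the unvalidated sessionId cookie is invisible unless cs(Cookie) logging is enabled; and because the filename and directory travel in the request, a POST body logged elsewhere (for example by a reverse proxy) should be checked with the same parameter names.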
Exploitation of this vulnerability can have catastrophic effects on the targeted host. An attacker gains complete control of the server and can alter, delete, or steal sensitive information, exposing the organization to data breaches, operational disruption, and possible compliance violations. The impact extends beyond the single host: a compromised VSA server is a natural foothold for lateral movement across the IT infrastructure it manages, so one compromise can lead to further breaches within the network. The resulting unauthorized access and data exfiltration can cause severe financial and reputational damage.
REFERENCES