Report DIVD-2021-00002 - KASEYA VSA

Report DIVD-2021-00002 - KASEYA VSA

Written on 02 Dec 2021 by Gerard Janssen

Case lead: Frank Breedijk
Researchers: Wietse Boonstra , Victor Gevers , Joost Hendricksen , and Lennaert Oudshoorn
Case file: DIVD-2021-00002

On March 23, DIVD researcher Wietse Boonstra found six zero-day vulnerabilities in IT management software from Kaseya, a Miami-based company. Kaseya VSA (Virtual Systems Administrator) is a remote software management tool that can be used to perform just about any system administration task like installing software, applying patches, adding users, or creating backups. It is a tool – mostly – Managed Service Providers (MSP’s) use to control the systems of their customers. By outsourcing the system administration, smaller organizations can save costs and focus on growing their business. In theory, MSPs also reduce security risk. But if this kind of software is compromised, many clients are at risk.

After realizing the possible impact of the vulnerabilities, DIVD-CSIRT manager Frank Breedijk wrote a detailed writeup, including the Proof of Concept codes of Wietse Boonstra and a Nmap script. DIVD chairman Victor Gevers used his contacts to initiate a Coordinated Vulnerability Disclosure process with Kaseya. After the first scan of Kaseya VSA-portals on the internet, DIVD found a total of 2,000+ MSPs, each with many customers under their management. In total, we were dealing with potentially millions of victims.

Kaseya responded promptly and cooperatively. After DIVD contacted Kaseya, CTO Dan Timpson worked with his team to fix the issues. Most of the vulnerabilities were fixed, and patches were sent to the MSPs. The last one, {CVE-2021-30116}, a vulnerability consisting of the leaking of credentials, took more time to fix.

July 2 – at the start of the 4th of July weekend – ransomware gang Revil attacked many Kaseya VSA instances. That attack also exploited this same vulnerability, leaking of credentials, gaining authenticated access to a part of the Kaseya customer portal. Kaseya immediately contacted Wietse Boonstra and Victor Gevers to help out and scan and warn all potential victims. Lennaert Oudshoorn, Joost Hendrickx, and Frank Breedijk soon joined in scanning all IP addresses for the presence of KaseyaVSA repeatedly and to send messages to the MSPs to turn off Kaseya VSA immediately. We also shared this list with Kaseya, who did their share in notifying their customers. Because our fingerprint contained a customer ID, Kaseya was able to link the instances to the customer and provided them with concrete information: turn off Kaseya VSA instance on this IP address. In the first 48 hours, the instances that were reachable from the internet dropped from 2.000+ to 140. By working closely with trusted partners and national CERTs, the number of servers in The Netherlands dropped to zero that Sunday afternoon.

Timeline

Date Description
02-04-2021 The CVE IDs of the vulnerabilities Wietse Boonstra found were requested, without publication of any details.
{CVE-2021-30116}: unauthenticated credentials leak via client download page, CVSS score 10.
{CVE-2021-30117}: Semi authenticated SQL Injection, CVSS score 9.9.
{CVE-2021-30118}: Unauthenticated Arbitrary File upload with web server rights, leading to arbitrary code execution, CVSS score 9.8.
{CVE-2021-30119}: Authenticated Reflective XSS possibilities, CVSS score 5.4.
{CVE-2021-30120}: Two-factor Authentication bypass, CVSS score 9.9.
{CVE-2021-30121}: Local file inclusion, CVSS score 6.5
02-04-2021 April 2. Wietse Boonstra found another vulnerability.
{CVE-2021-30201}: An XML-External Entity Vulnerability, CVSS score 5.4.
02-04-2021 DIVD scanned the internet to find vulnerable Kaseya systems open to the internet.
04-04-2021 DIVD started identifying possible victims with internet-facing systems.
06-04-2021 First contact was made with Kaseya. The same day DIVD sent an email to its trusted informant sharing partners.
07-04-2021 First joined Kaseya/DIVD video conference.
08-04-2021 A new scan was performed. 1.799 vulnerable systems were found.
12-04-2021 Kaseya CTO Dan Timpson sent an email reporting that technicians are working on a patch.
14-04-2021 CVE’s approved by MITRE.
15-04-2021 Kaseya sent a notification that the programmers patched its cloud service for the first set of vulnerabilities.
08-05-2021 {CVE-2021-30117}, {CVE-2021-30121}, and {CVE-2021-30201} were patched by Kaseya.
18-05-2021 Kaseya released version VSA 9.5.5, resolving {CVE-2021-30118}.
19-05-2021 A combination of Zmap and Shodan scans showed 2.333 Kaseya instances are connected to the internet.
20-05-2021 Kaseya released version 9.5.6, in which CVE 117, 118, 121, and 201 were patched, 116, 119, and 120 were still ‘open’.
04-06-2021 DIVD handed over a list of KaseyaVSA hosts to Kaseya.
23-06-2021 The latest patch was tested.
26-06-2021 Kaseya released version ‘9.5.7 on Saas’, resolving {CVE-2021-30116} and {CVE-2021-30119}.
02-07-2021 Wietse Boonstra was contacted to help Kaseya deal with the ransomware attack. DIVD cooperated with Kaseya in notifying people to shut down Kaseya. After July 2, the DIVD performed a daily scan to detect vulnerable Kaseya VSA servers and sends notifications to network owners, directly or via the known abuse channels, Gov-CERTs, and other trusted channels. This list is also shared with Kaseya.
04-07-2021 The DIVD celebrates that the number of instances in the Netherlands is reduced to zero.
08-12-2021 Dutch list received by DIVD CSIRT