CVE-2021-30118:Kaseya VSA RMM 9.5.4.2149 contains an unauthenticated arbitrary file upload vulnerability in the /SystemTab/uploader.aspx API that allows attackers to execute arbitrary code with web server privileges.

splash
Back

Description Preview

CVE-2021-30118 affects Kaseya VSA Unified Remote Monitoring & Management (RMM) version 9.5.4.2149 and earlier. The vulnerability exists in the /SystemTab/uploader.aspx API endpoint which fails to properly validate authentication and file uploads. An unauthenticated attacker can exploit this vulnerability to upload arbitrary files to any location where the web server has write access, including the web root directory. By uploading malicious ASP/ASPX files to the web root, attackers can execute arbitrary code with the privileges of the web server process. This vulnerability was part of the attack chain used in the widespread Kaseya ransomware incident of July 2021.

Overview

This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability stems from two critical security flaws in the Kaseya VSA system:

  1. The /SystemTab/uploader.aspx API endpoint requires a sessionId cookie, but does not properly validate it. Any numeric value is accepted as valid, allowing authentication bypass.

  2. Once authentication is bypassed, an attacker can control both the filename (via the qqfile parameter) and the destination path (via the PathData parameter) when uploading files.

These issues combined allow attackers to upload malicious files (such as web shells) to the server's web root directory, which can then be executed by accessing the corresponding URL. The vulnerability gives attackers the ability to execute code with the privileges of the web server process, potentially leading to complete system compromise.

Remediation

To remediate this vulnerability, organizations should:

  1. Update Kaseya VSA to version 9.5.5 or later, which contains fixes for this vulnerability. The patch was released on April 10, 2021.

  2. If immediate patching is not possible:

    • Implement network segmentation to restrict access to the Kaseya VSA server
    • Monitor for suspicious file uploads and execution attempts
    • Consider temporarily disabling external access to the VSA server until patching is complete

  3. After patching, conduct a thorough security review to identify any potential compromise that may have occurred before the vulnerability was addressed.

  4. Review and strengthen authentication mechanisms for all web applications, ensuring proper session validation.

  5. Apply the principle of least privilege to web server processes, limiting what directories they can write to.

References

  1. DIVD CSIRT Limited Disclosure: https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/
  2. DIVD CVE-2021-30118 Details: https://csirt.divd.nl/CVE-2021-30118
  3. DIVD Case DIVD-2021-00011: https://csirt.divd.nl/DIVD-2021-00011
  4. Kaseya VSA 9.5.5 Release Notes (containing the fix): https://helpdesk.kaseya.com/hc/en-gb/articles/360019054377-9-5-5-Feature-Release-10-April-2021

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Accommodation & Food Services
    Accommodation & Food Services
  2. Administrative, Support, Waste Management & Remediation Services
    Administrative, Support, Waste Management & Remediation Services
  3. Agriculture, Forestry Fishing & Hunting
    Agriculture, Forestry Fishing & Hunting
  4. Arts, Entertainment & Recreation
    Arts, Entertainment & Recreation
  5. Construction
    Construction
  6. Educational Services
    Educational Services
  7. Finance and Insurance
    Finance and Insurance
  8. Health Care & Social Assistance
    Health Care & Social Assistance
  9. Information
    Information
  10. Management of Companies & Enterprises
    Management of Companies & Enterprises
  11. Manufacturing
    Manufacturing
  12. Mining
    Mining
  13. Other Services (except Public Administration)
    Other Services (except Public Administration)
  14. Professional, Scientific, & Technical Services
    Professional, Scientific, & Technical Services
  15. Public Administration
    Public Administration
  16. Real Estate Rental & Leasing
    Real Estate Rental & Leasing
  17. Retail Trade
    Retail Trade
  18. Transportation & Warehousing
    Transportation & Warehousing
  19. Utilities
    Utilities
  20. Wholesale Trade
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background