CVE-2021-30116
Vulnerability from cvelistv5
Published
2021-07-09 00:00
Modified
2024-08-03 22:24
Summary
Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default, Kaseya VSA on premise offers a download page from which the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp. When an attacker downloads a client for Windows and installs it, the file KaseyaD.ini is generated (C:\Program Files (x86)\Kaseya\XXXXXXXXXX\KaseyaD.ini); it contains an Agent_Guid and an AgentPassword. This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9). This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication.

Security issues discovered
- Unauthenticated download page leaks credentials
- Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents
- dl.asp accepts credentials via a GET request
- Access to KaseyaD.ini gives an attacker sufficient information to penetrate the Kaseya installation and its clients

Impact
Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.
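Because dl.asp accepts the agent credentials as GET query parameters, a successful login of this kind leaves the Agent_Guid and AgentPassword in the web server's request log. The following added example (written for this page; it is not code from DIVD, Kaseya or the CVE record) shows a defender-side check over such logs: it parses IIS W3C extended log lines, flags GET requests to /dl.asp that carry both the `un` and `pw` parameters, and reports the client IP and a hash prefix of the password rather than the password itself, so the alert does not re-leak the credential. The log lines are constructed samples; the field layout (`#Fields:` header with `cs-uri-query` logged) and the assumption that the VSA front end is served by IIS are assumptions, not facts stated on the page.

```python
import hashlib
from urllib.parse import parse_qs

# Constructed sample IIS W3C extended log excerpt (not real traffic).
# The second and fourth requests reuse the query shape shown in the CVE text.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-07-02 14:03:11 10.0.0.5 GET /dl.asp - 203.0.113.7 Mozilla/5.0 200
2021-07-02 14:03:40 10.0.0.5 GET /dl.asp un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9 203.0.113.7 curl/7.68.0 200
2021-07-02 14:04:02 10.0.0.5 GET /vsapres/web20/core/login.aspx - 198.51.100.9 Mozilla/5.0 200
2021-07-02 14:05:15 10.0.0.5 GET /dl.asp un=111111111111111&pw=deadbeef 198.51.100.9 python-requests/2.25 200
"""

SUSPECT_PATH = "/dl.asp"           # download page named in the advisory
CREDENTIAL_PARAMS = {"un", "pw"}   # Agent_Guid and AgentPassword query keys


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                       # other directives / blank lines
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                       # skip lines we cannot map safely
        yield dict(zip(fields, values))


def find_dl_asp_credential_logins(text):
    """Return records for GET /dl.asp requests that carry un= and pw= in the query."""
    hits = []
    for rec in parse_iis_w3c(text):
        if rec.get("cs-method") != "GET":
            continue
        if rec.get("cs-uri-stem", "").lower() != SUSPECT_PATH:
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue                       # plain page load, no credentials
        params = parse_qs(query)
        if not CREDENTIAL_PARAMS.issubset(params):
            continue
        pw = params["pw"][0]
        hits.append({
            "time": f"{rec['date']} {rec['time']}",
            "client_ip": rec["c-ip"],
            "agent_guid": params["un"][0],
            # never copy the secret into an alert; a hash prefix is enough to correlate
            "pw_sha256_prefix": hashlib.sha256(pw.encode()).hexdigest()[:12],
            "user_agent": rec.get("cs(User-Agent)", "-"),
            "status": rec.get("sc-status"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_dl_asp_credential_logins(SAMPLE_LOG):
        print(hit)
```

Two of the four sample lines match. Whether a match is benign depends on the deployment, so the client IP and user agent are kept for correlation; the stored `pw_sha256_prefix` lets an analyst tell repeated use of the same AgentPassword apart from distinct ones without retaining the secret. The check only works where the web server logs the query string, and, since the vendor fix is the real mitigation, it is a retrospective and monitoring aid, not a substitute for upgrading.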
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/ | Third Party Advisory
cve@mitre.org | https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/ | Third Party Advisory
cve@mitre.org | https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021 | Vendor Advisory
cve@mitre.org | https://www.secpod.com/blog/kaseya-vsa-zero-day-by-revil/ | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021 | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.secpod.com/blog/kaseya-vsa-zero-day-by-revil/ | Exploit, Third Party Advisory
CISA Known exploited vulnerability
Data from the Known Exploited Vulnerabilities Catalog
Date added: 2021-11-03
Due date: 2021-11-17
Required action: Apply updates per vendor instructions.
Used in ransomware: Known
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-30116
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:24:59.326Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/" }, { "tags": [ "x_transferred" ], "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021" }, { "tags": [ "x_transferred" ], "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/" }, { "tags": [ "x_transferred" ], "url": "https://www.secpod.com/blog/kaseya-vsa-zero-day-by-revil/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "credits": [ { "lang": "en", "value": "Discovered by Wietse Boonstra of DIVD" }, { "lang": "en", "value": "Additional research by Frank Breedijk of DIVD" } ], "descriptions": [ { "lang": "en", "value": "Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\\Program Files (x86)\\Kaseya\\XXXXXXXXXX\\KaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813\u0026pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. 
Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-23T13:12:39.540601", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/" }, { "url": "https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021" }, { "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/" }, { "url": "https://www.secpod.com/blog/kaseya-vsa-zero-day-by-revil/" } ], "solutions": [ { "lang": "en", "value": "Upgrade to a version after 9.5.6" } ], "source": { "advisory": "DIVD-2021-00011", "discovery": "INTERNAL" }, "title": "Unauthenticated credential leak and business logic flaw in Kaseya VSA \u003c= v9.5.6", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-30116", "datePublished": 
"2021-07-09T00:00:00", "dateReserved": "2021-04-02T00:00:00", "dateUpdated": "2024-08-03T22:24:59.326Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "cisa_known_exploited": { "cveID": "CVE-2021-30116", "cwes": "[\"CWE-522\"]", "dateAdded": "2021-11-03", "dueDate": "2021-11-17", "knownRansomwareCampaignUse": "Known", "notes": "https://nvd.nist.gov/vuln/detail/CVE-2021-30116", "product": "Virtual System/Server Administrator (VSA)", "requiredAction": "Apply updates per vendor instructions.", "shortDescription": "Kaseya Virtual System/Server Administrator (VSA) contains an information disclosure vulnerability allowing an attacker to obtain the sessionId that can be used to execute further attacks against the system.", "vendorProject": "Kaseya", "vulnerabilityName": "Kaseya Virtual System/Server Administrator (VSA) Information Disclosure Vulnerability" }, "nvd": "{\"cve\":{\"id\":\"CVE-2021-30116\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2021-07-09T14:15:07.770\",\"lastModified\":\"2024-11-21T06:03:20.090\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\\\\Program Files (x86)\\\\Kaseya\\\\XXXXXXXXXX\\\\KaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813\u0026pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. 
Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.\"},{\"lang\":\"es\",\"value\":\"Kaseya VSA antes de la versi\u00f3n 9.5.7 permite la divulgaci\u00f3n de credenciales, como se explot\u00f3 en la naturaleza en julio de 2021. Por defecto, Kaseya VSA on premise ofrece una p\u00e1gina de descarga donde se pueden descargar los clientes para la instalaci\u00f3n. La URL por defecto para esta p\u00e1gina es https://x.x.x.x/dl.asp. Cuando un atacante descarga un cliente para Windows y lo instala, se genera el archivo KaseyaD.ini (C:\\\\aArchivos de Programa (x86)\\\\aKaseyaXXXXXX\\\\aKaseyaD.ini) que contiene un Agent_Guid y AgentPassword. Este Agent_Guid y AgentPassword pueden ser utilizados para iniciar sesi\u00f3n en dl.asp (https://x.x.x.x/dl.asp?un=840997037507813\u0026amp;pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9). Esta solicitud autentifica al cliente y devuelve una cookie sessionId que puede ser utilizada en ataques posteriores para evadir la autenticaci\u00f3n. 
Problemas de seguridad descubiertos --- * La p\u00e1gina de descarga no autenticada filtra credenciales * Las credenciales del software del agente pueden ser usadas para obtener un sessionId (cookie) que puede ser usado para servicios no destinados a ser usados por los agentes * dl.asp acepta credenciales a trav\u00e9s de una solicitud GET * El acceso a KaseyaD.ini le da a un atacante acceso a suficiente informaci\u00f3n para penetrar la instalaci\u00f3n de Kaseya y sus clientes. Impacto --- A trav\u00e9s de la p\u00e1gina /dl.asp se puede obtener suficiente informaci\u00f3n para dar a un atacante un sessionId que puede ser usado para ejecutar m\u00e1s ataques (semiautenticados) contra el sistema\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\
"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"cisaExploitAdd\":\"2021-11-03\",\"cisaActionDue\":\"2021-11-17\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"Kaseya Virtual System/Server Administrator (VSA) Information Disclosure Vulnerability\",\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-522\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kaseya:vsa_agent:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"9.5.0.24\",\"matchCriteriaId\":\"A2019D8D-BA9B-4DE2-8628-F0776FACE360\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kaseya:vsa_server:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"9.5.7a\",\"matchCriteriaId\":\"9529A08E-3306-4D61-AD50-D66548E7427A\"}]}]}],\"references\":[{\"url\":\"https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.secpod.com/blog/kaseya-vsa-zero-day-by-revil/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.secpod.com/blog/kaseya-vsa-zero-day-by-revil/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}" } }
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.