- Kaseya warns its clients of three zero-days, two on the server and one on the client side.
- The latter requires mitigations through firewall rules, as there is no patch to address it out yet.
- The three flaws are generally more difficult to exploit than the ones that REvil used to compromise the VSA.
Kaseya has released a report to warn about the need to patch two zero-day vulnerabilities that have the potential to lead to authenticated remote code execution and a privilege escalation from read-only user to admin on the server. The flaws affect the ‘Unitrends’ product, which is Kaseya’s cloud-based enterprise backup and disaster recovery technology, also deployed as an add-on to the VSA, the remote management platform through which REvil launched a widespread ransomware attack in July 2021.
The details about the third flaw remain undisclosed for now, and there is no patch to address the problem. Since it's a client-side issue, users need to mitigate it themselves. Kaseya has posted a detailed article on how to set up your firewall securely and mitigate the risks, with the most underlined advice being never to expose the appliance Web UI or SSH connections to open external ports. For more details, check out this backup agent firewall rules guide which has been updated with info on how to address the unpatched problem.
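The firewall guidance above boils down to one check and one rule: find out whether the appliance's SSH or web UI listeners are bound to every interface, and restrict those ports to an internal management network. The POSIX shell script below is an added example, not Kaseya's own firewall guide or code. It assumes `ss -ltnH`-style listener lines as input, SSH on port 22 (standard), the web UI on port 443 and a management subnet of 10.0.50.0/24 (both assumptions; adjust to your environment).

```shell
#!/bin/sh
# Added example (not Kaseya's guide): audit wildcard-bound SSH/web UI listeners
# and emit an nftables ruleset that limits those ports to a management subnet.

MGMT_NET="${MGMT_NET:-10.0.50.0/24}"   # assumption: internal management subnet
SSH_PORT=22                             # standard SSH port
WEBUI_PORT=443                          # assumption: appliance web UI over HTTPS

# exposed_listeners: read `ss -ltnH` output on stdin (State Recv-Q Send-Q
# Local:Port Peer:Port) and print the local socket of any SSH/web UI listener
# bound to a wildcard address, i.e. reachable on whatever interface is exposed.
exposed_listeners() {
    awk -v ssh="$SSH_PORT" -v web="$WEBUI_PORT" '
    {
        la = $4
        n = split(la, p, ":")
        port = p[n]
        addr = substr(la, 1, length(la) - length(port) - 1)
        if ((port == ssh || port == web) &&
            (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::"))
            print la
    }'
}

# nft_ruleset: print an nftables ruleset that accepts SSH/web UI only from
# MGMT_NET and drops those ports from every other source. Other traffic is
# left alone (policy accept) so backup agent ports are not affected.
nft_ruleset() {
    cat <<EOF
table inet appliance_mgmt {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        iif lo accept
        ip saddr $MGMT_NET tcp dport { $SSH_PORT, $WEBUI_PORT } accept
        tcp dport { $SSH_PORT, $WEBUI_PORT } drop
    }
}
EOF
}

# Usage on the appliance host: `sh script.sh --check` lists exposed listeners,
# `sh script.sh --rules | nft -f -` loads the restricting ruleset.
case "${1:-}" in
    --check) ss -ltnH | exposed_listeners ;;
    --rules) nft_ruleset ;;
esac
```

The ruleset is deliberately narrow: it only touches the two ports the advisory singles out, so it can be loaded on an appliance that still needs its backup traffic. Run the `--check` mode after loading it to confirm the listeners are still there (they will be; the rules block the traffic, not the socket), then test from outside the management subnet that the ports no longer answer.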
Apart from publishing the advisory, Kaseya has also reached out to Unitrends customers with detailed instructions on how to patch their servers and how to apply client-side mitigations, so if you’re running version 10.5.5 or earlier, pay attention to the advisory and take the proper securing action. For the client, all versions are vulnerable, but it is believed that the number of vulnerable instances is small.
The Dutch Institute for Vulnerability Disclosure (DIVD) discovered the two fixed flaws back in July, and Kaseya released the fix on August 12, 2021. All in all, this disclosure comes almost two months after Kaseya suffered the attack and one month after they got a master decryption key from Sodinokibi. It is important to clarify that these flaws are unrelated to that incident, as the ransomware gang used a different set of flaws to compromise the VSA. Finally, these three flaws are not as trivial to exploit as the VSA zero-days were.