In July, Kaseya announced three new zero-day vulnerabilities impacting its Kaseya Unitrends service. The three were an authenticated RCE flaw on the server, a privilege escalation flaw from read-only user to admin on the server, and an undisclosed issue on the client side.
According to the public advisory published at the time, the Kaseya service should have been kept off the internet until a patch was made available. “Do not expose this service or the clients directly to the internet until Kaseya has patched these vulnerabilities,” DIVD CSIRT’s recommendation said.
How were the three Kaseya Unitrends vulnerabilities discovered?
“The Dutch Institute for Vulnerability Disclosure (DIVD) performs a daily scan to detect vulnerable Kaseya Unitrends servers and notify the owners directly or via the known abuse channels, Gov-CERTs and CSIRTs, and other trusted channels,” according to the original advisory.
Following these events, on August 12, the company released version 10.5.5-2 of Unitrends, which patched the server-side flaws. However, the client-side vulnerability remains unpatched. Thus,
Patch and Mitigate, Says Kaseya
Kaseya is now urging users to mitigate the issue via firewall rules according to their best practices and requirements. The company has also provided a knowledge base article about “whitelisting of appliances connecting to assets while restricting all other IPs from connecting to ports where Unitrends agent services are running.”
Unitrends customers are advised to patch the vulnerable servers and apply the mitigations for the client-side issue.