Authenticated reflective XSS in HelpDeskTab/rcResults.asp. The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross Site Scripting attack. Example request: `https://x.x.x.x/HelpDeskTab/rcResults.asp?result=<script>alert(document.cookie)</script>` The same is true for the parameter FileName of /done.asp. Example request: `https://x.x.x.x/done.asp?FileName=";</script><script>alert(1);a="&PathData=&originalName=shell.aspx&FileSize=4388&TimeElapsed=00:00:00.078`
{"id": "CVE-2021-30119", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-30119", "description": "Authenticated reflective XSS in HelpDeskTab/rcResults.asp The parameter result of /HelpDeskTab/rcResults.asp is insecurely returned in the requested web page and can be used to perform a Cross Site Scripting attack Example request: `https://x.x.x.x/HelpDeskTab/rcResults.asp?result=<script>alert(document.cookie)</script>` The same is true for the parameter FileName of /done.asp Eaxmple request: `https://x.x.x.x/done.asp?FileName=\";</script><script>alert(1);a=\"&PathData=&originalName=shell.aspx&FileSize=4388&TimeElapsed=00:00:00.078`", "published": "2021-07-09T14:15:00", "modified": "2022-04-29T18:15:00", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 3.5}, "severity": "LOW", "exploitabilityScore": 6.8, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30119", "reporter": "cve@mitre.org", "references": ["https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/", "https://csirt.divd.nl/CVE-2021-30119", "https://csirt.divd.nl/DIVD-2021-00011"], "cvelist": 
["CVE-2021-30119"], "immutableFields": [], "lastseen": "2022-04-29T21:14:51", "viewCount": 89, "enchantments": {"dependencies": {"references": [{"type": "avleonov", "idList": ["AVLEONOV:36BA0DE03DB6F8D0C96B6861C9A07473", "AVLEONOV:C33EB29E3A78720B630607BECBB3CEF5"]}, {"type": "nessus", "idList": ["KASEYA_9_5_7_2994.NASL"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:2CAE6785586002C85C620CF61D6C68C2"]}, {"type": "thn", "idList": ["THN:1812C7168898D0993D0783FDC775739F"]}, {"type": "threatpost", "idList": ["THREATPOST:E35CE2557CF4CF511B2359A81096AE4F"]}], "rev": 4}, "score": {"value": 0.0, "vector": "NONE"}, "twitter": {"counter": 12, "tweets": [{"link": "https://twitter.com/AusRealNews/status/1414485568013193218", "text": "RT TheHackersNews \"VSA version 9.5.7a (9.5.7.2994) ships with:\n\nCVE-2021-30116 : Credentials leak & business logic flaw\nCVE-2021-30119 : XSS vulnerability\nCVE-2021-30120 : 2-factor authentication bypass\" Stay up-to-date: https://t.co/m6tBp3UgeL?amp=1"}, {"link": "https://twitter.com/satnam/status/1414367043227242496", "text": "Patch for /hashtag/Kaseya?src=hashtag_click VSA on-premises is now available: https://t.co/VQLefy0FWI?amp=1 CVE-2021-30116, CVE-2021-30119 and CVE-2021-30120 are now patched in version 9.5.7a."}, {"link": "https://twitter.com/threatintelctr/status/1414630833055571971", "text": " NEW: CVE-2021-30119 Cross Site Scripting (XSS) exists in Kaseya VSA before 9.5.7. Severity: MEDIUM https://t.co/eu3pXQqgCa?amp=1"}, {"link": "https://twitter.com/trip_elix/status/1414473913539694596", "text": "\"VSA version 9.5.7a (9.5.7.2994) ships with:\n\nCVE-2021-30116 : Credentials leak & business logic flaw\nCVE-2021-30119 : XSS vulnerability\nCVE-2021-30120 : 2-factor authentication bypass\""}, {"link": "https://twitter.com/uuallan/status/1414430903309320194", "text": "As promised, \u2066/KaseyaCorp\u2069 released their patch tonight. 
The vulnerabilities impacted both the SaaS and on-prem installs and there are 3 of them:\nCVE-2021-30116 - Credential Leak\nCVE-2021-30119 - XSS vuln\nCVE-2021-30120 - 2FA Bypass"}, {"link": "https://twitter.com/WolfgangSesin/status/1414868475261169666", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2021-30119 (vsa)) has been published on https://t.co/z9FV6a2HQt?amp=1"}, {"link": "https://twitter.com/TrendMicroALPS/status/1414932490419064852", "text": "Alert! /hashtag/Kaseya?src=hashtag_click hat nur die REvil-Sicherheitsl\u00fccke geschlossen. Admins sollten sofort die abgesicherte Version installieren, denn derzeit nutzen Angreifer 3 Schwachstellen (CVE-2021-30116, CVE-2021-30119, CVE-2021-30120) f\u00fcr den Erpressungstrojaner aus"}, {"link": "https://twitter.com/FBussoletti/status/1414929661579218945", "text": "/hashtag/cybersecurity?src=hashtag_click, /KaseyaCorp patches the /hashtag/VSA?src=hashtag_click /hashtag/zeroday?src=hashtag_click vulnerabilities used by /hashtag/REvil?src=hashtag_click. /BleepinComputer: The /hashtag/cybercrime?src=hashtag_click /hashtag/Ransomware?src=hashtag_click gang probably exploited one or a combination of CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120. 
/hashtag/infosec?src=hashtag_click"}, {"link": "https://twitter.com/ipssignatures/status/1544471698753425413", "text": "It is the first time for me to know a protection/signature/rule for the vulnerability CVE-2021-30119.\n/hashtag/Sovv23rmep3rss?src=hashtag_click", "author": "ipssignatures", "author_photo": "https://abs.twimg.com/sticky/default_profile_images/default_profile_400x400.png"}, {"link": "https://twitter.com/ipssignatures/status/1544471698082340875", "text": "It's new to me that Astaro has a protection/signature/rule for the vulnerability CVE-2021-30119.\nhttps://t.co/slcxHp4lZU\n/search?src=sprv&q=CVE-2021-30119\nThe vuln was published 361 days ago by NIST.\n/hashtag/Sovv23rmep3rss?src=hashtag_click", "author": "ipssignatures", "author_photo": "https://abs.twimg.com/sticky/default_profile_images/default_profile_400x400.png"}]}, "backreferences": {"references": [{"type": "avleonov", "idList": ["AVLEONOV:C33EB29E3A78720B630607BECBB3CEF5"]}, {"type": "nessus", "idList": ["KASEYA_9_5_7_2994.NASL"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:2CAE6785586002C85C620CF61D6C68C2"]}, {"type": "thn", "idList": ["THN:1812C7168898D0993D0783FDC775739F"]}, {"type": "threatpost", "idList": ["THREATPOST:E35CE2557CF4CF511B2359A81096AE4F"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "kaseya vsa", "version": 9}]}, "vulnersScore": 0.0}, "_state": {"dependencies": 1659909890, "score": 1659753002, "twitter": 1657074355, "affected_software_major_version": 1671597168}, "_internal": {}, "cna_cvss": {"cna": "MITRE", "cvss": {"3": {"vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "score": 5.4}}}, "cpe": [], "cpe23": [], "cwe": ["CWE-79"], "affectedSoftware": [{"cpeName": "kaseya:vsa", "version": "9.5.7", "operator": "lt", "name": "kaseya vsa"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": 
"cpe:2.3:a:kaseya:vsa:9.5.7:*:*:*:-:*:*:*", "versionEndExcluding": "9.5.7", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/", "name": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://csirt.divd.nl/CVE-2021-30119", "name": "https://csirt.divd.nl/CVE-2021-30119", "refsource": "CONFIRM", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://csirt.divd.nl/DIVD-2021-00011", "name": "https://csirt.divd.nl/DIVD-2021-00011", "refsource": "CONFIRM", "tags": ["Patch", "Third Party Advisory"]}]}
{"nessus": [{"lastseen": "2023-01-11T14:51:44", "description": "The version of Kaseya VSA installed on the remote host is affected by multiple vulnerabilities as referenced in the vendor advisory:\n\n - Credentials leak and business logic flaw. (CVE-2021-30116)\n\n - Cross-Site Scripting vulnerability (XSS). (CVE-2021-30119)\n\n - 2FA Authentication bypass. (CVE-2021-30120)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-12T00:00:00", "type": "nessus", "title": "Kaseya VSA < 9.5.7a Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116", "CVE-2021-30119", "CVE-2021-30120"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:kaseya:virtual_system_administrator", "cpe:/a:kaseya:vsa"], "id": "KASEYA_9_5_7_2994.NASL", "href": "https://www.tenable.com/plugins/nessus/151494", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif 
(description)\n{\n script_id(151494);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2021-30116\", \"CVE-2021-30119\", \"CVE-2021-30120\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0033\");\n\n script_name(english:\"Kaseya VSA < 9.5.7a Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Kaseya VSA instance installed on the remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Kaseya VSA installed on the remote host is affected by multiple vulnerabilities as \nreferenced in the vendor advisory:\n\n - Credentials leak and business logic flaw. (CVE-2021-30116)\n\n - Cross-Site Scripting vulnerability (XSS). (CVE-2021-30119)\n\n - 2FA Authentication bypass. (CVE-2021-30120)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpdesk.kaseya.com/hc/en-gb/articles/4403785889041\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.kaseya.com/potential-attack-on-kaseya-vsa/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to Kaseya VSA version 9.5.7a or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-30116\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:kaseya:virtual_system_administrator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:kaseya:vsa\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"kaseya_vsa_detect.nbin\");\n script_require_keys(\"installed_sw/Kaseya Virtual System Administrator\");\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\n var port = get_http_port(default:443);\n var app_info = vcf::get_app_info(app:'Kaseya Virtual System Administrator', port:port, webapp:TRUE);\n\nvar constraints = [\n { 'min_version' : '0.0', 'fixed_version' : '9.5.7.2994'}\n];\n\nvcf::kaseya_vsa::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n flags:{'xss':TRUE}\n);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:39:21", "description": "[](<https://thehackernews.com/images/-BuDOZJHtpp4/YOvGtVhVe7I/AAAAAAAADJc/k-syNb5yylI7XPNIuSCJP6bhQaEkNelXgCLcBGAsYHQ/s0/software-update.jpg>)\n\nFlorida-based software vendor Kaseya on Sunday rolled out urgent updates to address critical security vulnerabilities in its Virtual System Administrator (VSA) solution that was used as a jumping off point to target as many as 1,500 businesses across the globe as part of a widespread [supply-chain ransomware 
attack](<https://thehackernews.com/2021/07/kaseya-rules-out-supply-chain-attack.html>).\n\nFollowing the incident, the company had urged on-premises VSA customers to shut down their servers until a patch was available. Now, almost 10 days later the firm has shipped [VSA version 9.5.7a (9.5.7.2994)](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403785889041>) with fixes for three new security flaws \u2014 \n\n * **CVE-2021-30116** \\- Credentials leak and business logic flaw\n * **CVE-2021-30119** \\- Cross-site scripting vulnerability\n * **CVE-2021-30120** \\- Two-factor authentication bypass\n\nThe security issues are part of a total of seven vulnerabilities that were discovered and reported to Kaseya by the Dutch Institute for Vulnerability Disclosure ([DIVD](<https://thehackernews.com/2021/07/revil-used-0-day-in-kaseya-ransomware.html>)) earlier in April, of which four other weaknesses were remediated in previous releases \u2014\n\n * **CVE-2021-30117** \\- SQL injection vulnerability (Fixed in VSA 9.5.6)\n * **CVE-2021-30118** \\- Remote code execution vulnerability (Fixed in VSA 9.5.5)\n * **CVE-2021-30121** \\- Local file inclusion vulnerability (Fixed in VSA 9.5.6)\n * **CVE-2021-30201** \\- XML external entity vulnerability (Fixed in VSA 9.5.6)\n\nBesides fixes for the aforementioned shortcomings, the latest version also resolves three other flaws, including a bug that exposed weak password hashes in certain API responses to brute-force attacks as well as a separate vulnerability that could allow the unauthorized upload of files to the VSA server.\n\nFor additional security, Kaseya is [recommending](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403869952657>) limiting access to the VSA Web GUI to local IP addresses by blocking port 443 inbound on the internet firewall for on-premises installations.\n\nKaseya is also warning its customers that installing the patch would force all users to mandatorily change their passwords post login to meet new 
password requirements, adding that select features have been replaced with improved alternatives and that the \"release introduces some functional defects that will be corrected in a future release.\"\n\nBesides the roll out of the patch for on-premises versions of its VSA remote monitoring and management software, the company has also instantiated the reinstatement of its VSA SaaS infrastructure. \"The restoration of services is progressing according to plan, with 60% of our SaaS customers live and servers coming online for the rest of our customers in the coming hours,\" Kaseya [said](<https://www.kaseya.com/potential-attack-on-kaseya-vsa/>) in a rolling advisory.\n\nThe latest development comes days after Kaseya cautioned that spammers are capitalizing on the ongoing ransomware crisis to send out fake email notifications that appear to be Kaseya updates, only to infect customers with Cobalt Strike payloads to gain backdoor access to the systems and deliver next-stage malware.\n\nKaseya has said multiple flaws were chained together in what it called a \"sophisticated cyberattack\", and while it isn't exactly clear how it was executed, it's believed that a combination of CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120 was used to carry out the intrusions. 
REvil, a prolific ransomware gang based in Russia, has claimed responsibility for the incident.\n\nThe use of trusted partners like software makers or service providers like Kaseya to identify and compromise new downstream victims, often called a supply-chain attack, and pair it with file-encrypting ransomware infections has also made it one of the largest and most significant such attacks to date.\n\nInterestingly, Bloomberg on Saturday reported that five former Kaseya employees had flagged the company about \"glaring\" security holes in its software between 2017 and 2020, but their concerns were brushed off.\n\n\"Among the most glaring problems was software underpinned by outdated code, the use of weak encryption and passwords in Kaseya's products and servers, a failure to adhere to basic cybersecurity practices such as regularly patching software and a focus on sales at the expense of other priorities,\" the report [said](<https://www.bloomberg.com/news/articles/2021-07-10/kaseya-failed-to-address-security-before-hack-ex-employees-say>).\n\nThe Kaseya attack marks the third time that ransomware affiliates have abused Kaseya products as a vector to deploy ransomware.\n\nIn [February 2019](<https://www.reddit.com/r/msp/comments/ani14t/local_msp_got_hacked_and_all_clients_cryptolocked/>), the Gandcrab ransomware cartel \u2014 which later [evolved into Sodinokibi and REvil](<https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/>) \u2014 leveraged a vulnerability in a Kaseya plugin for the ConnectWise Manage software to deploy ransomware on the networks of MSPs' customer networks. Then in [June 2019](<https://www.reddit.com/r/msp/comments/c2wls0/kaseya_weaponized_to_deliver_sodinokibi_ransomware/>), the same group went after Webroot SecureAnywhere and Kaseya VSA products to infect endpoints with Sodinokibi ransomware.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-12T04:36:00", "type": "thn", "title": "Kaseya Releases Patches for Flaws Exploited in Widespread Ransomware Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116", "CVE-2021-30117", "CVE-2021-30118", "CVE-2021-30119", "CVE-2021-30120", "CVE-2021-30121", "CVE-2021-30201"], "modified": "2021-07-12T10:46:11", "id": "THN:1812C7168898D0993D0783FDC775739F", "href": "https://thehackernews.com/2021/07/kaseya-releases-patches-for-flaws.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-07-13T12:49:34", "description": "Kaseya made good on its promise to issue patches by July 11.\n\nOn Saturday, the company behind the Virtual System/Server Administrator (VSA) platform that got walloped by the REvil ransomware-as-a-service (RaaS) gang in a massive 
supply-chain attack released urgent updates to address critical zero-day security vulnerabilities in VSA.\n\nKaseya [released the VSA 9.5.7a (9.5.7.2994) update](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403785889041>) to fix three zero-day vulnerabilities used in the ransomware attacks.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe company said on its [rolling advisory page](<https://www.kaseya.com/potential-attack-on-kaseya-vsa/>) that all of its software-as-a-service (SaaS) customers were back up as of this morning, while the company was still working to restore on-premises customers that needed help:\n\n> The restoration of services is now complete, with 100% of our SaaS customers live as of 3:30 AM US EDT. Our support teams continue to work with VSA On-Premises customers who have requested assistance with the patch. \u2014Kaseya\n\n## A Brazen Ransomware Blitz\n\nOn July 2, the [REvil gang wrenched open](<https://threatpost.com/kaseya-patches-zero-day-exploits/167548/>) those three VSA zero-days in [more than 5,000 attacks](<https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/>). As of July 5, the worldwide assault had been unleashed in 22 countries, reaching not only Kaseya\u2019s managed service provider (MSP) customer base but also, given that many of them use VSA to manage the networks of other businesses, clawing at those MSP\u2019s customers.\n\nKaseya customers use VSA to remotely monitor and manage software and network infrastructure. It\u2019s supplied either as a hosted cloud service by Kaseya, or via on-premises VSA servers.\n\nFollowing the brazen ransomware attacks, CISA and FBI last week [offered guidance](<https://threatpost.com/kaseya-attack-fallout/167541/>) to victims. 
Threat actors were quick to exploit the situation, having planted Cobalt Strike backdoors by malspamming a [bogus Microsoft update](<https://threatpost.com/fake-kaseya-vsa-update-cobalt-strike/167587/>) along with a malicious \u201cSecurityUpdates\u201d executable.\n\nAs of July 6, Kaseya said in its [updated rolling advisory](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021>) that there were fewer than 60 customers affected but far more \u2013 \u201cfewer than 1,500,\u201d it said \u2013 downstream businesses that got hit.\n\n## Kaseya Dismissed Workers\u2019 Cybersec Warnings\n\nKaseya already knew about these bugs when the attacks were launched. In April, the Dutch Institute for Vulnerability Disclosure (DIVD) had disclosed seven vulnerabilities to Kaseya.\n\nOn Saturday, [Bloomberg](<https://www.bloomberg.com/news/articles/2021-07-10/kaseya-failed-to-address-security-before-hack-ex-employees-say>) reported that software engineering and development employees at Kaseya\u2019s U.S. offices had brought up a laundry list of \u201cwide-ranging cybersecurity concerns\u201d to company leaders multiple times over the course of three years, from 2017 to 2020. 
When the outlet asked Kaseya to address the anonymous workers\u2019 accusations, a Kaseya spokesperson declined, citing a policy of not commenting on matters involving personnel or the ongoing criminal investigation into the hack.\n\nUPDATE 1: Dana Liedholm, senior vice president of corporate marketing for Kaseya, told Threatpost on Monday that the company has bigger fish to fry than responding to \u201crandom speculation\u201d: \u201cKaseya\u2019s focus is on the customers who have been affected and the people who have actual data and are trying to get to the bottom of it, not on random speculation by former employees or the wider world,\u201d Liedholm said via email.\n\nUPDATE 2: Jake Williams, co-founder and CTO at incident response firm BreachQuest, told Threatpost that dismissing workers\u2019 input as being \u201cspeculation\u201d doesn\u2019t make the accusations less credible. \u201cAfter a quick analysis of the VSA server product, it\u2019s pretty easy to believe these claims,\u201d he said via email. \u201cUntil management at software development firms begin prioritizing security fixes over feature updates, we can expect incidents like this to continue. The fact that Kaseya downplayed the reported 40-page security memo as \u2018speculation\u2019, without denying its existence, is a huge red flag and lends a lot of credence to the claims.\u201d\n\nUPDATE 3: Granted, managing security is tough for any company, including software vendors, noted Dirk Schrader, global vice president of security research at New Net Technologies (NNT). That doesn\u2019t let them off the hook, though, he told Threatpost on Monday. 
\u201cA company can\u2019t decline doing the essentials, because that is equivalent to being negligent on the risks related to cybersecurity, and there is plenty of material about what is essential.\u201d\n\nQuick searches point to areas in Kaseya\u2019s security that could be improved, Schrader added, such as outdated certificates on networking devices and on Kaseya\u2019s own instances of VSA. \u201cIt comes down to its security operations, its processes and whether they are up to par with the current threat landscape,\u201d Schrader said.\n\nTo support his statement, Schrader pointed to Cisco IOS device(s) [with an outdated cert](<http://\\(https://whois.arin.net/rest/net/NET-208-75-20-88-1/pft?s=208.75.20.88\\)>) used by Kaseya itself, noting that there are a couple of IPs showing the same issue. He found multiple additional certificate issues, including [this one ](<http://\\(https://whois.arin.net/rest/net/NET-208-75-20-88-1/pft?s=208.75.20.88\\)>)and [this one](<https://whois.arin.net/rest/net/NET-23-31-43-48-1/pft?s=23.31.43.59>).\n\n## A Baker\u2019s Half-Dozen of Bugs\n\nMost of the seven vulnerabilities reported to Kaseya by DVID were patched on Kaseya\u2019s VSA SaaS service, but up until Saturday, three outstanding security holes on the VSA on-premise version still needed to be battened down. 
The attackers had snuck into that gap before Kaseya had a chance to bolster its on-premise VSA servers.\n\nThe three on-premise VSA bugs that Kaseya has now stomped:\n\n * [CVE-2021-30116](<https://csirt.divd.nl/cves/CVE-2021-30116>) \u2013 A credentials leak and business logic flaw, included in [version 9.5.7](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403785889041>) rolled out on Saturday.\n * [CVE-2021-30119](<https://csirt.divd.nl/cves/CVE-2021-30119>) \u2013 A cross-site scripting (CSS) vulnerability, included in version 9.5.7.\n * [CVE-2021-30120](<https://csirt.divd.nl/cves/CVE-2021-30120>) \u2013 A bypass of two-factor authentication (2FA), included in version 9.5.7.\n\nFollowing the July 2 onslaught, Kaseya urged on-premise VSA customers to shut down their servers until the patch was ready. To punch up security still more, Kaseya is also [recommending](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403760102417>) limiting network access to the VSA Application/GUI to local IP addresses only, \u201cby blocking all inbound traffic except for port 5721 (the agent port). Administrators will only be able to access the application from the local network or by using a VPN to connect to the local network.\u201d\n\n## Older Bugs\n\nBesides the outstanding trio of bugs Kaseya addressed on Sunday, these are the other four vulnerabilities that DIVD disclosed and which Kaseya already fixed before the July 2 attacks:\n\n * [CVE-2021-30117](<https://csirt.divd.nl/cves/CVE-2021-30117>) \u2013 An SQL injection vulnerability, resolved in a May 8 patch.\n * [CVE-2021-30118](<https://csirt.divd.nl/cves/CVE-2021-30118>) \u2013 A remote code execution (RCE) vulnerability, resolved in an April 10 patch. 
(v9.5.6)\n * [CVE-2021-30121](<https://csirt.divd.nl/cves/CVE-2021-30121>) \u2013 A [local file inclusion (LFI) vulnerability](<https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion>), resolved in the May 8 patch.\n * [CVE-2021-30201](<https://csirt.divd.nl/cves/CVE-2021-30201>) \u2013 An [XML external entity (XXE) vulnerability](<https://owasp.org/www-community/vulnerabilities/XML_External_Entity_\\(XXE\\)_Processing>), resolved in the May 8 patch.\n\n071221 11:58 UPDATE: Added commentary from Dana Liedholm.\n\n071221 12:13 UPDATE: Added commentary from Jake Williams.\n\n071221 12:32 UPDATE: Added commentary from Dirk Schrader.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-12T15:53:42", "type": "threatpost", "title": "Kaseya Patches Zero-Days Used in REvil Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-30116", "CVE-2021-30117", "CVE-2021-30118", "CVE-2021-30119", "CVE-2021-30120", "CVE-2021-30121", "CVE-2021-30201"], "modified": "2021-07-12T15:53:42", "id": "THREATPOST:E35CE2557CF4CF511B2359A81096AE4F", "href": "https://threatpost.com/kaseya-patches-zero-days-revil-attacks/167670/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2021-07-13T17:08:07", "description": "\n\nRapid7 is aware of and tracking all information surrounding a coordinated, mass ransomware attack reported to be affecting hundreds of organizations. 
Huntress Labs is maintaining a public [Reddit thread](<https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/>) documenting the scope and triage of an event that has, as of the original post date (see updates below), stemmed from 8 managed service providers. Rapid7 does not use Kaseya or a Kaseya MSP and we are not affected by this mass ransomware attack.\n\nRapid7 is updating this post as more information becomes available. Core information is below the most recent updates.\n\n### 2021-07-13\n\n * CISA has [updated their Kaseya ransomware event guidance](<https://us-cert.cisa.gov/kaseya-ransomware-attack>) for affected managed service providers and their customers.\n\n### 2021-07-11\n\n * In a video post today, Kaseya [has indicated](<https://videos.sproutvideo.com/embed/d39ddab51e14efc25a/50fb34477e68d73c?type=hd>) that they are still planning to go ahead with re-enabling an updated VSA SaaS and rollout of the on-prem VSA server update. Some runbook instructions have changed, so any organization planning on going live today should [review those changes](<https://www.kaseya.com/potential-attack-on-kaseya-vsa/>) to see if they impact your environment.\n\n### 2021-07-09\n\n * The Dutch Institue for Vulnerability Disclosure (DIVD) [published](<https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/>) more information on the specific vulnerabilities they shared with Kaseya: \n * [CVE-2021-30116](<https://attackerkb.com/search?q=CVE-2021-30116>) \\- A credentials leak and business logic flaw, resolution in progress. [CVSS 10]\n * [CVE-2021-30117](<https://attackerkb.com/search?q=CVE-2021-30117>) \\- An SQL injection vulnerability, resolved in May 8th patch. [CVSS 9.8]\n * [CVE-2021-30118](<https://attackerkb.com/search?q=CVE-2021-30118>) \\- A Remote Code Execution vulnerability, resolved in April 10th patch. 
(v9.5.6) [CVSS 9.8]\n * [CVE-2021-30119](<https://attackerkb.com/search?q=CVE-2021-30119>) \\- A Cross Site Scripting vulnerability, resolution in progress. [CVSS 5.4]\n * [CVE-2021-30120](<https://attackerkb.com/search?q=CVE-2021-30120>) \\- 2FA bypass, resolution in progress. [CVSS 9.9]\n * [CVE-2021-30121](<https://attackerkb.com/search?q=CVE-2021-30121>) \\- A Local File Inclusion vulnerability, resolved in May 8th patch. [CVSS 6.5]\n * [CVE-2021-30201](<https://attackerkb.com/search?q=CVE-2021-30201>) \\- An XML External Entity vulnerability, resolved in May 8th patch. [CVSS 7.5]\n * President Biden [urged Vladimir Putin](<https://www.nytimes.com/2021/07/09/us/politics/putin-biden-ransomware-hackers.html?referringSource=articleShare>) to \u2018take action to disrupt\u2019 Russia-based hackers behind ransomware attacks.\n\n### 2021-07-08\n\n * Kaseya has [posted a video from their CEO](<https://videos.sproutvideo.com/embed/119ddab21e19e0cd98/19739709ce717d3b?type=hd>) notifying customers that patches and VSA SaaS will likely be available this coming Sunday afternoon (July 11, 2021).\n * According to Malwarebytes, some threat actors [are capitalizing on the extended response to the Kaseya mass ransomware attack](<https://twitter.com/MBThreatIntel/status/1412518446013812737?s=20>) and are targeting victims via email with fake patches that push Cobalt Strike payloads.\n\n### 2021-07-07\n\n * Kaseya has posted runbooks for [on-premises VSAs](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993>) with steps on how to prepare VSA servers for the forthcoming patch. 
These details include the installation of FireEye's agent software along with details on how to isolate the server from production networks, and [SaaS customers](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993>) for how to prepare for the SaaS VSAs coming back online.\n\n### 2021-07-06\n\n * In a [statement posted late Monday night](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689>), Kaseya provided an update on their assessment of the impact of the attack: _"we are aware of fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses. We have not found evidence that any of our SaaS customers were compromised._\n * The Compromise Detection Tool, which was originally only provided directly to customers, [has been made public](<https://kaseya.box.com/s/p9b712dcwfsnhuq2jmx31ibsuef6xict>). 
The tool searches for indicators of compromise, evidence of data encryption, and the REvil ransom note.\n * Kaseya also stated that \u2014 based on advice by outside experts \u2014 customers who experienced ransomware and receive communication from the attackers _should not click on any links as they may be weaponized_.\n\n### 2021-07-05\n\n * Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger [issued a statement](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/04/statement-by-deputy-national-security-advisor-for-cyber-and-emerging-technology-anne-neuberger-on-reporting-kaseya-compromises/>) noting that the President has directed the full resources of the government to investigate this incident and urged anyone who believes their systems have been compromised in the Kaseya ransomware incident to immediately report to the Internet Crime Complaint Center at <https://www.IC3.gov>.\n * The Associated Press [is reporting](<https://apnews.com/article/joe-biden-europe-government-and-politics-technology-business-fc0df4c42f8cd6148bf936ca24bb5cbe>) that REvil has offered a blanket decryption for all victims of the Kaseya attack in exchange for $70 million.\n * Incident responders across multiple firms are indicating the number of victim organizations is in the thousands, spanning over 18 countries.\n\n### 2021-07-04\n\n * Cado Security published [resources](<https://www.cadosecurity.com/post/resources-for-dfir-professionals-responding-to-the-revil-ransomware-kaseya-supply-chain-attack>) which can aid responders as they triage their exposure to the mass ransomware incident.\n * CISA and the FBI have issued [guidance for MSPs and their customers](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa>) who have been affected by the Kaseya VSA supply-chain ransomware attack.\n\n### 2021-07-03 Update\n\n * The Washington Post has [a story with information on 
the ransom demands being made](<https://www.washingtonpost.com/technology/2021/07/02/kaseya-ransomware-attack/>)\n * The Dutch Institute for Vulnerability Disclosure (DIVD) [posted information](<https://csirt.divd.nl/2021/07/03/Kaseya-Case-Update/>) on their ongoing investigation and response to the Kaseya incident, which includes details on their efforts to identify and secure internet-facing VSA servers.\n * CISA posted an [initial advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack>) and is taking action to understand and address the recent supply-chain ransomware attack.\n * Bloomberg [is reporting](<https://www.bloomberg.com/news/articles/2021-07-03/number-of-victims-continues-to-grow-in-massive-ransomware-attack>) that the attack (so far) spans over 1,000 organizations across 11 countries with numerous downstream impacts.\n\n### Original/Main Content\n\nEvidence points to a supply chain attack targeting Kaseya VSA patch management and monitoring software. 
Ransom notes suggest REvil is behind the coordinated attack.\n\nRapid7 Managed Detection and Response teams suggest that, out of an abundance of caution, organizations that use either an on-premise Kaseya VSA solution or the Kaseya cloud-based VSA solution perform the following steps immediately:\n\n * Disable or uninstall the Kaseya agent\n * If you host the Kaseya management server, shut down this system (Kaseya also strongly suggests this course of action)\n\nKaseya appears to be providing updates via their [public helpdesk page](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689>) and their [status page](<https://status.kaseya.net/>) provides visibility into the status of their hosted infrastructure.\n\nResearcher [@BushidoToken](<https://twitter.com/BushidoToken>) has provided a [link to a GitHub gist containing the REvil configuration dump](<https://twitter.com/BushidoToken/status/1411054457450811397>), which includes indicators of compromise organizations may be able to use to detect evidence of these actors operating in your infrastructure.\n\n## Rapid7 Customers\n\n### Managed Detection and Response\n\nRapid7's Managed Detection and Response (MDR) team had existing attacker behavior detections that identified Kaseya-related ransomware activity beginning on Friday, July 2, 2021. Following the initial wave of alerts on Friday, July 2, MDR sent an email communication with a `Critical Advisory` to all MDR customers with guidance on disabling Kaseya and mitigating risk. We have conducted hunts across customer environments and deployed additional detections to accelerate identification of the threat. 
Affected customers have been notified.\n\n### InsightIDR\n\nRapid7 has deployed the following detections in InsightIDR for attacker behavior related to the Kaseya ransomware attack:\n\n * Attacker Technique - CertUtil With Decode Flag\n * Suspicious Process - Renamed CertUtil\n * Suspicious Process - Certutil Decodes Executable File\n * Attacker Tool - KWorking\\agent.exe", "cvss3": {}, "published": "2021-07-13T16:00:00", "type": "rapid7blog", "title": "Managed Service Providers Used in Coordinated, Mass Ransomware Attack Impacting Hundreds of Companies", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-30116", "CVE-2021-30117", "CVE-2021-30118", "CVE-2021-30119", "CVE-2021-30120", "CVE-2021-30121", "CVE-2021-30201"], "modified": "2021-07-13T16:00:00", "id": "RAPID7BLOG:2CAE6785586002C85C620CF61D6C68C2", "href": "https://blog.rapid7.com/2021/07/13/managed-service-providers-used-in-coordinated-mass-ransomware-attack-impacting-hundreds-of-companies/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "avleonov": [{"lastseen": "2021-07-28T14:34:07", "description": "Hello guys! The fourth episode of Last Week\u2019s Security news, July 12 \u2013 July 18.\n\nI would like to start with some new public exploits. I think these 4 are the most interesting.\n\n * If you remember, 2 weeks ago I mentioned the ForgeRock Access Manager and OpenAM vulnerability (CVE-2021-35464). Now there is a [public RCE exploit](<https://vulners.com/packetstorm/PACKETSTORM:163525>) for it. ForgeRock OpenAM server is a popular access management solution for web applications. [Michael Stepankin, Researcher](<https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464>): "In short, RCE is possible thanks to unsafe Java deserialization in the Jato framework used by OpenAM". And now this vulnerability [is Under Active Attack](<https://thehackernews.com/2021/07/critical-rce-flaw-in-forgerock-access.html>). 
"The [Australian Cyber Security Centre] has observed actors exploiting this vulnerability to compromise multiple hosts and deploy additional malware and tools," the organization said in an alert. ACSC didn't disclose the nature of the attacks, how widespread they are, or the identities of the threat actors exploiting them".\n * [A new exploit for vSphere Client](<https://vulners.com/packetstorm/PACKETSTORM:163487>) (CVE-2021-21985). The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.\n * [Apache Tomcat 9.0.0.M1 - Open Redirect](<https://vulners.com/exploitdb/EDB-ID:50118>) (CVE-2018-11784). "When the default servlet in Apache Tomcat [\u2026] returned a redirect to a directory [\u2026] a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice".\n * [Apache Tomcat 9.0.0.M1 - Cross-Site Scripting](<https://vulners.com/exploitdb/EDB-ID:50119>) (CVE-2019-0221). "The SSI printenv command in Apache Tomcat [\u2026] echoes user provided data without escaping and is, therefore, vulnerable to XSS". However, in real life this is unlikely to be used. "SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website".\n\nFor the last 2 weeks I have mentioned PrintNightmare and Kaseya. These topics seem to be coming to their logical end. But there is still something to tell about them.\n\n * Microsoft has shared guidance revealing yet [another vulnerability connected to its Windows Print Spooler service](<https://www.theregister.com/2021/07/16/spooler_service_local_privilege_escalation/>), saying it is "developing a security update." 
\nThe latest Print Spooler service vuln [\u2026] is an elevation of privilege [\u2026]. An attacker needs to be able to execute code on the victim system to exploit the vulnerability [\u2026]. The solution? For now, you can only "stop and disable the Print Spooler service," disabling both the ability to print locally and remotely. \n * Following the supply-chain ransomware attack, Kaseya had urged on-premises VSA customers to shut down their servers until a patch was available. Almost 10 days later the firm [has shipped a new VSA version](<https://thehackernews.com/2021/07/kaseya-releases-patches-for-flaws.html>) with fixes for three security flaws (CVE-2021-30116 - Credentials leak and business logic flaw; CVE-2021-30119 - Cross-site scripting vulnerability; CVE-2021-30120 - Two-factor authentication bypass). The other 4 out of 7 vulnerabilities that could have been exploited in the attack were fixed earlier. Interestingly, REvil, the infamous ransomware cartel behind this attack, has [mysteriously disappeared from the dark web](<https://thehackernews.com/2021/07/revil-ransomware-gang-mysteriously.html>), leading to speculations that the criminal enterprise may have been taken down. Let's hope so.\n\nMost news sites over the past week have written about the use of [SolarWinds Zero-Day RCE (CVE-2021-35211) in targeted attacks](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>). "A memory escape vulnerability in SolarWinds Serv-U Managed File Transfer Server. The flaw exists due to the way Serv-U has implemented the Secure Shell (SSH) protocol and can only be exploited if an organization has made the Serv-U SSH protocol externally accessible. 
Microsoft says that, if exploited, an attacker would be able to \u201cremotely run arbitrary code with privileges,\u201d which may include but is not limited to installing or executing malicious code, as well as accessing or altering data on the system". On July 13, Microsoft published a blog post providing additional insight into their discovery of the flaw and the exploitation activity associated with it. Over 8,000 systems remain publicly accessible and potentially vulnerable.\n\nAlso, news sites wrote a lot about [the dangers of Industrial and Utility Takeovers](<https://threatpost.com/unpatched-critical-rce-industrial-utility-takeovers/167751/>). "A critical remote code-execution (RCE) vulnerability in Schneider Electric programmable logic controllers (PLCs) has come to light (CVE-2021-22779), which allows unauthenticated cyberattackers to gain root-level control over PLCs used in manufacturing, building automation, healthcare and enterprise environments. Schneider has released a set of mitigations for the bug, but no full patch is available yet".\n\nSeveral large Security Bulletins have been published last week:\n\n * [Android Security Bulletin for July 2021](<https://blog.qualys.com/vulnerabilities-threat-research/2021/07/13/google-android-july-2021-security-patch-vulnerabilities-discover-and-take-remote-response-action-using-vmdr-for-mobile-devices>) addresses 44 vulnerabilities, out of which 7 are rated as critical vulnerabilities.\n * [Adobe Patches 11 Critical Bugs](<https://threatpost.com/adobe-patches-critical-acrobat/167743/>) in Popular Acrobat PDF Reader.\n * [Microsoft Patch Tuesday fixes 13 critical flaws](<https://www.welivesecurity.com/2021/07/14/microsoft-patch-tuesday-july>), including 4 under active attack. 
I have released [a separate video with an overview of these vulnerabilities](<https://avleonov.com/2021/07/15/vulristics-microsoft-patch-tuesday-july-2021-zero-days-eop-in-kernel-and-rce-in-scripting-engine-rces-in-kernel-dns-server-exchange-and-hyper-v/>) and recommend watching it.\n\nThere was some other interesting news that I would like to point out, but I do not want to make this episode too long. Therefore, I will do it very briefly.\n\n * [Google patches Chrome zero\u2011day](<https://www.welivesecurity.com/2021/07/16/google-patches-chrome-zero-day-vulnerability-exploited-in-the-wild>) vulnerability exploited in the wild (CVE-2021-30563). \n * [Critical Juniper Bug Allows DoS, RCE](<https://threatpost.com/critical-juniper-bug-dos-rce-carrier/167869/>) Against Carrier Networks (CVE-2021-0276, CVE-2021-0277).\n * [SonicWall has told users of two legacy products](<https://www.computerweekly.com/news/252504083/Legacy-SonicWall-kit-exploited-in-ransom-campaign>) running unpatched and end-of-life firmware to take immediate and urgent action to head off an \u201cimminent\u201d ransomware campaign.\n * [Attackers Exploited 4 Zero-Day Flaws](<https://www.darkreading.com/attacks-breaches/attackers-exploited-4-zero-day-flaws-in-chrome-safari-and-ie/d/d-id/1341542>) in Chrome, Safari & IE.\n * [CloudFlare CDNJS Bug Could Have Led to Widespread Supply-Chain Attacks](<https://thehackernews.com/2021/07/cloudflare-cdnjs-bug-could-have-led-to.html>). CDNJS is a free and open-source content delivery network (CDN) that serves about 4,041 JavaScript and CSS libraries.\n * Microsoft to beef up security portfolio with [reported half-billion-dollar RiskIQ buyout](<https://www.theregister.com/2021/07/13/microsoft_riskiq_acquisition/>). RiskIQ is all about using security intelligence to protect the attack surface of an enterprise. 
\n * Chinese makers of network software and hardware must [alert Beijing within two days of learning of a security vulnerability](<https://www.theregister.com/2021/07/15/china_vulnerability_law/>) in their products under rules coming into force in China this year. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-19T16:29:00", "type": "avleonov", "title": "Last Week\u2019s Security news: Exploits for ForgeRock, vSphere, Apache Tomcat, new Print Spooler vuln, Kaseya Patch and REvil, SolarWinds, Schneider Electric, Bulletins", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-0277", "CVE-2021-35464", "CVE-2021-0276", "CVE-2021-22779", "CVE-2021-21985", "CVE-2021-30563", "CVE-2021-30119", "CVE-2018-11784", "CVE-2021-30116", "CVE-2021-35211", "CVE-2019-0221", "CVE-2021-30120"], "modified": "2021-07-19T16:29:00", "id": "AVLEONOV:C33EB29E3A78720B630607BECBB3CEF5", "href": "http://feedproxy.google.com/~r/avleonov/~3/gHnqqNZIYuo/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:34:07", "description": "Hello guys! 
The third episode of Last Week\u2019s Security news, July 5 - July 11. There was a lot of news last week. Most of it was again about PrintNightmare and Kaseya.\n\nThe updates for PrintNightmare (CVE-2021-34527) [were finally released](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) mid-week. It became possible not only to disable the service, but also to update the hosts. This is especially important for desktops that need to print something. But the problem is that these [patches can be bypassed](<https://twitter.com/wdormann/status/1412813044279910416>). "If you have a system where PointAndPrint NoWarningNoElevationOnInstall = 1, then Microsoft's patch for #PrintNightmare CVE-2021-34527 does nothing to prevent either LPE or RCE". Microsoft has updated their security update guide after that: "if you set this reg key to = 1 then the system is vulnerable by design". It seems that solving this problem requires hardening and registry monitoring.\n\nPrintNightmare exploitation just got easier. Rapid7 security [researchers have added a new module](<https://www.rapid7.com/blog/post/2021/07/09/metasploit-wrap-up-120/>) for PrintNightmare to Metasploit. The module triggers a remote DLL load by abusing a vulnerability in the Print Spooler service. The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request using the MS-RPRN vector, resulting in remote code execution as NT AUTHORITY\\SYSTEM.\n\nThere was a lot of news regarding Kaseya. I would not say that in a week we learned something fundamentally new, but almost all guesses were confirmed. [7 CVEs that could be used in attacks became known](<https://www.rapid7.com/blog/post/2021/07/08/managed-service-providers-used-in-coordinated-mass-ransomware-attack-impacting-hundreds-of-companies/>) (CVE-2021-30116, CVE-2021-30117, CVE-2021-30118, CVE-2021-30119, CVE-2021-30120, CVE-2021-30121, CVE-2021-30201). 
Huntress Security Researcher [Caleb Stewart has successfully reproduced the Kaseya VSA exploits](<https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/>) used to deploy REvil/Sodinokibi ransomware and released a POC demonstration video depicting an Authentication Bypass, an Arbitrary File Upload and Command Injection. [Brian Krebs also wrote about a directory traversal](<https://krebsonsecurity.com/2021/07/kaseya-left-customer-portal-vulnerable-to-2015-flaw-in-its-own-software/>) vulnerability (CVE-2015-2862) on the Customer Portal portal.kaseya.net that has not been fixed since 2015. The portal "was deprecated but left up". The Compromise Detection Tool has been made public. The ransomware operators have demanded $70m for a master decryption key. Some threat actors were targeting victims via email with fake patches that push Cobalt Strike payloads. [Kaseya delays SaaS restore to Sunday July 11](<https://www.theregister.com/2021/07/09/kaseya_saas_restoration_july_11/>) and promises \u201cexponentially more secure\u201d product. And if you think that only Kaseya has such problems, you are wrong.\n\nContinuing on the theme that the security problems of service providers are your problems. [Morgan Stanley has confirmed a data breach](<https://www.darkreading.com/attacks-breaches/morgan-stanley-discloses-data-breach-/d/d-id/1341503>) in which attackers were able to access personal information belonging to customers by targeting a vulnerability in the Accellion FTA server. Attackers were able to access participant data, including name, last known address, birth date, Social Security number, and corporate company name. The server belonged to Guidehouse, a vendor that provides account maintenance services to Morgan Stanley's StockPlan Connect business. While Guidehouse patched the vulnerability within five days of its availability, the attacker was able to access the data around that time, officials said. 
The vendor discovered the attack in March 2021 and learned it affected Morgan Stanley in May. As you can see, 5 days for patching a critical vulnerability at the perimeter is unacceptable.\n\nThe US Cybersecurity and Infrastructure Security Agency (CISA) [has released an analysis](<https://www.cisa.gov/publication/rva>) detailing the findings from Risk and Vulnerability Assessments (RVAs) conducted during the 2020 fiscal year across industries. The officials' analysis details a sample attack path an intruder could take to compromise an organization, with weaknesses that represent the ones CISA saw in RVAs over the past year. Quite interesting stuff, especially [the infographics](<https://www.cisa.gov/sites/default/files/publications/FY20_RVAs_Mapped_to_the_MITRE_ATTCK_Framework_508_corrected.pdf>). For example, it was especially interesting to see statistics on Initial Access. Phishing links were most common and used to gain initial access in 49% of RVAs. Next were exploits of public-facing applications (11.8%), followed by phishing attachments (9.8%). Therefore, if you focus on anti-phishing and perimeter control, you are building your first line of defense correctly.\n\n[North Korean APT Lazarus Group impersonates](<https://threatpost.com/lazarus-engineers-malicious-docs/167647/>) Airbus, General Motors and Rheinmetall to lure Job-Seeking Engineers into downloading malware. This is stated in a report published by AT&T Alien Labs. The ultimate payload of the Rheinmetall document uses Mavinject.exe, a legitimate Windows component that has been used and abused before in malware activity, to perform arbitrary code injections inside any running process. The Airbus document macro executes the payload with an updated technique. The attackers are no longer using Mavinject, but directly executing the payload with explorer.exe, significantly modifying the resulting execution tree. 
So, when you suddenly see interesting job offers in your inbox, be careful.\n\n[A set of high-severity privilege-escalation vulnerabilities](<https://threatpost.com/cisco-bpa-wsa-bugs-cyberattacks/167654/>) affecting the Business Process Automation (BPA) application and Cisco\u2019s Web Security Appliance (WSA) could allow authenticated, remote attackers to access sensitive data or take over a targeted system. The fact that authentication is required makes it less interesting. In addition, these are apparently not the most popular Cisco products. But if you are using BPA or WSA, be aware.\n\n[Four security vulnerabilities](<https://thehackernews.com/2021/07/critical-flaws-reported-in-sage-x3.html>) (CVE-2020-7388, CVE-2020-7389, CVE-2020-7387, CVE-2020-7390) have been uncovered in the Sage X3 enterprise resource planning (ERP) product, two of which could be chained together as part of an attack sequence to enable hackers to execute malicious commands and take control of vulnerable systems. Sage X3 installations should not be exposed directly to the internet, and should instead be made available via a secure VPN connection where required.\n\nMultiple security vulnerabilities have been [disclosed in Philips Clinical Collaboration](<https://thehackernews.com/2021/07/critical-flaws-reported-in-philips-vue.html>) Platform Portal (Vue PACS). Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system. Everything related to medicine requires the strictest certification. 
As you can see, it doesn't help much.\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-11T20:52:51", "type": "avleonov", "title": "Last Week\u2019s Security news: PrintNightmare patches and Metasploit, Kaseya CVEs, Morgan Stanley Accellion FTA, Cisco BPA and WSA, Philips Vue PACS, CISA RVAs, Lazarus job offers", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7388", "CVE-2021-30117", "CVE-2021-30118", "CVE-2021-30201", "CVE-2020-7390", "CVE-2021-30119", "CVE-2020-7387", "CVE-2020-7389", "CVE-2021-34527", "CVE-2021-30116", "CVE-2015-2862", "CVE-2021-30121", "CVE-2021-30120"], "modified": "2021-07-11T20:52:51", "id": "AVLEONOV:36BA0DE03DB6F8D0C96B6861C9A07473", "href": "http://feedproxy.google.com/~r/avleonov/~3/L83_6PGWaZs/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}]}