Kaseya VSA < 9.5.7 - Credential Disclosure via Windows Agent

id: CVE-2021-30116

info:
  name: Kaseya VSA < 9.5.7 - Credential Disclosure via Windows Agent
  author: daffainfo
  severity: critical
  description: |
    Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\Program Files (x86)\Kaseya\XXXXXXXXXX\KaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.
  impact: |
    Unauthenticated attackers can obtain Agent_Guid and AgentPassword credentials via the download page, gaining authenticated access to execute further attacks against Kaseya VSA.
  remediation: |
    Update to version 9.5.7 or later to remediate this vulnerability.
  reference:
    - https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/
    - https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/
    - https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021
    - https://www.secpod.com/blog/kaseya-vsa-zero-day-by-revil/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-30116
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cve-id: CVE-2021-30116
    epss-score: 0.54074
    epss-percentile: 0.98057
    cwe-id: CWE-522
    cpe: cpe:2.3:a:kaseya:virtual_system_administrator:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: kaseya
    product: virtual_system_administrator
    shodan-query: http.favicon.hash:-1445519482
  tags: cve,cve2021,kaseya,virtual_system_administrator,kev,vkev,vuln

flow: |
  http(1)
  for (let mkdefault_id of iterate(template.id)) {
    set("mkdefault_id", mkdefault_id)
    http(2)
  }

http:
  - method: GET
    path:
      - "{{BaseURL}}/dl.asp"

    matchers:
      - type: dsl
        dsl:
          - "contains_all(body, '<title>Download Agent</title>', 'mkDefault.asp?id=')"
          - "status_code == 200"
        condition: and
        internal: true

    extractors:
      - type: regex
        name: id
        group: 1
        internal: true
        regex:
          - 'mkDefault\.asp\?id=([0-9-]+)'

  - method: GET
    path:
      - "{{BaseURL}}/mkDefault.asp?id={{mkdefault_id}}"

    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          - "Location: /install/VSA-default-([0-9-]+)/KcsSetup\\.exe"

      - type: status
        status:
          - 302
# digest: 4a0a0047304502206842a8ebab2bcd585d577bb2305b0a84a155fa8bf0ceb122ac0e15b0e00feae7022100e56543fa49c996b2b0679b397f5c71621e269fa78e1100b55cf7a137f87baeb8:922c64590222798bb761d5b6d8e72950