In the previous week, we published an article in which we have reported about Kaseya’s supply chain attack, which was discovered early this month. Now, almost ten days later, on 11th July, Kaseys has released a patch for VSA supply-chain attack. The Florida-based software company has fixed three new security vulnerabilities in the released patch to address critical security issues in its Virtual System Administrator (VSA) solution. With this update, the company has fixed a total of seven vulnerabilities, including the three new vulnerabilities. Let’s see the changes Kaseya has made in the VSA release 9.5.7a.
Three new vulnerabilities fixed in the 11th July updates:
- CVE-2021–30116: Credentials leak and business logic flaw (Fixed in VSA 9.5.7a)
- CVE-2021–30119: Cross-site scripting vulnerability (Fixed in VSA 9.5.7a)
- CVE-2021–30120: Two-factor authentication bypass (Fixed in VSA 9.5.7a)
Remaining four vulnerabilities reported by DIVD in April 2021:
- CVE-2021–30117: SQL injection vulnerability (Fixed in VSA 9.5.6)
- CVE-2021–30118: Remote code execution vulnerability (Fixed in VSA 9.5.5)
- CVE-2021–30121: Local file inclusion vulnerability (Fixed in VSA 9.5.6)
- CVE-2021–30201: XML external entity vulnerability (Fixed in VSA 9.5.6)
New password policy rolled out in the release:
In the recently released patch VSA version 9.5.7a (184.108.40.20694), Kaseya has made password rest mandatory. Those who install the new patch should change their passwords post login to meet new password requirements.All users will be re-directed to the System > User Settings > Change Logon page, after installing the patch. There they need to change their password.
The update shipped with these changes in the password policy:
- Password can’t be older than 30 days.
- The minimum password length cannot be less than 16 characters.
- Password reuse cannot be less than five passwords.
- The System now enforces all the rules.
Agent Procedures Approvals:
The VSA release 9.5.7a release has made all the changes on the agent procedures that must be approved by a master administrator. It is not possible to disable Agent Procedure signing and approval anymore.
Disabled a few REST API:
In the new release, some API calls have been disabled temporarily to enhance security. All the disabled API calls will be restored in a later release.
Changes in agent package download:
After the release of 9.5.7a, It is impossible to download an agent installation package without authentication to VSA anymore. The ability to deploy agents to external users will be restored in a future release.
Readiness and best practice guide available for both on-premise and SaaS VSA:
The company has published the readiness guide and best practice guide for the customers to read before they proceed with patching the VSA Supply-Chain Attack.
Thanks for reading the post. Please share this information and help securing the digital world.
Originally published at https://thesecmaster.com on July 12, 2021.