With its Unitrends Backup Appliances, Kaseya offers security solutions aimed especially at larger organizations and managed service providers. With updated software, the manufacturer closes security vulnerabilities that could have allowed attackers to inject and execute malicious code. Administrators should apply the updates immediately.
Version 10.5.5 closes a total of twelve security vulnerabilities; according to Kaseya, versions 10.0.x-10.5.4 are affected. The first of two critical vulnerabilities is in bpserverd, the Unitrends backup appliance service. Several of its functions passed untrusted input to system calls. Attackers could have executed arbitrary code as root (CVE-2021-43033, CVSS 9.8).
The second critical vulnerability is an SQL injection that attackers could abuse without authentication to execute arbitrary SQL queries in the context of the PostgreSQL superuser account. This made it possible to execute injected code with the rights of the PostgreSQL user (CVE-2021-43035, CVSS 9.8).
Other security holes
In its security bulletin, Kaseya describes seven further vulnerabilities rated "high" and three rated "medium". These include, for example, a buffer overflow in the vault server that a remote, unauthenticated attacker could abuse to inject and execute malicious code (CVE-2021-43042, "high"). In addition, the old software used weak passwords for preconfigured accounts such as wguest (CVE-2021-43036, "high"). Another flaw, which allowed PostgreSQL trigger commands to be injected, made it possible to escalate privileges from the wguest context to PostgreSQL superuser (CVE-2021-43038, "high").
In addition, the Unitrends Windows Agent was susceptible to so-called DLL injection and so-called binary planting (i.e. the insertion of third-party code) due to insecure default permissions. This allowed users to escalate their privileges up to SYSTEM level (CVE-2021-43037, "high"). Details on the other vulnerabilities can be found in the manufacturer's security bulletin. Kaseya recommends that users install the updated software packages immediately and also bring the agents on the clients up to date.
The company made headlines in the middle of the year because of a so-called supply chain attack. The background article "Kaseya VSA: How the supply chain attacks worked and what they mean for us" provides interesting details.
(dmk)