The Dutch Vulnerability Disclosure Institute (DIVD) said it identified three 0-day vulnerabilities in the Kaseya Unitrends backup product.
Kaseya Unitrends is a cloud-based enterprise backup and disaster recovery solution offered as a standalone product or as an add-on to the Kaseya VSA platform.
DIVD chairman Victor Gevers told Bleeping Computer that 68 government CERTs had reported these issues, but one recipient uploaded the data to an analytics web platform where it was made available to anyone who had access to the service.
As a result, DIVD representatives decided to publicly report bugs found in Kaseya Unitrends (in versions up to 10.5.2).
The unpatched vulnerabilities relate to remote code execution (after authentication), privilege escalation (after authentication), and remote code execution (no authentication) on the client side. Researchers now warn that it is better to temporarily isolate the service and clients (especially those running on the default ports 80, 443, 1743, 1745) from the Internet.
Fortunately, these problems are much more difficult to exploit than the RCE vulnerability in Kaseya VSA, which was recently exploited by the REvil ransomware operators.
The point is that in the case of Kaseya Unitrends, an attacker would need to hijack or create a valid user account in order to remotely execute code or escalate privileges. To use the unauthenticated RCE in the client, an attacker would first have to penetrate the company's network.
Gevers says the number of vulnerable Kaseya Unitrends installations available online is small, but they have been found in critical industries.
Let me remind you that we also reported that Kaseya has a decryptor for the REvil ransomware.