Kaseya Community

Kiwicon Exploit...

  • Kaseya was alerted to a security vulnerability through a presentation at New Zealand's hacker conference, Kiwicon 6, this past weekend. Details of the attack were not disclosed, but a demonstration of the attack was shown. Kaseya has tried contacting the presenter, who goes by "Cartel", but has not received any response as yet. 

    However, Kaseya has successfully reproduced the attack and will release a hotfix to all customers today.

    Kaseya always welcomes hearing directly from anyone who thinks they have found a hole, or has shown an exploit (as in this case), or is just worried about the security of our system. We take this extremely seriously and drop everything to remediate the problem as soon as we hear of it. Typically we get a patch out within a day or two, as is the case here.

  • Hi Brendan

    Good to see that you (Kaseya) are being open and honest about this. Would it be possible to update this post when the patch becomes available, so that those of us who manually update our Kaseya servers can address this issue promptly?

    Thanks

    Alistair

  • Brendan, any update on the timing of the pending hotfix? I haven't seen anything since the original promise of something being released yesterday afternoon.

    Jim

  • It was fixed with HotFix 2690, released yesterday.

  • Thanks Alistair. We take security VERY seriously here. The hotfix Max mentioned was posted yesterday afternoon PST.

  • Whilst checking my server's Hotfix History, I notice that my applied hotfixes jump from 2689 to 2691, thus skipping 2690.

    I have no pending hotfixes.

    Any idea when this will be released?

  • Was this issue also related to On-Premises installations, or is this hotfix just applicable for SaaS?

    I have the same issue as Joshua: no hotfix 2690, but 2689 and 2691-96.

  • Same here. Please advise

  • I think it is installed as a forced update.

    When accessing the Pending Hotfixes screen there would have been this message - vsa hotfix v6020000-2690 KServer.exe applied. kserver.exe restarted.

  • Alistair Curran

    I think it is installed as a forced update.

    When accessing the Pending Hotfixes screen there would have been this message - vsa hotfix v6020000-2690 KServer.exe applied. kserver.exe restarted.

    YES, that's right:

  • (attachment: Kserver version.JPG)

    Ok, found it: thx!!

  • Thanks got it.

    Interesting that it doesn't appear in the regular Hotfix History though?

  • On the System tab -> Configure page, your v6.2 system has the hotfix if the KServer is at least version 6.2.0.39.

  • Haha, I know Cartel; I worked with him a few years back. Shows you how important it actually is to not have your Kaseya server open to the world.

    If you have locked your Kaseya server down and/or you are using two-factor auth, this guy could create admin accounts until the cows come home and still not be able to log in to your Kaseya server unless he had access to your internal LAN.

    Now if he had serious skills he could have made it add a Kaseya script that could do a DoS attack via the agents or mass delete system files on the endpoints.

    ----www.scmagazine.com.au/.../323288,researcher-owns-blue-chip-managed-service-platforms.aspx----

    In the demonstration, the researcher created an administrator account on Kaseya by injecting malicious script into a registry key used by the Kaseya user agent. This was accepted by the MSP due to a vulnerability in which it failed to properly validate its database.

    "The way we inject our code is by modifying the registry key," he said to laughs from the audience, followed by applause as a new admin hacker@hacker.com was successfully uploaded.

    "It's a SaaS (Software-as-a-Service) model, so you'll be able to get plenty of shells."

    ----



    [edited by: HardKnoX at 2:11 PM (GMT -8) on Nov 25, 2012] typo
  • Yeah, it's a very scary scenario. I would like to see that *properly* fixed. I mean, an SQL injection in the code that handles registry keys shouldn't be able to mess with the administrators table.

    Use a dedicated SQL user, service, whatever you want, but please don't allow that!
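The defect the article excerpt and the post above describe, agent-reported registry data being accepted into a SQL statement without validation, comes down to how the value reaches the database. The following is an added example, not code from Kaseya, from the researcher, or from anyone in this thread: the same registry-value ingest written once with string formatting and once as a parameterised query, run against an in-memory SQLite table. The table and column names, the agent identifiers and the three registry values are constructed for the example (the Kaseya schema is not on this page); the third value is shaped to close the quoted literal so the two code paths can be compared.

```python
import sqlite3

# Constructed sample of what an agent might report back: (agent id, registry key, value).
# The second value contains an apostrophe; the third is shaped to break out of a quoted
# literal. Neither is taken from any real report.
SAMPLE_REPORT = [
    ("agent-01", r"HKLM\SOFTWARE\Vendor\Build", "6.2.0.39"),
    ("agent-02", r"HKLM\SOFTWARE\Vendor\Note", "O'Brien's build"),
    ("agent-03", r"HKLM\SOFTWARE\Vendor\Junk", r"x'), ('agent-03', 'HKLM\INJECTED', 'y"),
]


def new_db():
    """In-memory SQLite database with a hypothetical registry_values table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registry_values (agent TEXT, key TEXT, value TEXT)")
    return conn


def store_unsafe(conn, agent, key, value):
    """Builds the statement by string formatting: agent-supplied text becomes SQL."""
    sql = (
        "INSERT INTO registry_values (agent, key, value) "
        "VALUES ('%s', '%s', '%s')" % (agent, key, value)
    )
    conn.execute(sql)


def store_safe(conn, agent, key, value):
    """Parameterised statement: the driver passes the values separately from the SQL text."""
    conn.execute(
        "INSERT INTO registry_values (agent, key, value) VALUES (?, ?, ?)",
        (agent, key, value),
    )


def ingest(conn, report, store):
    """Store each reported value; map each registry key to 'stored' or 'error'."""
    outcomes = {}
    for agent, key, value in report:
        try:
            store(conn, agent, key, value)
            outcomes[key] = "stored"
        except sqlite3.Error:
            outcomes[key] = "error"
    return outcomes


def stored_rows(conn):
    """Everything that ended up in the table, in insertion order."""
    return conn.execute(
        "SELECT agent, key, value FROM registry_values ORDER BY rowid"
    ).fetchall()


def run(store):
    """Ingest the sample report with the given store function on a fresh database."""
    conn = new_db()
    outcomes = ingest(conn, SAMPLE_REPORT, store)
    return outcomes, stored_rows(conn)


if __name__ == "__main__":
    for name, store in (("unsafe", store_unsafe), ("safe", store_safe)):
        outcomes, rows = run(store)
        print(name, outcomes)
        for row in rows:
            print("   ", row)
```

With `store_unsafe` the apostrophe value fails outright and the third value writes a row for a key no agent ever reported, which is the shape of the problem the article describes: whatever the agent sends is interpreted as part of the statement. With `store_safe` all three values land in the table verbatim, because the driver never merges them into the SQL text. The second half of the post's request, a dedicated database user that cannot reach the administrators table, lives at the database permission layer rather than in the query code; SQLite has no such accounts, so it is not shown here, but on a server database it would be a separate login granted only the rights the agent check-in path needs.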