Kaseya Community

Kaseya Virtual System Administrator (VSA) Local Privilege Escalation

  • This was released today:

    https://packetstormsecurity.com/files/146871/kaseyavsa-escalate.txt

    Check out the timeline (In particular 20.03.2018):

    Timeline:
    03.08.2017: Initial contact email sent to security@kaseya.com with
    information about the vulnerability.
    03.08.2017: Notification sent to vendor that CVE-2017-12410 has been
    assigned for this vulnerability by MITRE.
    05.08.2017: Vendor confirms receiving the information about the
    vulnerability and informs that the development team is looking
    into the issue.
    19.11.2017: No vendor response. Request for a status update.
    10.02.2018: No vendor response. Notifying vendor about the planned advisory
    release.
    11.02.2018: Vendor replies with information that the fix is ready, they are
    in the process of backporting it across a three versions of
    their code, testing it, releasing patches and rolling it out
    across their sass (sic!) versions. Vendor requests to postpone
    publication of the advisory for 30 days to ensure that patches
    are tested and ready for release.
    12.02.2018: Confirmation sent that the publication of the advisory will be
    postponed.
    12.02.2018: Vendor acknowledges and commits to provide a weekly updates as
    they progress to release.
    20.03.2018: No vendor response. Advisory published.
    23.03.2018: The advisory is released.


    So are we patched, or not?
  • Yeah I saw this posted to patchmanagement.org over the weekend. I noted it says 'Kaseya AgentMon.exe <= 9.3.0.11 - Local Privilege Escalation'

    If it genuinely only affects agent versions 9.3.0.11 and lower I doubt too many customers would still be affected as the agent was updated to 9.3.0.12 in December 2016.

    It would be great to get an official response from Kaseya on this.

  • As the only actual employee of Kaseya I've seen active on here in a while... Can you get some kind of official statement for us on this?

  • Hey all,

    Here to provide some clarification on this.

    A Time of Check & Time of Use (CVE-2017-12410) flaw exists within the VSA agent on the endpoint where a user can take advantage of a race condition, which could result in executing code with system privileges.

    The likelihood of practical exploit is low. This flaw cannot be executed remotely and requires that an attacker has already compromised the underlying machine gaining local control of the endpoint with the ability to execute their own code.

    This issue was resolved prior to the release of R9.5 and does not impact VSA SaaS instances (SaaS instances are already running 9.5).

    For customers running 9.4, Kaseya has released patch 9.4.0.37 which includes a fix for this issue. For on-premises customers running versions earlier than 9.4, it is recommended to update to 9.4.0.37 or 9.5.

    Feel free to reach out if you have any questions.

    Thanks,

    Steven



    typo
    [edited by: steven.simmons at 6:30 PM (GMT -7) on Apr 3, 2018]
  • Phew, it took 6 months from the initial report to having a fix - that sounds just a little slow, doesn't it? And that seems only to be the result of them asking about progress... And then it took another 7 weeks to get it released for 9.4.
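
To answer "are we patched, or not?" across many installs, the version guidance in the vendor reply above can be turned into a triage check. This is an added example, not code from Kaseya or from anyone in the thread; the host names and version strings in `INVENTORY` are constructed, and treating releases later than 9.5 as fixed is an assumption.

```python
import re

# Thresholds taken from the vendor reply in this thread.
FIXED_9_4_PATCH = (9, 4, 0, 37)  # "patch 9.4.0.37 which includes a fix"
FIXED_RELEASE = (9, 5)           # "resolved prior to the release of R9.5"

def parse_version(text):
    """Parse '9.4.0.36' or 'R9.5' into a 4-tuple of ints; None if malformed."""
    m = re.fullmatch(r"[Rr]?(\d+(?:\.\d+){1,3})", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(version_text):
    """Map a VSA version string to the action the vendor reply recommends."""
    v = parse_version(version_text)
    if v is None:
        return "unknown: verify manually"
    # Compare integer tuples, never strings: as text, "9.4.0.4" sorts
    # after "9.4.0.37" and would be wrongly reported as patched.
    if v[:2] >= FIXED_RELEASE:
        return "fixed: 9.5 or later"  # assumption: later releases keep the fix
    if v[:2] == (9, 4):
        if v >= FIXED_9_4_PATCH:
            return "fixed: 9.4 at patch 9.4.0.37 or later"
        return "action: apply patch 9.4.0.37"
    return "action: update to 9.4.0.37 or 9.5"

# Constructed sample inventory (hypothetical host names and versions).
INVENTORY = {
    "vsa-onprem-01": "9.4.0.4",
    "vsa-onprem-02": "9.4.0.37",
    "vsa-onprem-03": "9.3.0.11",
    "vsa-saas": "R9.5",
    "vsa-lab": "not reported",
}

def report(inventory):
    """Return {host: triage result} for every entry in the inventory."""
    return {host: triage(version) for host, version in inventory.items()}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:15} {INVENTORY[host]:14} {status}")
```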