Kaseya VSA services coming online after week-long outage

by Joseph K. Clark

The vast majority of users running the software-as-a-service (SaaS) version of Kaseya’s VSA endpoint and network management product should by now have had their services restored as the company recovers from a 2 July REvil ransomware attack.

Kaseya released a patch for the vulnerabilities exploited by REvil to its on-premise customers slightly ahead of schedule on the afternoon of Sunday, 11 July, and began the process of deploying to its SaaS infrastructure.


As of early on the morning of Monday 12 July, said Kaseya, the process was well in hand. In a statement, the company said: “The restoration of services is progressing, with 95% of our SaaS customers live and servers coming online for the rest of our customers in the coming hours. Our support teams are working with VSA On-Premises customers who have requested assistance with the patch.”

The patch, VSA 9.5.7, is a release that fixes three disclosed common vulnerabilities and exposures (CVEs). These are CVE-2021-30116, a credential leakage and business logic flaw; CVE-2021-30119, a cross-site scripting vulnerability; and CVE-2021-30120, a two-factor authentication bypass.

It also fixes three separate issues: one where the Secure flag was not set on user portal session cookies; one where specific API responses contained a password hash that could expose weak passwords to a brute-force attack; and one that could have allowed the unauthorized upload of files to the VSA server.

A full breakdown of the patch, including additional instructions for on-premises users, more details of changes to authentication policy, agent packages and procedures, and some features that must remain temporarily unavailable pending further attention, can be found here.

Analysts at Huntress have confirmed that the proof-of-concept exploit fails once the patch is applied, so the attack vector appears to have been eliminated. However, some users of on-premise servers may still be concerned that their powered-off systems have pending jobs queued to ransom more endpoints once they are back online. Users should therefore be sure to clear these out before bringing servers back up.

Feature upgrades

Meanwhile, as Kaseya begins moving forward, the company faces allegations from former staffers that it had invited trouble by prioritizing product and feature upgrades over cyber security.

According to Bloomberg, which spoke to some of the disaffected employees, some apparently quit out of frustration, while another, who reportedly provided the company’s leadership with a 40-page memo detailing problems with VSA, says they were fired a fortnight later.

Among the allegations are claims that Kaseya was using outdated code, failing to implement proper encryption, and not routinely patching its products. The employees also said that the REvil attack was not the first time Kaseya products had been exploited by ransomware gangs.

In a statement provided to Gizmodo, Kaseya said it was focused on its investigation and assisting customers affected by the attack, not on “random speculation”.
