Researchers warn of unpatched Kaseya Unitrends backup vulnerabilities

Kaseya

Security researchers warn of three new zero-day vulnerabilities in the Kaseya Unitrends service and advise users not to expose the service to the Internet.

Kaseya Unitrendss is a cloud-based enterprise backup and disaster recovery solution that is offered as a stand-alone solution or as an add-on for the Kaseya VSA remote management platform.

Last week, the Dutch Institute for Vulnerability Disclosure (DIVD) issued a TLP:AMBER advisory about three unpatched vulnerabilities in the Kaseya Unitrendss backup product.

While DIVD released this advisory under the TLP:AMBER designation, DIVD Chairman Victor Gevers told BleepingComputer that it was originally shared with 68 government CERTs under a coordinated disclosure.

However, one of the recipients uploaded it to an online analyzing platform, where it became public to those with access to the service.

“Two days later, an Information Sharing and Analysis Center alerted us that one of the GovCERTs had forwarded the email to an organization’s service desk operating in the Financial Services in that country,” Gevers told BleepingComputer.

“An employee uploaded the TLP: AMBER labeled directly to an online analyzing platform and shared its content to all participants of that platform; because we do not have an account on that platform, we immediately requested removing this file.”

The Kaseya Unitrends vulnerabilities

Yesterday, DIVD released a public advisory warning that zero-day vulnerabilities have been discovered in Kaseya Unitrendss versions earlier than 10.5.2 and to not expose the service to the Internet.

“Do not expose this service or the clients (running default on ports 80, 443, 1743, 1745) directly to the internet until Kaseya has patched these vulnerabilities,” reads DIVD’s advisory.

The vulnerabilities affecting the Kaseya Unitrendss backup service include a mixture of authenticated remote code execution, authenticated privilege escalation, and unauthenticated remote code execution on the client side.

Unlike the Kaseya VSA zero-days used as part of the July 2nd REvil ransomware attack, these vulnerabilities are more difficult to exploit.

This is because a threat actor would need a valid user to perform remote code execution or privilege escalation on the publicly exposed Kaseya Unitrends service. Furthermore, threat actors would already need to have breached a customer network to exploit the unauthenticated client RCE.

DIVD discovered the vulnerabilities on July 2nd, 2021, and disclosed them to Kaseya on July 3rd. On July 14th, DIVD began scanning the Internet for exposed Kaseya Unitrends instances to identify vulnerable systems.

DIVD will attempt to inform owners of vulnerable systems to get them offline until a patch is released.

Gevers told BleepingComputer that the amount of vulnerable instances is low, but they have been found in sensitive industries.

BleepingComputer contacted Kaseya to learn when the patch will be released but has not heard back at this time.