Multiple Unpatched Kaseya Unitrends Backup Vulnerabilities Disclosed

Description

FortiGuard Labs is aware of a public advisory released by the Dutch Institute for Vulnerability Disclosure (DIVD) that warns about multiple unpatched vulnerabilities in Kaseya Unitrends Backup products. Kaseya Unitrends is a cloud-based enterprise backup and disaster recovery technology that can be deployed as a stand-alone solution or as an add-on for the Kaseya VSA platform. Reportedly, the unpatched vulnerabilities enable a mixture of remote code execution and authenticated privilege escalation on the client-side.


When were the Vulnerabilities Discovered?

According to the DIVD advisory, the vulnerabilities were discovered on July 2nd, 2021.


When was the Vendor Notified of the Vulnerabilities?

The DIVD advisory states the vendor was notified on July 3rd, 2021.


How Serious of an Issue is This?

MEDIUM/HIGH. Several public reports indicate that the vulnerabilities enable a mixture of remote code execution and authenticated privilege escalation on the client-side. Also, the vendor has not yet released applicable patches. According to BleepingComputer (who had direct contact with Victor Gevers, one of the researchers who discovered the vulnerabilities), "the amount of vulnerable instances is low, but they have been found in sensitive industries".


Are the Vulnerabilities Being Exploited in the Wild?

At the time of this writing, FortiGuard Labs is not aware of the vulnerabilities being exploited in the wild. FortiGuard Labs is monitoring the situation and will provide an update when the situation changes.


Has the Vendor Released an Advisory?

No, the vendor has not released an advisory on the vulnerabilities.


Which Versions of Kaseya Unitrends Backup Products are Vulnerable?

Kaseya Unitrends backup products earlier than version 10.5.2 are vulnerable.


What is the Status of Coverage?

While the advisory is available to the public, details about the vulnerabilities have not yet been disclosed. Because of that, FortiGuard Labs will update this Threat Signal with protection information once sufficient information becomes available.


Any Suggested Mitigation?

The DIVD advisory offers the following mitigation:

Do not expose this service or the clients (running default on ports 80, 443, 1743, 1745) directly to the internet until Kaseya has patched these vulnerabilities.
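One way to check a host against this mitigation, as an added example that is not part of the DIVD advisory or of any Fortinet or Kaseya tooling: the script below reads `ss -H -tln` output and lists listeners on the four default ports that are bound beyond loopback. It assumes a Linux host where `ss` is available; the function names and the sample input are constructed for illustration, and a finding only means the port is reachable off-host, so the perimeter firewall still decides whether it is reachable from the internet.

```python
import ipaddress

# Default ports named in the DIVD mitigation.
UNITRENDS_PORTS = {80, 443, 1743, 1745}

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128       0.0.0.0:443      0.0.0.0:*
LISTEN 0 128     127.0.0.1:1745     0.0.0.0:*
LISTEN 0 128          [::]:1743        [::]:*
LISTEN 0 511             *:80             *:*
LISTEN 0 128  192.168.10.5:1745     0.0.0.0:*
LISTEN 0 128       0.0.0.0:22       0.0.0.0:*
LISTEN 0 128         [::1]:443         [::]:*
"""

def split_local(field):
    """Split an ss 'Local Address:Port' field into (address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
    return addr, int(port)

def classify(addr):
    """Return how widely a bind address is reachable."""
    if addr == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    return "all-interfaces" if ip.is_unspecified else "single-interface"

def audit_listeners(ss_output):
    """List (port, address, scope) for advisory ports bound off-loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        try:
            addr, port = split_local(cols[3])
            scope = classify(addr)
        except ValueError:
            continue  # unparseable address or port: skip the line
        if port in UNITRENDS_PORTS and scope != "loopback":
            findings.append((port, addr, scope))
    return sorted(findings)

if __name__ == "__main__":
    for port, addr, scope in audit_listeners(SAMPLE_SS):
        print(f"port {port} bound to {addr} ({scope}): confirm it is blocked at the perimeter")
```
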

Appendix

DIVD-2021-00014 - KASEYA UNITRENDS (The Dutch Institute for Vulnerability Disclosure)

Researchers warn of unpatched Kaseya Unitrends backup vulnerabilities (BleepingComputer)