Threat Signal Report

Multiple Unpatched Kaseya Unitrends Backup Vulnerabilities Disclosed

Description

FortiGuard Labs is aware of a public advisory released by the Dutch Institute for Vulnerability Disclosure (DIVD) that warns about multiple unpatched vulnerabilities in Kaseya Unitrends Backup products. Kaseya Unitrends is a cloud-based enterprise backup and disaster recovery technology that can be deployed as a stand-alone solution or as an add-on for the Kaseya VSA platform. Reportedly, the unpatched vulnerabilities enable a mixture of remote code execution and authenticated privilege escalation on the client side.


When were the Vulnerabilities Discovered?

According to the DIVD advisory, the vulnerabilities were discovered on July 2nd, 2021.


When was the Vendor Notified of the Vulnerabilities?

The DIVD advisory states the vendor was notified on July 3rd, 2021.


How Serious of an Issue is This?

MEDIUM/HIGH. Several public reports indicate that the vulnerabilities enable a mixture of remote code execution and authenticated privilege escalation on the client side. Also, the vendor has not released applicable patches yet. According to BleepingComputer (who was in direct contact with Victor Gevers, one of the researchers who discovered the vulnerabilities), "the amount of vulnerable instances is low, but they have been found in sensitive industries".


Are the Vulnerabilities being Exploited in the Wild?

At the time of this writing, FortiGuard Labs is not aware of the vulnerabilities being exploited in the wild. FortiGuard Labs is monitoring the situation and will provide updates when the situation changes.


Has the Vendor Released an Advisory?

No, the vendor has not released an advisory on the vulnerabilities.


Which Versions of Kaseya Unitrends Backup Products are Vulnerable?

Kaseya Unitrends Backup versions earlier than 10.5.2 are vulnerable.


What is the Status of Coverage?

While the advisory is available to the public, technical details of the vulnerabilities have not yet been disclosed. Because of that, FortiGuard Labs will update this Threat Signal with protection information once sufficient information becomes available.


Any Suggested Mitigation?

The DIVD advisory offers the following mitigation:

Do not expose this service or the clients (running default on ports 80, 443, 1743, 1745) directly to the internet until Kaseya has patched these vulnerabilities.
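The two actionable facts on this page are the affected version range (earlier than 10.5.2) and the default ports the DIVD mitigation says should not face the internet (80, 443, 1743, 1745). The script below is an added example, not code from FortiGuard Labs, DIVD or Kaseya: it takes an inventory you already hold (a version string, whether the host is reachable from the internet according to your edge firewall or NAT records, and the host's `ss -ltn` listener table) and ranks hosts by whether they are both on a vulnerable version and exposing one of those ports. The inventory records, host names and `ss` rows are constructed for the example; the rule that a listener on an internet-facing host is reachable unless it is bound to loopback is an assumption stated in the code.

```python
"""Triage helper for DIVD-2021-00014 (Kaseya Unitrends Backup).

Added example, not code from FortiGuard Labs, DIVD or Kaseya. It reports which
inventoried hosts run a version earlier than 10.5.2 AND expose one of the default
ports 80, 443, 1743, 1745, i.e. the hosts the DIVD mitigation applies to.
"""
import re

FIXED_VERSION = (10, 5, 2)              # report: versions earlier than 10.5.2 are vulnerable
DEFAULT_PORTS = {80, 443, 1743, 1745}   # default service/client ports named by DIVD
LOOPBACK_BINDS = {"127.0.0.1", "::1"}


def parse_version(text):
    """'10.5.1-3' -> (10, 5, 1). Numeric tuples avoid the string-compare trap
    where '10.5.10' sorts before '10.5.2'. A missing patch level counts as 0."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_version(text):
    return parse_version(text) < FIXED_VERSION


def parse_listeners(ss_output):
    """Yield (bind_address, port) for each LISTEN row of `ss -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # header or non-listening row
        addr, _, port = fields[3].rpartition(":")
        yield addr.strip("[]"), int(port)  # ss prints IPv6 binds as [::]:1745


def exposed_ports(ss_output, internet_facing):
    """Default Unitrends ports reachable from the internet.

    Assumption: `internet_facing` comes from your edge firewall/NAT inventory.
    A socket on such a host is treated as reachable unless bound to loopback;
    wildcard binds (0.0.0.0, ::) and private-address binds behind NAT both count."""
    if not internet_facing:
        return set()
    return {port for addr, port in parse_listeners(ss_output)
            if port in DEFAULT_PORTS and addr not in LOOPBACK_BINDS}


def triage(inventory):
    """inventory: list of dicts with name, version, internet_facing, ss_ltn.
    Returns findings with the hosts needing immediate edge blocking first."""
    findings = []
    for host in inventory:
        vuln = is_vulnerable_version(host["version"])
        exposed = exposed_ports(host["ss_ltn"], host["internet_facing"])
        if vuln and exposed:
            action = "BLOCK: restrict ports %s at the edge until patched" % sorted(exposed)
        elif vuln:
            action = "PATCH when 10.5.2 or later is available; not internet-exposed"
        else:
            action = "OK: at or above 10.5.2"
        findings.append({"name": host["name"], "version": host["version"],
                         "vulnerable": vuln, "exposed": sorted(exposed), "action": action})
    findings.sort(key=lambda f: (not (f["vulnerable"] and f["exposed"]),
                                 not f["vulnerable"], f["name"]))
    return findings


# Constructed sample data (not real hosts); the ss rows use the real `ss -ltn` layout.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    127.0.0.1:1743      0.0.0.0:*
LISTEN 0      128    [::]:1745           [::]:*
LISTEN 0      128    10.0.0.5:80         0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""
SAMPLE_INVENTORY = [
    {"name": "ub-dmz-01", "version": "10.5.1-3", "internet_facing": True, "ss_ltn": SAMPLE_SS},
    {"name": "ub-lan-02", "version": "10.4.9", "internet_facing": False, "ss_ltn": SAMPLE_SS},
    {"name": "ub-dmz-03", "version": "10.5.10", "internet_facing": True, "ss_ltn": SAMPLE_SS},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['name']:<10} {f['version']:<9} exposed={f['exposed']} -> {f['action']}")
```

Port 1743 bound to 127.0.0.1 is correctly left out of the exposed set, while the IPv6 wildcard bind on 1745 is caught; if your Unitrends hosts sit behind a reverse proxy or NAT, feed the proxy's listener table as well, since the bind address on the appliance alone does not tell you what the edge forwards.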

Appendix

DIVD-2021-00014 - KASEYA UNITRENDS (The Dutch Institute for Vulnerability Disclosure)

Researchers warn of unpatched Kaseya Unitrends backup vulnerabilities (BleepingComputer)



Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.