Kaseya VSA services coming online after week-long outage

by Joseph K. Clark

The vast majority of users running the software-as-a-service (SaaS) version of Kaseya’s VSA endpoint and network management product should by now have had their services restored as the company recovers from the 2 July REvil ransomware attack. Kaseya released a patch for the vulnerabilities exploited by REvil to its on-premises customers slightly ahead of schedule on the afternoon of Sunday, 11 July, and began deploying it to its SaaS infrastructure.

As of early on the morning of Monday, 12 July, said Kaseya, the process was well in hand. In a statement, the company said: “The restoration of services is progressing, with 95% of our SaaS customers live and servers coming online for the rest of our customers in the coming hours. Our support teams are working with VSA On-Premises customers who have requested assistance with the patch.”

The patch, VSA 9.5.7a, fixes three disclosed common vulnerabilities and exposures (CVEs). These are CVE-2021-30116, a credential leakage and business logic flaw; CVE-2021-30119, a cross-site scripting vulnerability; and CVE-2021-30120, a two-factor authentication bypass.

It also fixes three separate issues: one where the Secure flag was not set on user portal session cookies, so the browser would also send them over plaintext HTTP; one where specific API responses contained a password hash, which could expose weak passwords to an offline brute-force attack; and one that could have allowed the unauthorized upload of files to the VSA server.
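A worked check for the first of those three issues, added here as an example and not code from Kaseya or the VSA patch: it parses Set-Cookie headers, reports any session cookie missing the Secure, HttpOnly or SameSite attributes, and shows a hardened Set-Cookie value beside the weak one. The cookie name "portalSession" and the sample response headers are constructed for illustration and are not VSA's real cookie names.

```python
"""Audit Set-Cookie headers for the Secure, HttpOnly and SameSite attributes.

Added example, not Kaseya's code: it shows the class of defect described
above (a portal session cookie issued without the Secure flag) next to a
hardened Set-Cookie value. The cookie name "portalSession" and the header
values below are constructed for illustration, not taken from VSA.
"""

# Attribute names (lower-cased) a session cookie should carry.
REQUIRED_ATTRS = ("secure", "httponly", "samesite")


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into (name, value, attributes).

    Attributes are keyed by lower-cased name; flag attributes such as
    Secure map to True, valued ones such as Path map to their string.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("not a cookie pair: %r" % header_value)
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value):
    """Return the required attributes missing from one Set-Cookie header.

    An empty list means the cookie carries Secure, HttpOnly and SameSite.
    """
    _, _, attrs = parse_set_cookie(header_value)
    return [a for a in REQUIRED_ATTRS if a not in attrs]


def audit_response(headers):
    """Audit every Set-Cookie header in a list of (name, value) tuples.

    Returns {cookie_name: [missing attribute, ...]} for cookies with findings.
    """
    report = {}
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        cookie_name, _, _ = parse_set_cookie(hvalue)
        missing = audit_set_cookie(hvalue)
        if missing:
            report[cookie_name] = missing
    return report


def hardened_session_cookie(name, value, max_age=1800):
    """Build a Set-Cookie value for a session cookie with all three attributes."""
    return "%s=%s; Path=/; Max-Age=%d; Secure; HttpOnly; SameSite=Strict" % (
        name, value, max_age)


# Constructed sample: a response whose session cookie lacks the Secure flag,
# alongside a non-sensitive cookie that is set correctly.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "portalSession=3f9c0b7e1d; Path=/; HttpOnly"),
    ("Set-Cookie", "uiTheme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for cookie, missing in audit_response(WEAK_HEADERS).items():
        print("%s: missing %s" % (cookie, ", ".join(missing)))
    print("hardened:", hardened_session_cookie("portalSession", "3f9c0b7e1d"))
```

The same audit can be run against a live portal by feeding it the raw response headers from a login request; a session cookie that reports "missing secure" is the defect described above, and the hardened builder shows the minimum set of attributes the fix should produce.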

A full breakdown of the patch, including additional instructions for on-premises users, more details of changes to authentication policy, agent packages and procedures, and some features that must remain temporarily unavailable pending further attention, can be found in Kaseya’s release notes for the patch.


Analysts at Huntress have confirmed that the proof-of-concept exploit fails against the patched application, so that attack vector appears to have been closed. However, on-premises users who powered off their servers should bear in mind that jobs queued before the shutdown, including any queued by the attackers to ransom further endpoints, may still run once those servers are back online. Users should therefore clear any pending jobs before reconnecting their servers.

Feature upgrades

Meanwhile, as Kaseya begins to move forward, the company faces allegations from former staff that it invited trouble by prioritizing product and feature upgrades over cyber security.

According to Bloomberg, which spoke to disaffected former employees, some quit out of frustration, while another, who says they provided the company’s leadership with a 40-page memo detailing problems with VSA, says they were fired a fortnight later.

Among the allegations are claims that Kaseya was using outdated code, failing to implement proper encryption, and not routinely patching its products. The employees also said that the REvil attack was not the first time ransomware gangs had exploited Kaseya products.

In a statement provided to Gizmodo, Kaseya said it was focused on its investigation and assisting customers affected by the attack, not on “random speculation”.
