CVE-2021-30116

Name of the Vulnerable Software and Affected Versions Kaseya VSA versions prior to 9.5.7

Description The issue concerns a credential disclosure problem in Kaseya VSA, which was exploited in the wild in July 2021. By default, Kaseya VSA on-premise offers a download page at the URL https://x.x.x.x/dl.asp, where clients for installation can be downloaded. When an attacker downloads a client for Windows and installs it, a file named KaseyaD.ini is generated, containing an Agent Guid and AgentPassword. These credentials can be used to log in on dl.asp and obtain a sessionId cookie, which can be used in subsequent attacks to bypass authentication. The vulnerability allows an attacker to penetrate the Kaseya installation and its clients. Approximately 1,500 devices were impacted by this issue.

Recommendations For versions prior to 9.5.7, update to version 9.5.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the dl.asp page to minimize the risk of exploitation. Avoid using the Agent Guid and AgentPassword credentials in the affected API endpoint until the issue is resolved. Restrict access to the KaseyaD.ini file to prevent attackers from obtaining sensitive information.