Following the recent REvil ransomware attack on Kaseya’s systems, the software vendor released critical security updates this Sunday to patch the security flaws in its Virtual System Administrator (VSA) solution. According to reports, the VSA served as the entry point for attacks on nearly 1500 businesses around the world.
When the incident happened, the Florida-based company immediately asked its on-premise VSA customers to shut down their servers until a fix was released. Now, nearly two weeks later, Kaseya has released VSA version 9.5.7a (18.104.22.16894), which provides security patches for three critical vulnerabilities:
- CVE-2021-30116 – Credential leak and business logic flaw.
- CVE-2021-30119 – Cross-site scripting vulnerability.
- CVE-2021-30120 – Two-factor authentication bypass.
Aside from the three vulnerabilities listed above, the new VSA 9.5.7a (22.214.171.12494) release also patches a vulnerability that exposed weak password hashes to brute-force attacks, as well as another flaw that may have allowed unauthorized upload of files to the VSA server.
Kaseya’s customers should note that installing the patch will require every VSA user to change their password after logging in. The company also notes that the new version ships with some functional defects that will be addressed in the future, and that some functions have been replaced with improved alternatives.
To further increase security, Kaseya recommends not only installing the latest version, but also blocking inbound traffic to port 443 on the internet firewall, so that the VSA Web GUI is not exposed to attacks from the internet.
According to Kaseya’s advisory, service restoration is proceeding on schedule, with the company’s SaaS customers coming back online and the remaining customers’ servers being brought online according to plan.
Ransomware affiliates have exploited Kaseya’s products to launch attacks before, and this incident marks the third such attack. You can read more details about the latest incident here.