
Kaseya Security Advisory

This advisory covers three separate vulnerabilities as follows:

Remote Privilege Escalation Vulnerability

CVE Identifier – CVE-2015-6922

Description:
A vulnerability exists that could enable a remote attacker to send a specially crafted message that bypasses authentication and grants administrative access to the Virtual Systems Administrator (VSA) product. Administrative access to the VSA in turn gives the attacker access to the machines managed by that VSA.

Severity and Impact:
Critical, Escalation of Privilege

Affected Products/Versions:
VSA Version 7.0.0.0 – 7.0.0.32
VSA Version 8.0.0.0 – 8.0.0.22
VSA Version 9.0.0.0 – 9.0.0.18
VSA Version 9.1.0.0 – 9.1.0.8
*Earlier versions are not affected

Solution:
For Kaseya SaaS customers, no action is required; our SaaS instances have already been patched.

For on-premises customers, apply the following patches:
V7 – Install patch 7.0.0.33
R8 – Install patch 8.0.0.23
R9 – Install patch 9.0.0.19
R9.1 – Install patch 9.1.0.9

Authenticated Remote File Upload Remote Code Execution Vulnerability

CVE Identifier – CVE-2015-6589

Description:
A vulnerability exists that could enable an authenticated VSA user to upload potentially malicious code to the VSA server and execute it there.

Severity and Impact:
Critical, Remote Code Execution

Affected Products/Versions:
VSA Version 7.0.0.0 – 7.0.0.32
VSA Version 8.0.0.0 – 8.0.0.22
VSA Version 9.0.0.0 – 9.0.0.18
VSA Version 9.1.0.0 – 9.1.0.8
*Earlier versions are not affected

Solution:
For Kaseya SaaS customers, no action is required; our SaaS instances have already been patched.

For on-premises customers, apply the following patches:
V7 – Install patch 7.0.0.33
R8 – Install patch 8.0.0.23
R9 – Install patch 9.0.0.19
R9.1 – Install patch 9.1.0.9

Remote File Upload Remote Code Execution Vulnerability

CVE Identifier – CVE-2015-6922

Description:
A vulnerability exists that could enable an unauthenticated attacker to upload potentially malicious code to the VSA server and execute it there.

Severity and Impact:
Critical, Remote Code Execution

Affected Products/Versions:
VSA Version 7.0.0.0 – 7.0.0.32
VSA Version 8.0.0.0 – 8.0.0.22
VSA Version 9.0.0.0 – 9.0.0.18
VSA Version 9.1.0.0 – 9.1.0.8
*Earlier versions are not affected

Solution:
For Kaseya SaaS customers, no action is required; our SaaS instances have already been patched.

For on-premises customers, apply the following patches:
V7 – Install patch 7.0.0.33
R8 – Install patch 8.0.0.23
R9 – Install patch 9.0.0.19
R9.1 – Install patch 9.1.0.9
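The affected ranges and patch levels listed above, turned into a version check an on-premises administrator can run over an inventory. This is example code added for this page, not Kaseya tooling; the host names and version strings in the sample inventory are constructed, and the check only knows the branches this advisory lists.

```python
"""Classify a reported VSA version against the ranges in this advisory.

Added example, not Kaseya's own tooling. The ranges and patch levels come
from the advisory text; the sample inventory at the bottom is constructed.
"""

# (branch label, first affected, last affected, fixing patch) as listed above
AFFECTED_RANGES = [
    ("V7",   "7.0.0.0", "7.0.0.32", "7.0.0.33"),
    ("R8",   "8.0.0.0", "8.0.0.22", "8.0.0.23"),
    ("R9",   "9.0.0.0", "9.0.0.18", "9.0.0.19"),
    ("R9.1", "9.1.0.0", "9.1.0.8",  "9.1.0.9"),
]


def parse_version(text):
    """Turn '9.1.0.10' into (9, 1, 0, 10) so each component compares numerically.
    A plain string compare ranks '9.1.0.10' below '9.1.0.8' and would report an
    already-patched server as still vulnerable."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-component VSA version: {text!r}")
    return tuple(int(p) for p in parts)


def check_vsa_version(text):
    """Return (status, required_patch).

    status is 'affected', 'patched', 'not affected' or 'not listed';
    required_patch is the patch level to install, or None."""
    version = parse_version(text)
    for _label, first, last, patch in AFFECTED_RANGES:
        lo, hi, fix = parse_version(first), parse_version(last), parse_version(patch)
        if lo <= version <= hi:
            return ("affected", patch)
        # Same major.minor branch and at or above the fixing patch level
        if version[:2] == lo[:2] and version >= fix:
            return ("patched", None)
    if version < parse_version("7.0.0.0"):
        return ("not affected", None)   # advisory: earlier versions are not affected
    return ("not listed", None)         # a branch this advisory does not cover


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> VSA version reported by the server
    inventory = {"vsa-01": "9.1.0.8", "vsa-02": "9.1.0.10", "vsa-03": "6.5.0.0"}
    for host, ver in inventory.items():
        status, patch = check_vsa_version(ver)
        print(f"{host} {ver}: {status}" + (f", install {patch}" if patch else ""))
```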


Kaseya would like to thank Pedro Ribeiro of Agile Information Security, working with HP's Zero Day Initiative, for discovering these vulnerabilities and for his cooperation during the disclosure process.
