A recent vulnerability called "POODLE" (Padding Oracle On Downgraded Legacy Encryption) was published (CVE-2014-3566) describing how an attacker could exploit a weakness in the SSLv3 protocol. This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to any vendor or product. Kaseya products implements TLS v1.2, TLS v1.1, TLS v1.0 and SSLv3, and thus, is affected. Kaseya is not aware of attacks that use the reported vulnerability at this time and given the complexity of the attack scenario, the current risk of exploitation is not considered high.
Please see the following links for publicly disclosed details on the vulnerability:
The generally accepted industry remediation for this vulnerability is to remove SSLv3 support from web servers. The vast majority of clients no longer require SSLv3. However, some legacy web browsers that only support SSLv3, such as Windows XP running IE6, will no longer be able to communicate with Kaseya products (or any website that disables SSLv3 to resolve this vulnerability).
Kaseya has reviewed our product offerings in relation to the vulnerability as follows:
Kaseya Virtual Systems Administrator (VSA)
VSA SaaS Environment:
The Kaseya VSA SaaS environment has been patched to resolve the POODLE SSLv3 Vulnerability (CVE-2014-2566).
VSA On-Premises Installations:
Version 7 - Patch 188.8.131.52 has been released to resolve this vulnerability. See the release notes at: http://help.kaseya.com/webhelp/EN/RN/index.asp#30797.htm
Version R8 - Patch 184.108.40.206 has been released to resolve this vulnerability. See the release notes at: http://help.kaseya.com/webhelp/EN/RN/index.asp#30795.htm
Version 6.5.x and earlier - If SSL was used for these releases, the SSL Protocol support was provided by the Windows Operating System. To disable SSLv3 on Windows, Microsoft has provided an advisory in regards to this which you can read on TechNet here or follow the instructions below:
- Click Start, click Run, type regedt32 or type regedit, and then click OK.
- In Registry Editor, locate the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 3.0\Server
Note: If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
- On the Edit menu, click Add Value.
- In the Data Type list, click DWORD.
- In the Value Name box, type Enabled, and then click OK.
Note: If this value is present, double-click the value to edit its current value.
- Type 00000000 in Binary Editor to set the value of the new key equal to "0".
- Click OK. Restart the computer.
Kaseya - Scorpion Software AuthAnvil
Please click here to read advisory.
For on-premises customers running Traverse Version 5.6 or 7.0, an update to resolve this vulnerability can be downloaded (select the appropriate package for the BVE, DGE and/or DGE extensions) from the links below. To install, stop all running Traverse Services and run the installer to complete the upgrade.
Version 5.6 - Download here
For SaaS Traverse customers, we will be upgrading our environment shortly and will update this site as soon as the schedule is finalized.
The 365 Command environment has been updated to to resolve the POODLE SSLv3 Vulnerability (CVE-2014-2566).
Kaseya BYOD Suite
All relay and provisioning environments have been updated to resolve the POODLE SSLv3 Vulnerability (CVE-2014-2566).
Kaseya is investigating the Gateway component and will update this site when the review is complete.
Kaseya KNM Standalone
An update has been released to resolve the POODLE SSLv3 Vulnerability (CVE-2014-2566). It can be downloaded at the following link: http://download.kaseya.com/components/knm/knmsetup.exe