Important Information Regarding Patch Installation for On Premise customers
Once you have installed the patch, please download and run the validation tool located here. This tool will validate whether the latest patch was properly applied and report the results. The report should indicate that the patch was successfully applied.
Also, if you have already installed the patch, and subsequently performed a re-installation, please run the validation tool located here. If the tool does not report a successful patch, be sure to follow the steps below and immediately perform an additional patch installation.Note that once the 9.5.7a patch has been installed, if there is any need to perform a re-installation, it is important that you pay attention to the following five steps when running the installer (this also pertains if an installation attempt was disrupted):
- Download and run the installer.
At “Kaseya VSA Install Options” be sure to select the FIRST option “Install addons only. Do not upgrade VSA.”
When reviewing the itemized list of modules, be certain that the 9.5.7 Kaseya Patch Process is SELECTED – even if you have already installed the patch previously.
- Also, you may be required to select modules listed in the release notes as being disabled, this is okay as the patch process will make the required changes to remove them.
- At this point, you can proceed through the installation.
The VSA 9.5.7a (188.8.131.5294) release includes enhancements and fixes described in the topics below. For minimum system and agent requirements, see these topics in the Kaseya R95 System Requirements Guide: Kaseya Server Minimum Requirements & Configuration and Agent Minimum Requirements.
Critical Security Updates & Information
- Please follow the instructions in the “On-Premises VSA Startup Readiness Guide” referenced here, PRIOR TO deploying the VSA 9.5.7a Release
- Please review the VSA On-Premises Hardening and Best Practice Guide referenced here, PRIOR TO deploying the VSA 9.5.7a Release
- Please follow the instructions in the “VSA SaaS Startup Guide” referenced here, once your SaaS instance is available after the VSA 9.5.7a Release has been applied.
- Please review the VSA SaaS Security Best Practices Guide referenced here, once your SaaS instance is available.
Fixed security vulnerabilities related to the incident referenced here and made other updates to improve the overall security of the product.
Following is a detailed list of vulnerability reference disclosures addressed in this release:
- Credentials leak and business logic flaw: CVE-2021-30116
- Cross-Site Scripting vulnerability: CVE-2021-30119
- 2FA bypass: CVE-2021-30120
- Fixed an issue where the secure flag was not being used for User Portal session cookies.
- Fixed an issue where certain API responses would contain a password hash, potentially exposing any weak passwords to brute force attack. The password value is now masked completely.
- Fixed a vulnerability that could allow the unauthorized upload of files to the VSA server.
Following is a list of recently disclosed vulnerabilities that were fixed in previous VSA Releases:
Fixed in VSA 9.5.5:
- Remote Code Execution vulnerability: CVE-2021-30118
- Fixed in VSA 9.5.6:
***THIS RELEASE WILL FORCE ALL USERS TO CHANGE THEIR PASSWORD UPON LOGIN.***
After installing this patch, all users will be re-directed to the System > User Settings > Change Logon page, where they will be required to change their password. The page has been updated with the new password requirements.
All VSA users must use a strong password. The following changes have been made to System > Server Management > Logon Policy:
- Require password change cannot be more than 30 days
- Enforce minimum password length cannot be less than 16 characters
- Prohibit password reuse cannot be less than 5 passwords
- All complexity rules are now enforced by the system
It is no longer possible to download an agent installation package without authentication to VSA. This will impact some legitimate use cases where an agent is deployed to end-users by providing a download link, such as when using Live Connect on-Demand to provide ad-hoc remote support. The ability to deploy agents to legitimate external users will be restored in a future release. More details will be available in the near future.
It is no longer possible to disable Agent Procedure signing and approval. All agent procedures created or edited by a user who is not in Master or System role must now be approved by a second user. For further detail, please refer to the help topic linked here.
VSA REST API
In VSA release 9.5.7a, some API endpoints have been temporarily disabled. Out of an abundance of caution, these API calls are being redesigned for the highest level of security. Individual functions will be restored in later releases this year.
Migrations and Temporary Unavailability of some Functionality
We have advanced the release of some new capabilities in VSA. The corresponding legacy VSA functionality has been removed from this release to improve the usability and security of the platform.
User Portal and Portal Access
The User Portal page, previously accessible using the Contact Administrator from Agent system tray icon, has been removed from the product but will be replaced in a future release. Additionally, machine-based accounts created from Agent > Configure Agents > Portal Access accounts will no longer be able to log into VSA.
The ability for end-users to submit tickets directly from an endpoint, and to remote control the endpoint from another location, is temporarily unavailable and will be restored in a future release.
We will provide a short-term solution for end-users to access alternate portals for either BMS and VSA Service Desk in a subsequent release. More details will be available via a KB article in the near future.
For the immediate term, end-users should submit tickets directly from email, or by using the BMS User Portal, or Service Desk Login through the main VSA interface.
This module has been replaced with an advanced ticketing capability that is derived from the ticketing and service desk function within our BMS product. This was planned for later in 2021, but we are releasing it early as part of this security-focused update.
The Classic Ticketing capabilities are removed from the product, except for these functions: -
- Migrate Tickets – this can be used to migrate tickets to a Service Desk. For more information, please review the help topic.
- Email Reader – allows access to configuration and log. Email reader will be disabled on the installation of the patch to prevent any further tickets from being read into the system.
All existing ticket data will be retained in the database.
To initiate the process of enabling the VSA NextGen Ticketing module, you can submit a request either through our portal at helpdesk.kaseya.com or via email at firstname.lastname@example.org. Please include in the subject line “Kaseya Classic Ticketing Migration”. If you are also using Service Billing and/or Time Tracking – please include that in the body of the email as well.
Customers should migrate to the most current version of Remote Control. All past-generation remote control connection types have been removed from the product. All functions have been removed from the Remote Control tab, except for the following, which will remain:
- Reset Password
- User Role Policy
- Machine Role Policy
On the System > Server Management > Default Settings page, the “Use new Live Connect when clicking the Live Connect button in Quickview” option has been set to Yes and cannot be changed.
All remote control sessions started from the agent status icon or Quickview will now use the latest generation of Remote Control functionality in Live Connect.
Live Connect (classic)
Customers should migrate to the most current version of LiveConnect. The past-generation “classic” (browser plug-in-based) version of Live Connect has been removed from the product.
On the System > Server Management > Default Settings page, the “Replace KRC with RC in KLC to allow you to enforce all screen sessions getting recorded” option has been set to Yes and cannot be changed.
All Live Connect sessions will now use the latest generation of the Live Connect application.
Desktop Management (KDPM)
This module’s primary use case was enabling migration from Windows XP to Windows 7. This use case is no longer relevant and the module has been removed from the product.
The following duplicative function has been removed from the product: -
- Distribute File
More comprehensive, secure, and capable options for this functionality are available in the current release of VSA. A video demonstrating how to perform this task with currently available capabilities will be available in a future KB article.
Some past-generation dashboard functionality has been removed:
The Info Center > Dashboard > Management Dashboard page has a more modern dashboard.
Mobility (EMM and MDM)
These modules have been removed from the product. They are being superseded by next-generation Mobile Device Management capabilities which are planned for a future release.
All customer data has been retained.
This module has been replaced as part of the advanced next-generation VSA NextGen Ticketing capability that is derived from the ticketing and service desk function within our BMS product. This was planned for later in 2021, but we are releasing it early as part of this security-focused update.
Service Billing requires the new next-generation VSA NextGen Ticketing module to be enabled. To obtain it, you can submit a request either through our portal at helpdesk.kaseya.com or via email at email@example.com. Please include in the subject line “Kaseya Classic Ticketing Migration”. Please include in the body of the email that you are also using the Service Billing capability.
All customer data has been retained.
This module has been replaced as part of the advanced next-generation VSA NextGen Ticketing module that is derived from the ticketing and service desk function within our BMS product. This was planned for later in 2021, but we are releasing it early as part of this security-focused update. This module has been removed from the product, except for these functions: -
- Time Tracking > Timesheet History (Summary)
- Time Tracking > Timesheet History (Details)
Time tracking requires the new next-generation VSA NextGen Ticketing module to be enabled. To obtain it, you can submit a request either through our portal at helpdesk.kaseya.com or via email at firstname.lastname@example.org. Please include in the subject line “Kaseya Classic Ticketing Migration”. Please include in the body of the email that you are also using the Time Tracking capability.
All customer data has been retained.
VSA SOAP API
This has been replaced with a hardened REST API. A notice of deprecation was published in June 2020 and this capability was planned to be removed in November 2020.
Classic User Interface
A notice of deprecation was published in June 2019 and this capability was planned to be removed in August 2019. This has now been completed.
This release introduces some functional defects that will be corrected in a future release. They will be listed here prior to release.
The following pages do not display agent machines:
- Agent > Templates > Rename, Delete, Change Group and Set Credential
- Agent > Configure Agents > Check-in-Control – page displays some HTML elements and a Whoops error.
- Error with importing procedures through Agent Procedure > Manage Procedures > Schedule/Create page - “The file to import could not be located and there is no text to import”.
The following pages fail to load:
Agent Procedures >Manage Procedures > Distribution
- Agent Procedures > Installer Wizards > Patch Deploy
- Agent Procedures > Installer Wizards > Application Deploy
- Agent Procedure > File Transfer > Get File
- Agent Procedures >Manage Procedures > Distribution
- Audit > View Individual Data > Machine Summary - "Remote Control" tab still shows UI elements from deprecated Remote Control technology. This tab is no longer relevant and will be removed in a future release.
- All references to User Portal functionalities within the Discovery module will be removed, in a future release, as part of deprecating the Kaseya User Portal page.
- Quick View for a device on Discovery > Summary Discovered Devices page fails to load.
- When the “Record all shared remote control session” option is applied through User Role Policy, but not Machine Policy, screen recording is not initiated when starting RC session.
- The Service Desk > Desk Configuration > Desk Definition > Import functionality may fail to import the Template.
An error may appear while navigating from the Ticketing module in Live Connect.
- It may not be possible to add or view Service Desk tickets directly in Live Connect.
Remote Control: Disable End-user Peripherals
In this release, we added new functionality for a VSA admin to control certain end-user inputs so that the VSA admin can work on the remote device without disruption by an end-user. This is especially useful when working with devices where the VSA admin may not have direct contact with an end-user and needs to prevent the end-user from interacting with the device while the remote session is in progress.
Feature to lockout keyboard and mouse from being able to be used by End-User.
- A new toolbar item is added to Remote Control Windows ‘Block End-User Input’.
- The feature is currently limited to Windows (Implemented for Windows VSA Agent only).
- If the end-user clicks Control+Alt+Delete, the End-User will regain control automatically.
If ‘Block End-User Input’ is enabled and the remote session is closed, the End-User will regain control automatically.
- Removed menu Items from the Remote-Control toolbar if the feature is not supported for a given VSA Agent type (Eg: if a feature is not supported for macOS Agents we will not show the menu item for the feature).
End-User Input is not disabled
UI state (RC window) when Remote Control is initiated.
End-User Input is disabled
UI state (RC window) when we click on 'Block End-User Input.'
Remote Control window for a VSA macOS Agent (we do not display the menu icon for features that are not supported/implemented for the macOS Agent)
The ”Show Mouse” and ”Block End-User Input" features are not displayed for macOS as they are currently unsupported.
Live Connect: 1-Click Windows Security Enhancements
In this release 1-Click activity will now be audited such that when a technician acts on any of the prompts, the actions will be captured and available in the VSA Remote Control log.
During 1-Click sessions and Private Sessions, we present the following dialogue to allow for permanent or temporary configuration changes of RDP (Remote Desktop Protocol) and NLA. With this enhancement, the details of these changes are captured in the VSA Remote Control log:
NLA/RDP setting response dialogue.
There are three primary enhancements:
- VSA will log technician responses to the prompts presented in the Remote-Control Window along with information about what configuration changes will be made to the endpoint, if any.
- There are new fields in the Technician, Remote Control Log so that we can capture more information about File Transfer activities in the future.
- The type of authentication will be logged, whether Native 1-Click was used, or a specific credential from the integrated list of IT Glue credentials.
Change in File Transfer Logging
- Change in Remote Control Log Table
- Removed Activity column.
- The detail of the message column is changed from x Files/Folder (s) Transferred to x Events Recorded.
Figure 2: Old view of Remote-Control Log table
Figure 3: New View of Remote-Control Log table
- Change in Log Details table.
- Removed the columns: File/Folder Name, Direction of Transfer, Result columns from this UI.
- Added Event Type column. The value on this column can:
- File Transfer
- ConfigChange and
- Added Message column.
For File Transfer Event Type Message format:
- For File Transfer Event Type Message format:
<file name> was <Download/Uploaded> <Successfully/but failed>
AspNetSomething.exe was Downloaded Successfully.
Abc.exe was Uploaded but Failed.
For ConfigChange Event Type, Message Format:
- For ConfigChange Event Type, Message Format:
<vsa-admin-name> <Temporarily/Permanently> < Disabled/Enabled> <NLA/RDP>
Administrator Permanently Disabled NLA.
Administrator Temporarily Disabled NLA.
For 1-ClickLogin Event Type Message format:
- For 1-ClickLogin Event Type Message format:
Authentication was performed using <Native 1-Click/ IT GLUE <it-glue account name>>
Authentication was performed using Native 1-Click
Authentication was performed using IT GLUE Test_Account
Old view of Remote-Control Log Detail table
New view of Remote-Control Log Detail table
- We are happy to share that our support for 'Organizations' within the VSA data model will continue to grow. We know that this will give you the freedom you need to review environments the way you want. As a part of this direction, we've added an organization filter to both the Discovered Devices and Topology Map.
- In anticipation of some upcoming, exciting changes to the Discovery module we've moved the Topology Map to a more central location. It can now be found within Discovery > Summary > Topology Map.
- SNMP plays a large role in monitoring; you know it and so do we. In this spirit, we've enhanced our existing SNMP implementation to make it even more reliable so you can trust it to provide the visibility you need.
- In this release, we are introducing Personal Access Tokens for VSA Users. They are used to access specific VSA APIs. The first API to support such tokens is the Data Warehouse API. To create the new token, go to the System > User Security > Users, then select a user and choose the Tokens tab to manage tokens for a given user.
- Added a new data set called "Agent Procedure Logs including archived" which is the same as the existing "Agent Procedure Logs" data set, but includes archived log entries. This data set is useful for reports that need to include sub-steps older than 3 days.
- Data Warehouse API :
- A set of endpoints to query data from Info Center's Antivirus data sets.
- A set of endpoints to query data from Info Center's Anti-Malware datasets.
- A set of endpoints to query data from Info Center's Agent Procedures datasets.
- A set of endpoints to query data from Info Centre’s Service Desk datasets.
- A set of endpoints to query data from Info Centre’s Ticketing datasets.
- A set of endpoints to query data from Info Centre’s Discovery Data Sets.
- A set of endpoints to query data from Info Center's Software Management datasets.
- A set of endpoints to query data from Info Center's Monitoring datasets.
- A set of endpoints to query data from Info Center's Patch datasets.
Added additional free text search filters for Source Name, Description, and Event ID columns in the Event Log viewer. To activate the filter, enter the required text in the filter box and press Enter. In the example below, only events with ID containing “916” are displayed.
- When connecting to an endpoint with Private Remote Control or 1-click session, a VSA admin can now temporarily override GPO enforced Network Level Authentication (NLA) settings to facilitate the connection. The ability to permanently override will not be available. The configuration will be reverted to its original state at the end of the session.
Auth Anvil (Passly) Integration
- Fixed an issue where the Configure Auth Anvil Settings page displayed an error after applying the initial setup.
- Fixed an issue where discovered machines/assets in the VSA were not pulling into BMS.
- Fixed an issue where a customer was unable to scan devices in a desirable range of IP (Internet Protocol) addresses.
- Fixed an issue where deploying agents fail if the password contains DOS special characters.
- Fixed an issue where a customer was unable to deploy agents.
- In this version, an appropriate image is shown on the topology map for the virtual switch in case the discovery scan was performed with VMware or WMI (Windows Management Instrumentation) credentials specified.
- Fixed an issue where legacy Ticketing reports would fail to render.
- Fixed an issue where Service Desk tickets would not auto close when the associated device exits alarm condition.
- Fixed an issue where users were not able to submit tickets through the legacy Ticketing portal.
Fixed an issue where the monthly schedules were incorrect when the distribution window runs into the following day.
- NOTE: Monthly schedules should be reapplied on endpoints (via policy management and/or locally in the module)
- Fixed an exception error when suppressing patches if a filter was applied.
- Fixed an issue where Live Connect on Demand failed to send an email containing a link to the temporary agent installation package.
- Fixed an issue where the Remote Control session would not request user permission again after VSA admin ends a session and then re-connects to the same machine, while the Live Connect session is still active.
- Fixed an issue where the VSA admin could not see the end-user mouse cursor in the Remote Control session on a macOS agent.
- Fixed an issue where a combination of single and double quote characters caused truncation of ticket summary.
- Fixed an issue where the secure flag was not being used for User Portal session cookies.
- Fixed an issue where icons would not be displayed in the left navigation bar for certain third-party integration (TAP) modules.