The VSA 9.5.7e (18.104.22.16898) release includes enhancements and fixes described in the topics below. For minimum system and agent requirements, see these topics in the Kaseya R95 System Requirements Guide: Kaseya Server Minimum Requirements & Configuration and Agent Minimum Requirements.
This release requires agent version 22.214.171.124. Be sure to update your Windows, Mac, and Linux agents after installing this release.
- Scaled SaaS deployment – Saturday, August 28th, 7am EST
- General Availability (on-prem customers) - Tuesday, August 31st, 8pm EST
- Full SaaS deployment – Saturday, September 4th, 7am EST
Note: SaaS customers will be informed of their maintenance window via https://status.kaseya.net.
Dates are subject to change at short notice. On-prem customers are advised to check this page again prior to attempting an upgrade.
Important Security Updates
*Updated August 31*
This release contains important security updates. We recommend on-premises customers update to this release as soon as possible (No action is required for SaaS customers as updates are automatically applied).
VSA Windows Agent Local Privilege Escalation
Severity: High (CVSS 7.8)
Summary: If a malicious actor had control of the endpoint with the ability to replace files that were written with an agent procedure, and the file was not placed in the system working directory on the agent endpoint (which is restricted to users with system permissions), privilege escalation was possible by overwriting files downloaded to the Kaseya agent into folders without sufficient ACL permissions (i.e. outside of the agent’s system working directory), those files could be run as SYSTEM. This vulnerability has been patched by performing an additional file integrity check after the file has been transferred, and some enhancements to the Agent Procedure editor to encourage the use of secure folders when creating procedures (details in Enhancements section below).
Remote Code Execution
Severity: Medium (CVSS 5.5)
Summary: A server executable allowed remote code execution if combined with unauthorized database access. The executable has now been removed. This vulnerability required the attacker to have achieved unauthorized access to the database.
User Portal: Home Page and Ticketing
This release contains fixes required to support the re-introduced User Portal functionality for On-Prem customers.
End users on machines with the VSA agent can access the portal in the same way they could prior to 9.5.7a, using the Agent Contact Administrator menu (double-click on the system tray icon).
Note – User Portal requires agent machines to have access to the VSA server on port 443. Please read this KB article for further information.
In this release, the User Portal provides the following functionality: -
- The home page displaying Machine ID and basic system information (the ability to create Custom Links will be restored in a later release)
- Ticket interface with the following ticket platforms: -
- VSA Service Desk (including automation tasks providing integration with 3rd party PSA’s via MSP Assist plugin)
- NextGen Ticketing / BMS.
The updated Ticketing interface provides the following functionality: -
- Create ticket
- Edit / Change ticket:
- Add Note
- Add Attachment
- Close ticket
- View Active or Closed tickets.
The following User Portal issues will be addressed in a future release: -
- User Portal does not load if the Service Desk module is not installed, even if the ticketing platform is NextGen Ticketing / BMS.
- Agent Menu redirect to Custom URL is not working. Customers that previously used this configuration to interface with BMS are recommended to use VSA User Portal instead.
- Changed display order for value type in getVariable() command so that "Secure Agent Working Directory Path" appears just before "Agent Working Directory Path".
- Added new SQL View Data variable called #vAgentConfiguration.agentTempSecureDir# which resolves to the System sub-directory of the agent working directory.
When selecting source file in writeFile() statement properties, the destination file path now defaults to #vAgentConfiguration.agentTempSecureDir#\[fileName] - where [filename] matches selected source file name.
- Disabled VSA user direct login by configuring an external identity provider to improve security posture. Added 2FA at an external SSO provider to ensure that the VSA users are not able to bypass this requirement by logging in directly.
- The maximum password change interval has been increased from 30 to 90 days. To change the interval, go to System > Server Management > Logon Policy page and enter a new value in the "Require password change every N days" box.
- Updated Automation Exchange icon in the taskbar to use current site links.
- Added a new field to System > Server Management > Configure page called "Change agent check-in name / IP address". A DNS name or IP address can be entered here if the default check-in address for new agents needs to be different from the webserver address specified in the "Change external name / IP address of Server" field.
- Fixed an issue where macOS agent installer crashes on machines running Big Sur when launched by double-clicking on the installer package.
- Fixed an issue where the legacy Uptime report failed to render.
- Fixed an issue with importing Monitor Sets, where an error would be displayed after pasting XML content.
- Fixed an issue where most menu items under the Authanvil module were missing after installing a VSA patch.
- Fixed an issue where customers can bypass two-factor authentication for an endpoint machine if they search the machine and try accessing it by clicking the agent icon.
- Fixed an issue where the attachment in the ticket was either corrupted or not getting attached at all.
- Fixed an issue where ticket changes made through User Portal were not evaluated correctly when executing Ticket Change Procedures, for example when using IF testIncidentProperty() statement.
- Fixed an issue where the Ticket Change Procedure was not executed if the Ticket status was changed via the REST API or using the User Portal Ticket interface.
- Fixed a Windows patch detection issue when using a Scan & Analysis profile with Kaseya Update 2.0 as Patch Strategy.
- Fixed an issue where Patch Scan would not detect required Service Stack Update (SSU) as missing on some machines, which would, in turn, prevent detection and deployment of other missing patches.
- Fixed an issue where import of XML content using System > Server Management > Import Center would fail in some environments. Note - for this fix to be effective, the data may need to be exported from the source system again or converted to the new format using this utility.
- Fixed an issue where User Portal would sometimes display "session is invalid" error when double-clicking on agent icon.
- User Portal will now display the Ticket menu only if BMS ticketing or Service Desk is configured on VSA. If the Service Desk is configured, the agent machine and default desk must belong to the Anonymous scope.
- Fixed an issue where incorrect times would be shown in Created and Last Updated columns of ticket grid.
- Fixed an issue where files attached to BMS tickets could not be downloaded from the User Portal ticket interface.
- Fixed an issue where the description field was not displayed in the User Portal ticket interface, and the ticket could not be submitted, on an agent running macOS with Safari as the default browser.
- Fixed an issue where the User Portal was not loaded on a SaaS agent machine because it was not directing to the correct web server address.
VSA Core Architecture
- Fixed a performance issue where repeatedly loading the login page could degrade system performance.