U.S. technology firm Kaseya has released security patches to address two zero-day vulnerabilities affecting its Unitrends enterprise backup and continuity solution that could result in privilege escalation and authenticated remote code execution.
The two weaknesses are part of a trio of vulnerabilities discovered and reported by researchers at the Dutch Institute for Vulnerability Disclosure (DIVD) on July 3, 2021.
The IT infrastructure management solution provider has addressed the issues in server software version 10.5.5-2 released on August 12, DIVD said. An as-yet-undisclosed client-side vulnerability in Kaseya Unitrends remains unpatched, but the company has published firewall rules that can be applied to filter traffic to and from the client and mitigate any risk associated with the flaw. As an additional precaution, it’s recommended not to leave the servers accessible over the internet.
Although specifics related to the vulnerabilities are sparse, the shortcomings concern an authenticated remote code execution vulnerability as well as a privilege escalation flaw from read-only user to admin on Unitrends servers, both of which hinge on the possibility that an attacker has already gained an initial foothold on a target’s network, making them more difficult to exploit.
The disclosure comes close to two months after the company suffered a crippling ransomware strike on its VSA on-premises product, leading to the mysterious shutdown of REvil cybercrime syndicate in the following weeks. Kaseya has since shipped fixes for the zero-days that were exploited to gain access to the on-premise servers, and late last month, said it obtained a universal decryptor “to remediate customers impacted by the incident.”