10 CVE-2021-30116
CISA Kev Catalog Local Execution Code Used by Malware Used by Ransomware Exploit
Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:Program Files (x86)KaseyaXXXXXXXXXXKaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.
https://nvd.nist.gov/vuln/detail/CVE-2021-30116
Categories
CWE-522 : Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Use an appropriate security mechanism to protect the credentials. Make appropriate use of cryptography to protect the credentials. Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.). A messaging platform serializes all elements of User/Group objects, making private information available to adversaries Initialization file contains credentials that can be decoded using a "simple string transformation" Python-based RPC framework enables pickle functionality by default, allowing clients to unpickle untrusted data. Programmable Logic Controller (PLC) sends sensitive information in plaintext, including passwords and session tokens. Building Controller uses a protocol that transmits authentication credentials in plaintext. Programmable Logic Controller (PLC) sends password in plaintext. Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext. Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions. Web application password change utility doesn't check the original password. product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks. chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.
References
af854a3a-2127-422b-91ae-364da2661108 Exploit
cve@mitre.org Exploit
CPE
| cpe |
start |
end |
| Configuration 1 |
| cpe:2.3:a:kaseya:vsa_agent:*:*:*:*:*:*:*:* |
|
< 9.5.0.24 |
| cpe:2.3:a:kaseya:vsa_server:*:*:*:*:*:*:*:* |
|
< 9.5.7a |
REMEDIATION
EXPLOITS
Exploit-db.com
| id |
description |
date |
|
| No known exploits |
POC Github
Other Nist (github, ...)
CAPEC
Common Attack Pattern Enumerations and Classifications
| id |
description |
severity |
| 102 |
Session Sidejacking
Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token. [Detect Unprotected Session Token Transfer] The attacker sniffs on the wireless network to detect unencrypted traffic that contains session tokens. [Capture session token] The attacker uses sniffing tools to capture a session token from traffic. [Insert captured session token] The attacker attempts to insert a captured session token into communication with the targeted application to confirm viability for exploitation. [Session Token Exploitation] The attacker leverages the captured session token to interact with the targeted application in a malicious fashion, impersonating the victim. |
High |
| 474 |
Signature Spoofing by Key Theft
An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker. |
High |
| 50 |
Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure. Understand the password recovery mechanism and how it works. Find a weakness in the password recovery mechanism and exploit it. For instance, a weakness may be that a standard single security question is used with an easy to determine answer. |
High |
| 509 |
Kerberoasting
Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials. Scan for user accounts with set SPN values Request service tickets Extract ticket and save to disk Crack the encrypted ticket to harvest plain text credentials |
High |
| 551 |
Modify Existing Service
When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used. |
|
| 555 |
Remote Services with Stolen Credentials
This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed. |
Very High |
| 560 |
Use of Known Domain Credentials
[Acquire known credentials] The adversary must obtain known credentials in order to access the target system, application, or service. [Determine target's password policy] Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria. [Attempt authentication] Try each credential until the target grants access. [Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within a system or application [Spoofing] Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks. [Data Exfiltration] The adversary can obtain sensitive data contained within the system or application. |
High |
| 561 |
Windows Admin Shares with Stolen Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain. [Acquire known Windows administrator credentials] The adversary must obtain known Windows administrator credentials in order to access the administrative network shares. [Attempt domain authentication] Try each Windows administrator credential against the hidden network shares until the target grants access. [Malware Execution] An adversary can remotely execute malware within the administrative network shares to infect other systems within the domain. [Data Exfiltration] The adversary can remotely obtain sensitive data contained within the administrative network shares. |
|
| 600 |
Credential Stuffing
[Acquire known credentials] The adversary must obtain known credentials in order to access the target system, application, or service. [Determine target's password policy] Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria. [Attempt authentication] Try each username/password combination until the target grants access. [Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system or to laterally move within a system or application [Spoofing] Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks. [Data Exfiltration] The adversary can obtain sensitive data contained within the system or application. |
High |
| 644 |
Use of Captured Hashes (Pass The Hash)
An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols. [Acquire known Windows credential hash value pairs] The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain. [Attempt domain authentication] Try each Windows credential hash value pair until the target grants access. [Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain [Spoofing] Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks. [Data Exfiltration] The adversary can obtain sensitive data contained within domain systems or applications. |
High |
| 645 |
Use of Captured Tickets (Pass The Ticket)
An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain. |
High |
| 652 |
Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain. [Acquire known Kerberos credentials] The adversary must obtain known Kerberos credentials in order to access the target system, application, or service within the domain. [Attempt Kerberos authentication] Try each Kerberos credential against various resources within the domain until the target grants access. [Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain [Spoofing] Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks. [Data Exfiltration] The adversary can obtain sensitive data contained within domain systems or applications. |
High |
| 653 |
Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System. [Acquire known operating system credentials] The adversary must obtain known operating system credentials in order to access the target system, application, or service within the domain. [Attempt authentication] Try each operating system credential against various systems, applications, and services within the domain until the target grants access. [Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the network [Spoofing] Malicious data can be injected into the target system or into other systems on the network. The adversary can also pose as a legitimate user to perform social engineering attacks. [Data Exfiltration] The adversary can obtain sensitive data contained within system files or application configuration. |
High |
MITRE
Techniques
| id |
description |
| T1021 |
Remote Services |
| T1021.002 |
Remote Services:SMB/Windows Admin Shares |
| T1078 |
Valid Accounts |
| T1110.004 |
Brute Force:Credential Stuffing |
| T1114.002 |
Email Collection:Remote Email Collection |
| T1133 |
External Remote Services |
| T1543 |
Create or Modify System Process |
| T1550.002 |
Use Alternate Authentication Material:Pass The Hash |
| T1550.003 |
Use Alternate Authentication Material:Pass The Ticket |
| T1552.004 |
Unsecured Credentials: Private Keys |
| T1558 |
Steal or Forge Kerberos Tickets |
| T1558.003 |
Steal or Forge Kerberos Tickets:Kerberoasting |
| © 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. |
Mitigations
| id |
description |
| T1021 |
Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs. |
| T1021.002 |
Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group multiple systems. |
| T1078 |
Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications. |
| T1110.004 |
Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting bruteforce attempts. |
| T1114.002 |
Use secure out-of-band authentication methods to verify the authenticity of critical actions initiated via email, such as password resets, financial transactions, or access requests.
For highly sensitive information, utilize out-of-band communication channels instead of relying solely on email. This reduces the risk of sensitive data being collected through compromised email accounts.
Set up out-of-band alerts to notify security teams of unusual email activities, such as mass forwarding or large attachments being sent, which could indicate email collection attempts.
Create plans for leveraging a secure out-of-band communications channel, rather than an existing in-network email server, in case of a security incident. |
| T1133 |
Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. |
| T1543 |
Limit privileges of user accounts and groups so that only authorized administrators can interact with system-level process changes and service configurations. |
| T1550.002 |
Do not allow a domain user to be in the local administrator group on multiple systems. |
| T1550.003 |
Do not allow a user to be a local administrator for multiple systems. |
| T1552.004 |
Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Additionally, on Cisco devices, set the `nonexportable` flag during RSA key pair generation. |
| T1558 |
Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.
Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators. |
| T1558.003 |
Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators. |
| © 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation. |
Cybersecurity needs ?
Strengthen software security from the outset with our DevSecOps expertise
Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.
Discover this offer
