March 25, 2023
Kaseya's Unitrends Xtra channel programme offers 75% higher margins for partners | Channel Pro

Developers have resolved a series of vulnerabilities in storage technologies from Kaseya, including two critical flaws that each posed a remote code execution risk.


Two unauthenticated SQL injection vulnerabilities in the Kaseya Unitrends Backup Appliance (CVE-2021-43035) made it possible for potential attackers to inject arbitrary SQL queries under the Postgres superuser account.

Each of the flaws (rated with a CVSS score of 9.8, close to the maximum severity of 10.0) posed a remote code execution risk to Kaseya Unitrends Backup Appliances running vulnerable versions of the software, 10.0.x through 10.5.4.

Users are advised to update to the patched software, version 10.5.5. An unrelated vulnerability in multiple functions of the Unitrends Backup Appliance bpserverd daemon also poses a similar remote code execution risk, caused by “untrusted input (received by the server) being passed to system calls”.

The flaw remediated by installing version 10.5.5 of the software amounted to an unauthenticated remote code execution risk, also graded with a CVSS score of 9.8. The same 10.5.5 update of Kaseya’s backup software also fixed a further 10 lower-severity vulnerabilities, described in detail in a security alert from the vendor.
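The two flaw classes named above, SQL injection from unauthenticated request values and untrusted input passed to system calls, both come from the same mistake: request data is spliced into a string that a parser (the SQL engine or the shell) then reads as syntax. The following Python is an added illustration, not code from Kaseya or the Unitrends appliance; the `backups` table, the `tar` command and the input values are constructed stand-ins, since the appliance's real schema and commands are not published. Each vulnerable form is shown beside its hardened counterpart.

```python
import shlex
import sqlite3
import subprocess
import sys


def make_db():
    """Constructed in-memory table standing in for the appliance database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE backups (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO backups (name, owner) VALUES (?, ?)",
        [("nightly", "alice"), ("weekly", "bob")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, owner):
    """String concatenation: the request value becomes part of the SQL syntax.

    A value such as  ' OR '1'='1  turns the WHERE clause into a tautology and
    returns every row; with a superuser connection the same path reaches
    far more than one table.
    """
    sql = "SELECT name FROM backups WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, owner):
    """Parameterised query: the value is bound as data, never parsed as SQL."""
    rows = conn.execute("SELECT name FROM backups WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


def build_shell_command_vulnerable(archive):
    """The pattern behind 'untrusted input passed to system calls'.

    The request value is pasted into a command string destined for a shell
    (system(3) or equivalent), so shell metacharacters in it separate or
    chain commands. Returned rather than executed, for inspection.
    """
    return "tar -tf " + archive


def build_shell_command_quoted(archive):
    """Hardened string form: shlex.quote makes the value a single literal word."""
    return "tar -tf " + shlex.quote(archive)


def run_as_argv(archive):
    """Hardened execution form: no shell at all, the value is one argv entry.

    The child here is a Python one-liner that echoes its first argument, so
    the example runs anywhere the interpreter does; in the real daemon the
    argv list would name the intended tool instead.
    """
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", archive],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, hostile))   # every row leaks
    print("safe:      ", lookup_safe(db, hostile))         # no owner matches
    chained = "backup.tar; id"
    print("shell string:", build_shell_command_vulnerable(chained))
    print("quoted:      ", build_shell_command_quoted(chained))
    print("argv:        ", run_as_argv(chained))
```

The two hardened forms carry the same lesson: keep the boundary between code and data in the API (bound parameters, an argv list) rather than trying to filter the data. Where a component must build a shell string, `shlex.quote` is the fallback, but an argv list without a shell removes the problem rather than escaping around it.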


The discovery of the critical vulnerabilities in the Kaseya appliances shows that bundling web server technologies into devices, to make them easier to configure and run over the internet, can open the door to web security flaws.
