6-year-old Kaseya vulnerability surfaces amid VSA supply chain attack

A six-year-old flaw lying in Kaseya's deprecated billing and customer support site has surfaced amid the ongoing attempt to rectify a supply chain attack on the vendor’s VSA product that has affected over 1000 businesses globally. 

Last week, the US-based IT infrastructure management solutions vendor discovered a potential security incident involving its VSA software, which is used by managed service providers (MSPs) to deliver IT management services to customers.  

John Hammond, senior security researcher at cyber security firm Huntress, said at the time that on 2 July, “many” Kaseya VSA servers were used to deploy ransomware, with the party behind the campaign appearing to be affiliated with the REvil group, which is believed to be linked with Russia.   

According to cyber security expert Brian Krebs, part of the chain involved the exploit CVE-2021-30116, which has been around since April. 

However, this isn't the only dated Kaseya-related vulnerability to be concerned about, with a new report posted by Krebs on his KrebsOnSecurity site claiming that security incident response firm Mandiant notified the vendor about a six-year-old vulnerability that was still around in an older version of its billing and customer support portal. 

The vulnerability, CVE-2015-2862, was issued in July 2015 and is a "directory traversal vulnerability" in Kaseya VSA that “allows remote authenticated users to read arbitrary files via a crafted HTTP request". 

Or in Krebs' words, the exploit allows "remote users to read any files on the server using nothing more than a web browser". 

According to comments Krebs received from Michael Sanders, executive VP of account management at Kaseya, the customer portal was taken offline due to a vulnerability report. 

Krebs also claimed Sanders said that although the portal was deprecated in 2018, the older site was still accessible online. 

However, the vulnerability may be worse than expected. Alex Holden, the person from which Mandiant heard about the vulnerability, as well as founder and CTO of cyber intelligence firm Hold Security, said he was able to access information without being an authenticated user, despite the CVE description. 

Krebs claims Holden was able to exploit CVE-2015-2862 to download the site's web.config server component file, which typically contain usernames, passwords and the location of key databases. 

"It's not like they forgot to patch something that Microsoft fixed years ago," Holden said to KrebsOnSecurity. "It's a patch for their own software. And it's not zero-day. It's from 2015!" 

KrebsOnSecurity claimed a written statement from Kaseya that it had seen said the portal was not involved with VSA product security incidents, and does not have access to any customer endpoints.