Two critical flaws addressed in cloud storage patch batch
Developers have resolved a series of vulnerabilities in storage technologies from Kaseya, including two critical flaws that each posed a remote code execution risk.
Two unauthenticated SQL injection vulnerabilities in the Kaseya Unitrends Backup Appliance (tracked as CVE-2021-43035) made it possible for potential attackers to inject arbitrary SQL queries under the Postgres superuser account.
Each of the flaws (rated with a CVSS score of 9.8, close to the maximum severity of 10.0) posed a remote code execution risk to Kaseya Unitrends Backup Appliances running vulnerable versions of the software, 10.0.x through 10.5.4.
Users are advised to update to the patched software, version 10.5.5.
Back it up
An unrelated vulnerability in multiple functions of the Unitrends Backup Appliance bpserverd daemon also poses a similar remote code execution risk.
The CVE-2021-43033 vulnerability was also caused by “untrusted input (received by the server) being passed to system calls”.
The result of the security flaw – remediated by the installation of version 10.5.5 of the software – was an unauthenticated remote code execution risk also graded with a CVSS score of 9.8.
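Both critical flaws belong to the same class: request-supplied values reaching an interpreter (SQL for CVE-2021-43035, the OS shell for CVE-2021-43033) without being treated strictly as data. The following is an added illustration written for this article, not Kaseya's or Unitrends' code, and nothing in it reflects how bpserverd or the appliance's database layer is actually implemented. It uses an in-memory SQLite table as a stand-in for the Postgres database, a hypothetical `jobs` table and job-name format, and a hypothetical `tar` command layout. It shows the vulnerable string-interpolated query beside its parameterised form, and an allow-list check plus argv-list `subprocess` call for the OS-command case.

```python
import re
import sqlite3
import subprocess

# Constructed, hypothetical rule for backup job names: a short, safe charset
# that excludes quotes, whitespace and shell metacharacters.
JOB_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validate_job_name(name: str) -> str:
    """Allow-list check applied before any request-supplied value reaches
    SQL or a subprocess. Raises ValueError on anything outside the charset."""
    if not isinstance(name, str) or JOB_NAME_RE.fullmatch(name) is None:
        raise ValueError(f"rejected job name: {name!r}")
    return name


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the appliance's database.
    (In production the service account should be a restricted role,
    not the database superuser, so an injection cannot reach the host.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO jobs (name) VALUES (?)",
                     [("nightly",), ("weekly",), ("archive-2021",)])
    conn.commit()
    return conn


def lookup_job_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the request value is interpolated into the query,
    so a single quote in `name` changes the statement's structure."""
    sql = f"SELECT id FROM jobs WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_job_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: a bound parameter is always data, never SQL."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM jobs WHERE name = ?", (name,))]


def build_archive_command(job_name: str, dest_dir: str) -> list:
    """Hardened pattern for the OS-command case: validate first, then build
    an argv list so no shell ever parses the value. The tar layout and the
    /var/backups path are hypothetical."""
    name = validate_job_name(job_name)
    return ["tar", "-czf", f"{dest_dir}/{name}.tar.gz", "-C", "/var/backups", name]


def run_archive(job_name: str, dest_dir: str) -> int:
    """Runs the validated command without a shell; returns the exit code."""
    cmd = build_archive_command(job_name, dest_dir)
    return subprocess.run(cmd, shell=False, check=False).returncode


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("unsafe:", lookup_job_unsafe(db, crafted))   # every job id leaks
    print("safe:  ", lookup_job_safe(db, crafted))     # [] - the quote is just data
    try:
        validate_job_name("nightly; id")
    except ValueError as exc:
        print("rejected:", exc)
```

The two defences are independent and both are worth having: the bound parameter removes the SQL injection regardless of input, and the allow-list plus argv list removes the shell from the command path entirely, so a value that slips past validation still cannot be reinterpreted as a command.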
The same 10.5.5 update of Kaseya’s backup software also fixed a further 10 lower-severity vulnerabilities, described in detail in a security alert from the vendor.
Cybersecurity consultancies CyberOne and DIVD were credited with discovering and disclosing some of the vulnerabilities patched by Kaseya.
The Daily Swig approached both for comment, but neither had responded by the time of publication.
The discovery of the critical vulnerabilities in the Kaseya appliances shows that bundling web server technologies into devices to make them easier to configure and run over the internet can sometimes open the door to web security flaws.
Kaseya merged with Unitrends in 2018.