Critical web security flaws in Kaseya Unitrends backup appliances were addressed after disclosure by the researchers


Fixed two critical bugs in the cloud storage patch batch

Developers have addressed a number of vulnerabilities in Kaseya storage technologies

Developers have a number of Weak points in Kaseya storage technologies, including two critical bugs, each of which presented a risk to remote code execution.

Two unauthenticated SQL injection vulnerabilities in the Kaseya Unitrends Backup Appliance (tracked as CVE-2021-43035) allowed potential attackers to inject arbitrary SQL queries under the Postgres superuser account.

Each of the errors (rated with a CVSS score of 9.8, near the maximum severity of 10.0) turned out to be Remote code execution Risk to the Kaseya Unitrends Backup Appliance which is running vulnerable versions of the software ranging from 10.0.x-10.5.4.

It is recommended that users upgrade to version 10.5.5 of the patched software.

Secure them

An independent vulnerability in several functions of the Unitrends Backup Appliance bpserverd Daemons also pose a similar risk to remote code execution.

the CVE-2021-43033 The vulnerability was also caused by “untrusted input (received from the server) being passed to system calls.”

The result of the vulnerability – fixed by installing version 10.5.5 of the software – was an unauthenticated remote code execution risk, which was also rated with a CVSS score of 9.8.

The same update 10.5.5 of the backup software from Kaseya also fixed another 10 vulnerabilities of lower severity, as in a. described in detail Security alert from the provider.

Read about the latest SQL injection news

Cyber ​​security consultancies CyberOne and DIVD are credited with discovering and disclosing some of the vulnerabilities patched by Kaseya.

The daily sip contacted both for comment, but neither had replied at the time of publication.

The discovery of the critical vulnerabilities in the Kaseya appliances shows that bundling web server technologies into devices to make them easier to configure and operate over the Internet can sometimes open the door to security loopholes on the web.

Kaseya merges with Unitrends in 2018.

TIED TOGETHER Web security bug discovered in the CATIE framework for assisted living

Source link
#Critical #web #security #flaws #Kaseya #Unitrends #backup #appliances #addressed #disclosure #researchers

Leave a Reply