Two critical bugs fixed in cloud storage patch batch
Developers have patched a number of weaknesses in Kaseya storage technologies, including two critical bugs, each of which presented a remote code execution risk.
Two unauthenticated SQL injection vulnerabilities in the Kaseya Unitrends Backup Appliance (tracked as CVE-2021-43035) allowed potential attackers to inject arbitrary SQL queries under the Postgres superuser account.
Each of the bugs (rated with a CVSS score of 9.8, close to the maximum severity of 10.0) posed a remote code execution risk to Kaseya Unitrends Backup Appliances running vulnerable software versions from 10.0.x through 10.5.4.
Users are advised to upgrade to the patched software version 10.5.5.
A separate vulnerability in several functions of the Unitrends Backup Appliance's bpserverd daemon also posed a similar remote code execution risk.
That vulnerability, CVE-2021-43033, was caused by “untrusted input (received from the server) being passed to system calls.”
The result of the vulnerability – fixed by installing version 10.5.5 of the software – was an unauthenticated remote code execution risk, which was also rated with a CVSS score of 9.8.
The same 10.5.5 update of Kaseya's backup software also fixed another 10 vulnerabilities of lower severity, as described in detail in a security advisory from the vendor.
Cyber security consultancies CyberOne and DIVD are credited with discovering and disclosing some of the vulnerabilities patched by Kaseya.
The Daily Swig contacted both for comment, but neither had replied at the time of publication.
The discovery of the critical vulnerabilities in the Kaseya appliances shows that bundling web server technologies into devices to make them easier to configure and operate over the Internet can sometimes open the door to web security loopholes.
Kaseya merged with Unitrends in 2018.