Kaseya VSA Database Access Vulnerability

CVE advisory | Known Exploit

CVE-2017-18362

Unauthenticated commands through a Kaseya VSA integration can grant attackers direct database access, enabling arbitrary SQL queries. This has been exploited to deploy ransomware on managed endpoints, posing a significant risk to organizational systems and data.

Halo Surface Signal: 4
Weakness type: SQL Injection
Affected product: ConnectWise ManagedITSync
Affected versions: 2017 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2017-18362

The vulnerability resides in a web-based integration component (ManagedIT.asmx) used within Kaseya VSA. Because management and integration interfaces of this kind are typically exposed to the network to support remote administration and synchronization between platforms, the endpoint is likely to be reachable in internet-facing deployments.

Horizon Alert

Summary of the vulnerability and why it matters

The ConnectWise ManagedITSync integration for Kaseya VSA contains a weakness that allows unauthenticated remote commands. This vulnerability can provide full, direct access to the Kaseya VSA database. Attackers have exploited this flaw to deploy ransomware on endpoints managed by the affected server.

  • Vulnerable integration component
  • Unauthenticated database access
  • Widespread ransomware deployment

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could gain direct database access to a Kaseya VSA server through the ConnectWise ManagedITSync integration. This access allows for arbitrary SQL queries, enabling attackers to read or write data. In known campaigns, this vulnerability was exploited to deploy ransomware on managed endpoints.

  • Vulnerable integration is exposed externally.
  • Attacker sends unauthenticated SQL queries.
  • Commands execute, impacting systems and data.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to gain full access to a Kaseya VSA database. This could lead to the execution of arbitrary SQL queries, potentially resulting in the compromise of sensitive data and the deployment of malicious payloads like ransomware on managed endpoints. The exploitation of this vulnerability has been observed in active campaigns.

  • Likely attacker skill level: Low
  • Required access or conditions: Network access
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows unauthenticated remote commands, granting direct access to the Kaseya VSA database. Attackers have exploited this to deploy ransomware on managed endpoints. Organizations with the ManagedIT.asmx page accessible via the Kaseya VSA web interface are at risk of arbitrary SQL queries, leading to potential data compromise and system control.

  • Find assets with the affected integration.
  • Restrict access to the integration's web interface.
  • Address the vulnerability and monitor systems.

Frequently asked questions

What is ConnectWise ManagedITSync for Kaseya VSA?

ConnectWise ManagedITSync is an integration component used with Kaseya VSA, a remote monitoring and management software. It facilitates synchronization and management tasks between different IT systems, allowing IT professionals to oversee and control multiple endpoints and networks efficiently. This integration is designed to streamline IT operations by connecting various management tools.

What is the weakness in CVE-2017-18362?

CVE-2017-18362 is a SQL injection vulnerability (CWE-89). This means an attacker can send specially crafted SQL commands through the ManagedIT.asmx interface to manipulate the Kaseya VSA database. This allows them to read sensitive data or execute commands without needing any authentication, potentially leading to a full compromise of the database.

How can an attacker exploit this Kaseya VSA vulnerability?

An attacker can exploit this vulnerability if the ManagedIT.asmx page is accessible via the Kaseya VSA web interface. They can then send unauthenticated SQL queries to the system. If the web interface is not exposed externally, or if the specific integration is not in use, the bug would not be triggered.

Who should be concerned about CVE-2017-18362?

Organizations using Kaseya VSA with the ConnectWise ManagedITSync integration are at risk. This vulnerability is classified as external, meaning it can be targeted over the network. If your Kaseya VSA is internet-facing, it's crucial to assess your exposure to this threat.

What is the first step for responding to this CVE?

The initial step is to identify any assets running the affected Kaseya VSA versions with the ConnectWise ManagedITSync integration. If the ManagedIT.asmx page is accessible, restrict direct access to its web interface immediately and investigate the integration's usage and security posture.
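The remediation guidance above and the answer to this question come down to two checks: confirm whether ManagedIT.asmx is being reached at all, and confirm that only the expected integration peer is reaching it. The following script is an added example written for this advisory, not code from the advisory's author, Kaseya or ConnectWise. It assumes the VSA web front end writes IIS W3C extended logs (column order taken from the `#Fields:` directive), that the operator knows the source address of the legitimate ConnectWise integration server and supplies it as an allowlist, and that the sample log rows, including the `/ConnectWise/ManagedIT.asmx` path and all addresses, are constructed for illustration rather than taken from a real deployment.

```python
"""Flag requests to the ManagedIT.asmx integration endpoint in web-server access logs.

Added example for this advisory; not vendor code. Assumptions (labelled):
- The Kaseya VSA web front end writes IIS W3C extended logs, so the column
  layout comes from the '#Fields:' directive.
- The ConnectWise integration server that legitimately calls ManagedIT.asmx
  has a known source address that the operator supplies as an allowlist.
- SAMPLE_LOG below is constructed; its paths and addresses are not real.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable

ENDPOINT_MARKER = "managedit.asmx"   # path fragment named in the advisory


@dataclass(frozen=True)
class Finding:
    when: str
    client_ip: str
    method: str
    uri: str
    status: str
    reason: str   # "unexpected-source" or "allowed-source"


def parse_w3c(lines: Iterable[str]):
    """Yield one dict per data row, keyed by the names in the #Fields: directive."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue   # malformed row: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def find_integration_requests(lines, allowed_sources):
    """Return a Finding for every request whose path touches ManagedIT.asmx.

    Requests from an allowlisted source are still reported (reason
    'allowed-source') so the operator can confirm the integration is in use;
    anything else is 'unexpected-source', which should not occur once access
    to the endpoint has been restricted as the advisory recommends.
    """
    nets = [ip_network(n, strict=False) for n in allowed_sources]
    findings = []
    for row in parse_w3c(lines):
        uri = row.get("cs-uri-stem", "")
        if ENDPOINT_MARKER not in uri.lower():
            continue
        src = row.get("c-ip", "")
        try:
            allowed = any(ip_address(src) in n for n in nets)
        except ValueError:
            allowed = False   # unparsable address: treat as unexpected
        findings.append(Finding(
            when=f"{row.get('date', '')} {row.get('time', '')}",
            client_ip=src,
            method=row.get("cs-method", ""),
            uri=uri,
            status=row.get("sc-status", ""),
            reason="allowed-source" if allowed else "unexpected-source",
        ))
    return findings


# Constructed sample: two integration calls from the allowlisted peer, one
# from an address that should not be reaching the endpoint, and unrelated
# traffic that must not be flagged.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2024-01-10 08:00:01 10.0.0.5 POST /ConnectWise/ManagedIT.asmx - 443 10.0.0.20 200
2024-01-10 08:00:07 10.0.0.5 GET /vsapres/login.aspx - 443 10.0.0.44 200
2024-01-10 08:01:15 10.0.0.5 POST /ConnectWise/ManagedIT.asmx - 443 203.0.113.77 200
2024-01-10 08:02:30 10.0.0.5 POST /ConnectWise/managedit.asmx - 443 10.0.0.20 500
"""
ALLOWED = ["10.0.0.20/32"]   # assumed address of the integration peer


def unexpected_sources(log_text=SAMPLE_LOG, allowed=ALLOWED):
    """Sorted client IPs that reached the endpoint from outside the allowlist."""
    hits = find_integration_requests(log_text.splitlines(), allowed)
    return sorted({f.client_ip for f in hits if f.reason == "unexpected-source"})


if __name__ == "__main__":
    for f in find_integration_requests(SAMPLE_LOG.splitlines(), ALLOWED):
        print(f"{f.when} {f.client_ip:>14} {f.method} {f.uri} -> {f.status} [{f.reason}]")
```

Run against real logs, an empty result from `unexpected_sources` together with a non-empty list of `allowed-source` findings tells you the integration is in use and already restricted to its peer; any `unexpected-source` entry is a host that could reach the endpoint and belongs in the incident timeline while access is being locked down. The match is on the path fragment rather than a full URL because the exact virtual directory may differ between installations.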
