2FA bypass in Kaseya VSA <= v9.5.6
CVE-2021-30120

9.9CRITICAL

Key Information:

Vendor

Kaseya

Status
Vsa
Vendor
CVE Published:
9 July 2021

What is CVE-2021-30120?

Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication in enforce client-side instead of server-side and can be bypassed using a local proxy. Thus rendering 2FA useless. Detailed description --- During the login process, after the user authenticates with username and password, the server sends a response to the client with the booleans MFARequired and MFAEnroled. If the attacker has obtained a password of a user and used an intercepting proxy (e.g. Burp Suite) to change the value of MFARequered from True to False, there is no prompt for the second factor, but the user is still logged in.

References

https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/
x_refsource_CONFIRM
https://csrit.divd.nl/DIVD-2021-00011
x_refsource_CONFIRM
https://csrit.divd.nl/CVE-2021-30120
x_refsource_CONFIRM

CVSS V3.1

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Discovered by Wietse Boonstra of DIVD
.