Add CVE-2021-30116 (KEV and vKEV)

Author: daffainfo

http/cves/2021/CVE-2021-30116.yaml

@@ -0,0 +1,71 @@
+id: CVE-2021-30116
+
+info:
+  name: Kaseya VSA < 9.5.7 - Credential Disclosure via Windows Agent
+  author: daffainfo
+  severity: critical
+  description: |
+    Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\Program Files (x86)\Kaseya\XXXXXXXXXX\KaseyaD.ini) which contains an Agent_Guid and AgentPassword This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9) This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication. Security issues discovered --- * Unauthenticated download page leaks credentials * Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents * dl.asp accepts credentials via a GET request * Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients. Impact --- Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.
+  remediation: |
+    Update to version 9.5.7 or later to remediate this vulnerability.
+  reference:
+    - https://csirt.divd.nl/2021/07/04/Kaseya-Case-Update-2/
+    - https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/
+    - https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021
+    - https://www.secpod.com/blog/kaseya-vsa-zero-day-by-revil/
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-30116
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+    cvss-score: 10.0
+    cve-id: CVE-2021-30116
+    cwe-id: CWE-522
+    cpe: cpe:2.3:a:kaseya:virtual_system_administrator:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    vendor: kaseya
+    product: virtual_system_administrator
+    shodan-query: http.favicon.hash:-1445519482
+  tags: cve,cve2021,kaseya,virtual_system_administrator,kev,vkev
+
+flow: |
+  http(1)
+  for (let mkdefault_id of iterate(template.id)) {
+    set("mkdefault_id", mkdefault_id)
+    http(2)
+  }
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/dl.asp"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "contains_all(body, '<title>Download Agent</title>', 'mkDefault.asp?id=')"
+          - "status_code == 200"
+        condition: and
+        internal: true
+
+    extractors:
+      - type: regex
+        name: id
+        group: 1
+        internal: true
+        regex:
+          - 'mkDefault\.asp\?id=([0-9-]+)'
+
+  - method: GET
+    path:
+      - "{{BaseURL}}/mkDefault.asp?id={{mkdefault_id}}"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - "Location: /install/VSA-default-([0-9-]+)/KcsSetup\\.exe"
+
+      - type: status
+        status:
+          - 302