cvelist/2021/30xxx/CVE-2021-30120.json

{
    "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2021-30120",
        "STATE": "PUBLIC",
        "TITLE": "2FA bypass in Kaseya VSA <= v9.5.6"
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "product": {
                        "product_data": [
                            {
                                "product_name": "Kaseya VSA",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "<=",
                                            "version_name": "9.x",
                                            "version_value": "9.5.6"
                                        }
                                    ]
                                }
                            }
                        ]
                    },
                    "vendor_name": "Kaseya"
                }
            ]
        }
    },
    "credit": [
        {
            "lang": "eng",
            "value": "Discovered by Wietse Boonstra of DIVD"
        }
    ],
    "data_format": "MITRE",
    "data_type": "CVE",
    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement.\n\nThe need to use 2FA for authentication in enforce client-side instead of server-side and can be bypassed using a local proxy. Thus rendering 2FA useless.\n\nDetailed description\n---\nDuring the login process, after the user authenticates with username and password, the server sends a response to the client with the booleans MFARequired and MFAEnroled. If the attacker has obtained a password of a user and used an intercepting proxy (e.g. Burp Suite) to change the value of MFARequered from True to False, there is no prompt for the second factor, but the user is still logged in.\n\n\n"
            }
        ]
    },
    "generator": {
        "engine": "Vulnogram 0.0.9"
    },
    "impact": {
        "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
        }
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-305 Authentication Bypass by Primary Weakness"
                    }
                ]
            }
        ]
    },
    "references": {
        "reference_data": [
            {
                "name": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/",
                "refsource": "CONFIRM",
                "url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"
            },
            {
                "name": "https://csrit.divd.nl/DIVD-2021-00011",
                "refsource": "CONFIRM",
                "url": "https://csrit.divd.nl/DIVD-2021-00011"
            },
            {
                "name": "https://csrit.divd.nl/CVE-2021-30120",
                "refsource": "CONFIRM",
                "url": "https://csrit.divd.nl/CVE-2021-30120"
            }
        ]
    },
    "solution": [
        {
            "lang": "eng",
            "value": "Upgrade to a version above 9.5.6"
        }
    ],
    "source": {
        "advisory": "DIVD-2021-00011",
        "discovery": "INTERNAL"
    }
}
"-Synchronized-Data." 2021-04-02 08:00:54 +00:00			`{`
			`"CVE_data_meta": {`
			`"ASSIGNER": "cve@mitre.org",`
"-Synchronized-Data." 2021-07-09 14:00:56 +00:00			`"ID": "CVE-2021-30120",`
Updating the CVEs for the Kaseya VSA case 2022-02-06 18:26:28 +01:00			`"STATE": "PUBLIC",`
			`"TITLE": "2FA bypass in Kaseya VSA <= v9.5.6"`
"-Synchronized-Data." 2021-04-02 08:00:54 +00:00			`},`
"-Synchronized-Data." 2021-07-09 14:00:56 +00:00			`"affects": {`
			`"vendor": {`
			`"vendor_data": [`
			`{`
			`"product": {`
			`"product_data": [`
			`{`
Full disclosure Kaseya VSA 2022-03-02 20:25:43 +01:00			`"product_name": "Kaseya VSA",`
"-Synchronized-Data." 2021-07-09 14:00:56 +00:00			`"version": {`
			`"version_data": [`
			`{`
Full disclosure Kaseya VSA 2022-03-02 20:25:43 +01:00			`"version_affected": "<=",`
			`"version_name": "9.x",`
			`"version_value": "9.5.6"`
"-Synchronized-Data." 2021-07-09 14:00:56 +00:00			`}`
			`]`
			`}`
			`}`
			`]`
			`},`
Full disclosure Kaseya VSA 2022-03-02 20:25:43 +01:00			`"vendor_name": "Kaseya"`
"-Synchronized-Data." 2021-07-09 14:00:56 +00:00			`}`
			`]`
			`}`
			`},`
Updating the CVEs for the Kaseya VSA case 2022-02-06 18:26:28 +01:00			`"credit": [`
			`{`
			`"lang": "eng",`
Full disclosure Kaseya VSA 2022-03-02 20:25:43 +01:00			`"value": "Discovered by Wietse Boonstra of DIVD"`
Updating the CVEs for the Kaseya VSA case 2022-02-06 18:26:28 +01:00			`}`
			`],`
"-Synchronized-Data." 2021-07-09 14:00:56 +00:00			`"data_format": "MITRE",`
			`"data_type": "CVE",`
			`"data_version": "4.0",`
"-Synchronized-Data." 2021-04-02 08:00:54 +00:00			`"description": {`
			`"description_data": [`
			`{`
			`"lang": "eng",`
Full disclosure Kaseya VSA 2022-03-02 20:25:43 +01:00			"value": "Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement.\n\nThe need to use 2FA for authentication in enforce client-side instead of server-side and can be bypassed using a local proxy. Thus rendering 2FA useless.\n\nDetailed description\n---\nDuring the login process, after the user authenticates with username and password, the server sends a response to the client with the booleans MFARequired and MFAEnroled. If the attacker has obtained a password of a user and used an intercepting proxy (e.g. Burp Suite) to change the value of MFARequered from True to False, there is no prompt for the second factor, but the user is still logged in.\n\n\n"
"-Synchronized-Data." 2021-07-09 14:00:56 +00:00			`}`
			`]`
			`},`
Updating the CVEs for the Kaseya VSA case 2022-02-06 18:26:28 +01:00			`"generator": {`
			`"engine": "Vulnogram 0.0.9"`
			`},`
			`"impact": {`
			`"cvss": {`
			`"attackComplexity": "LOW",`
			`"attackVector": "NETWORK",`
			`"availabilityImpact": "HIGH",`
			`"baseScore": 9.9,`
			`"baseSeverity": "CRITICAL",`
			`"confidentialityImpact": "HIGH",`
			`"integrityImpact": "HIGH",`
			`"privilegesRequired": "LOW",`
			`"scope": "CHANGED",`
			`"userInteraction": "NONE",`
			`"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",`
			`"version": "3.1"`
			`}`
			`},`
"-Synchronized-Data." 2021-07-09 14:00:56 +00:00			`"problemtype": {`
			`"problemtype_data": [`
			`{`
			`"description": [`
			`{`
			`"lang": "eng",`
Full disclosure Kaseya VSA 2022-03-02 20:25:43 +01:00			`"value": "CWE-305 Authentication Bypass by Primary Weakness"`
"-Synchronized-Data." 2021-07-09 14:00:56 +00:00			`}`
			`]`
			`}`
			`]`
			`},`
			`"references": {`
			`"reference_data": [`
			`{`
			`"name": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/",`
Updating the CVEs for the Kaseya VSA case 2022-02-06 18:26:28 +01:00			`"refsource": "CONFIRM",`
"-Synchronized-Data." 2021-07-09 14:00:56 +00:00			`"url": "https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/"`
Updating the CVEs for the Kaseya VSA case 2022-02-06 18:26:28 +01:00			`},`
			`{`
			`"name": "https://csrit.divd.nl/DIVD-2021-00011",`
			`"refsource": "CONFIRM",`
			`"url": "https://csrit.divd.nl/DIVD-2021-00011"`
			`},`
			`{`
			`"name": "https://csrit.divd.nl/CVE-2021-30120",`
			`"refsource": "CONFIRM",`
			`"url": "https://csrit.divd.nl/CVE-2021-30120"`
"-Synchronized-Data." 2021-04-02 08:00:54 +00:00			`}`
			`]`
Updating the CVEs for the Kaseya VSA case 2022-02-06 18:26:28 +01:00			`},`
Changes based on review by @vcartman 2022-03-04 13:24:11 +01:00			`"solution": [`
			`{`
			`"lang": "eng",`
			`"value": "Upgrade to a version above 9.5.6"`
			`}`
			`],`
Updating the CVEs for the Kaseya VSA case 2022-02-06 18:26:28 +01:00			`"source": {`
			`"advisory": "DIVD-2021-00011",`
Full disclosure Kaseya VSA 2022-03-02 20:25:43 +01:00			`"discovery": "INTERNAL"`
"-Synchronized-Data." 2021-04-02 08:00:54 +00:00			`}`
"-Synchronized-Data." 2022-02-07 16:01:52 +00:00			`}`