Vulnerability Description
Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication in enforce client-side instead of server-side and can be bypassed using a local proxy. Thus rendering 2FA useless. Detailed description --- During the login process, after the user authenticates with username and password, the server sends a response to the client with the booleans MFARequired and MFAEnroled. If the attacker has obtained a password of a user and used an intercepting proxy (e.g. Burp Suite) to change the value of MFARequered from True to False, there is no prompt for the second factor, but the user is still logged in.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kaseya | Vsa | <= 9.5.6 |
Related Weaknesses (CWE)
References
- https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/PatchThird Party Advisory
- https://csrit.divd.nl/CVE-2021-30120Permissions RequiredThird Party Advisory
- https://csrit.divd.nl/DIVD-2021-00011Permissions RequiredThird Party Advisory
- https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/PatchThird Party Advisory
- https://csrit.divd.nl/CVE-2021-30120Permissions RequiredThird Party Advisory
- https://csrit.divd.nl/DIVD-2021-00011Permissions RequiredThird Party Advisory
FAQ
What is CVE-2021-30120?
CVE-2021-30120 is a vulnerability with a CVSS score of 9.9 (CRITICAL). Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication in enforce client-side instead of server-side and can be bypassed using a local proxy. Th...
How severe is CVE-2021-30120?
CVE-2021-30120 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-30120?
Check the references section above for vendor advisories and patch information. Affected products include: Kaseya Vsa.