Authentication bypass in Kaseya VSA

Abstract

A security vulnerability was found in Kaseya VSA that allows users to view remote computers they are not authorised to view. Any user who is authenticated and permitted to view at least one remote computer can use this vulnerability to view every machine managed by the Kaseya application.

Tested versions

This issue was successfully tested on version R9.2.

Fix

Patch to the latest version of VSA.

Introduction

Kaseya VSA allows a company to manage computers deployed all over the world from a central interface, sometimes hosted in the company's own environment and sometimes consumed as SaaS. The system is designed to centralise IT automation, including patch management, inventory management, remote monitoring, remote access and more. Some of the functionality of this management backend includes:

  • Ability to take a screenshot of a remote computer
  • Ability to download files from a remote computer
  • Ability to upload files to a remote computer
  • Ability to reboot / shut down a remote computer

This issue was found in the function for viewing remote computers. The same issue is expected to be present in every function that acts on a remote computer, but due to the limited scope of the test we were not able to verify each one.

Details

An authenticated user who is permitted to view some remote computers can view every remote computer on the server. This is done by changing the URL so that it points to the remote computer the user wants to view: the server verifies that the caller is logged in, but not that the requested computer is one the caller is allowed to see. As stated above, the issue is expected to be present in all calls that act on a remote computer, but due to scope we could not test every vector.
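The class of bug described here is a missing object-level authorization check: the application confirms that the caller is authenticated, but never checks that the agentGuid in the URL refers to a machine within the caller's scope. The Python model below is an added example, not Kaseya's code and not derived from VSA internals; the URL shape, the Session, AGENTS and USER_SCOPE names and all sample data are constructed for illustration. It places the broken handler beside the corrected one and adds an audit that reports, for every user, which out-of-scope agents each handler lets through, which is the check a tester would run against both accounts.

```python
"""Added example (not Kaseya's code): object-level authorization for a
per-agent view keyed by an agentGuid URL parameter.

view_agent_vulnerable() checks only that the caller is authenticated.
view_agent_fixed() additionally checks that the requested agentGuid is
within the caller's scope. Session, AGENTS, USER_SCOPE and the URL shape
are hypothetical names and constructed data for illustration.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


class Forbidden(Exception):
    """Raised when a request fails an authorization check."""


@dataclass(frozen=True)
class Session:
    user: str
    authenticated: bool = True


# Constructed sample inventory: agentGuid -> machine record.
AGENTS = {
    "10000000000000001": {"name": "ws-finance-01", "org": "finance"},
    "10000000000000002": {"name": "ws-finance-02", "org": "finance"},
    "20000000000000001": {"name": "srv-hr-01", "org": "hr"},
}

# Constructed scope table: the agentGuids each user is permitted to view.
USER_SCOPE = {
    "alice": {"10000000000000001", "10000000000000002"},
    "bob": {"20000000000000001"},
}


def agent_guid_from_url(url: str) -> str:
    """Extract the agentGuid query parameter from a request URL."""
    values = parse_qs(urlparse(url).query).get("agentGuid")
    if not values:
        raise ValueError("missing agentGuid")
    return values[0]


def view_agent_vulnerable(session: Session, url: str) -> dict:
    """Broken: authentication only. Any logged-in user can read any GUID."""
    if not session.authenticated:
        raise Forbidden("not authenticated")
    guid = agent_guid_from_url(url)
    if guid not in AGENTS:
        raise KeyError(guid)
    return AGENTS[guid]


def view_agent_fixed(session: Session, url: str) -> dict:
    """Fixed: authentication plus an object-level check on the GUID itself."""
    if not session.authenticated:
        raise Forbidden("not authenticated")
    guid = agent_guid_from_url(url)
    scope = USER_SCOPE.get(session.user, set())
    # An out-of-scope GUID and an unknown GUID get the same response, so the
    # endpoint does not become an oracle for enumerating valid agentGuids.
    if guid not in scope or guid not in AGENTS:
        raise Forbidden(f"{session.user} may not view agentGuid {guid}")
    return AGENTS[guid]


def cross_scope_access(handler, attacker: str, victim_guid: str) -> bool:
    """True if `attacker` can read `victim_guid` through `handler`, i.e. the
    bypass described in the advisory is present for that pair."""
    url = f"https://vsa.example/view?agentGuid={victim_guid}"  # constructed URL
    try:
        handler(Session(attacker), url)
    except Forbidden:
        return False
    return True


def audit(handler) -> dict:
    """For each user, list the agentGuids outside their scope that `handler`
    still lets them read. An empty list for every user is the expected result."""
    return {
        user: sorted(
            guid for guid in AGENTS
            if guid not in scope and cross_scope_access(handler, user, guid)
        )
        for user, scope in USER_SCOPE.items()
    }


if __name__ == "__main__":
    print("vulnerable:", audit(view_agent_vulnerable))
    print("fixed:     ", audit(view_agent_fixed))
```

Running the audit against the vulnerable handler lists every foreign agent for both users; against the fixed handler it lists none, while in-scope requests still succeed. Checking scope before existence, as the fixed handler does, also avoids leaking which GUIDs exist to a caller who is not entitled to see them.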

Steps to reproduce

  • Change the agentGuid in the URL:
