CVE-2021-43035
📋 TL;DR
Two unauthenticated SQL injection vulnerabilities in Kaseya Unitrends Backup Appliance allow attackers to execute arbitrary SQL queries as the postgres superuser. This leads to remote code execution and full compromise of the postgres account. Organizations using affected versions of the backup appliance are vulnerable.
💻 Affected Systems
- Kaseya Unitrends Backup Appliance
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via remote code execution, allowing attackers to steal sensitive backup data, deploy ransomware, pivot to other systems, and maintain persistent access.
Likely Case
Data exfiltration of backup archives, credential theft, and deployment of malware or ransomware payloads on the backup appliance.
If Mitigated
Limited impact if network segmentation isolates the appliance and strict access controls prevent lateral movement.
🎯 Exploit Status
Detailed exploit walkthroughs are publicly available, making exploitation straightforward for attackers with basic skills.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.5.5
Vendor Advisory: https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961
Restart Required: Yes
Instructions:
1. Back up all configurations and data.
2. Download and apply the 10.5.5 update from the Kaseya support portal.
3. Restart the appliance as required by the update process.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Network Segmentation
Isolate the backup appliance from untrusted networks and restrict access to only necessary administrative IPs.
Web Application Firewall
Deploy a WAF with SQL injection protection rules to block exploit attempts.
🧯 If You Can't Patch
- Immediately disconnect the appliance from the internet and restrict network access to only trusted administrative systems.
- Implement strict monitoring for SQL injection attempts and postgres account activity in system logs.
🔍 How to Verify
Check if Vulnerable:
Check the appliance version via the web interface or SSH. If version is below 10.5.5, the system is vulnerable.
Check Version:
ssh admin@<appliance_ip> 'cat /etc/unitrends/version'
Verify Fix Applied:
Confirm the appliance version is 10.5.5 or higher after applying the update.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL query patterns in postgres logs
- Authentication attempts from unexpected IPs to postgres
- Web server logs showing SQL injection payloads in HTTP requests
Network Indicators:
- Outbound connections from the appliance to unknown external IPs
- Unusual database traffic patterns
SIEM Query:
source="postgres_logs" AND (message="*sql injection*" OR message="*unusual query*")
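The log indicators above can be turned into a small offline triage script. The following is an added example, not part of this advisory or any Kaseya tooling: it URL-decodes request URIs from web server access logs and flags common SQL injection tokens, and it flags postgres superuser logins from hosts outside an administrative allowlist. The endpoint path, the administrative network, the log lines and the assumption that the postgres log_line_prefix contains the client host (`%h`) are all constructed for this example.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote_plus

# Assumed administrative network for this example; replace with your own.
ADMIN_NETS = [ip_network("10.0.5.0/24")]

# Generic SQL injection tokens, matched after URL-decoding the request URI.
SQLI_PATTERNS = re.compile(
    r"(?i)(\bunion\b\s+(all\s+)?select\b|'\s*(or|and)\s+['\d]|;\s*(drop|alter|copy)\b"
    r"|pg_sleep\s*\(|--\s*$|/\*.*\*/)"
)
# Combined-format access log line; postgres line assumes log_line_prefix '%t [%h] '.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
PG_AUTH_RE = re.compile(r"\[(?P<host>[\d.]+)\].*connection authorized: user=(?P<user>\w+)")

# Constructed sample log lines (the endpoint path is hypothetical).
SAMPLE_ACCESS = [
    '203.0.113.7 - - [10/Nov/2021:12:00:01 +0000] "GET /api/example?id=5 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Nov/2021:12:00:02 +0000] "GET /api/example?id=5%27%20UNION%20SELECT%20version()-- HTTP/1.1" 500 87',
]
SAMPLE_PG = [
    "2021-11-10 12:00:02 UTC [203.0.113.7] LOG:  connection authorized: user=postgres database=unitrends",
    "2021-11-10 12:01:00 UTC [10.0.5.20] LOG:  connection authorized: user=backup_ro database=unitrends",
]

def scan_access_line(line):
    """Return a finding dict if the decoded URI carries an SQL injection token."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m["uri"])
    hit = SQLI_PATTERNS.search(decoded)
    if not hit:
        return None
    return {"source": "web", "ip": m["ip"], "indicator": hit.group(0), "uri": decoded}

def scan_pg_line(line):
    """Return a finding dict if the postgres superuser logged in from a non-admin host."""
    m = PG_AUTH_RE.search(line)
    if not m or m["user"] != "postgres":
        return None
    if any(ip_address(m["host"]) in net for net in ADMIN_NETS):
        return None
    return {"source": "postgres", "ip": m["host"], "indicator": "superuser login from non-admin host"}

def scan(access_lines, pg_lines):
    """Run both checks and return all findings; the two sample sets yield two."""
    findings = [f for line in access_lines if (f := scan_access_line(line))]
    findings += [f for line in pg_lines if (f := scan_pg_line(line))]
    return findings
```

Correlating a web finding and a postgres finding from the same source IP within a short window, as in the samples above, is the strongest signal that an injection attempt reached the database.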
🔗 References
- https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961
- https://www.cyberonesecurity.com/blog/exploiting-kaseya-unitrends-backup-appliance-part-1
- https://www.cyberonesecurity.com/blog/exploiting-kaseya-unitrends-backup-appliance-part-2