CVE-2021-43037
📋 TL;DR
CVE-2021-43037 is a privilege escalation vulnerability in Kaseya Unitrends Backup Appliance Windows agent due to insecure default permissions that allow DLL injection and binary planting. An unprivileged local user can exploit this to gain SYSTEM-level privileges. This affects organizations using vulnerable versions of the Kaseya Unitrends Backup Appliance.
💻 Affected Systems
- Kaseya Unitrends Backup Appliance
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where an attacker gains full SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement, and data destruction.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install additional malware, and access sensitive backup data.
If Mitigated
Limited impact if proper access controls and monitoring are in place, though the vulnerability still provides a foothold for attackers.
🎯 Exploit Status
Exploitation requires local access to the system. Detailed exploitation techniques have been publicly documented in security blogs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.5.5
Vendor Advisory: https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961
Restart Required: Yes
Instructions:
1. Download and install Kaseya Unitrends Backup Appliance version 10.5.5 or later from the Kaseya portal.
2. Apply the update to all affected Windows agents.
3. Restart the backup services or the entire system as required.
🔧 Temporary Workarounds
Restrict File Permissions
Manually adjust file permissions on the vulnerable directories to prevent unprivileged users from writing DLL files.
icacls "C:\Program Files\Unitrends\" /deny Users:(OI)(CI)W
icacls "C:\ProgramData\Unitrends\" /deny Users:(OI)(CI)W
Deny entries override Allow entries for every account that is also a member of Users, which on most hosts includes administrator accounts, so test on one host before rolling out.
Remove Unnecessary User Access
Remove local user accounts that don't require access to backup systems and implement least privilege principles.
🧯 If You Can't Patch
- Implement strict access controls to limit who can log into systems running the vulnerable agent
- Deploy endpoint detection and response (EDR) solutions to monitor for DLL injection attempts and privilege escalation activities
🔍 How to Verify
Check if Vulnerable:
Check the Unitrends agent version by navigating to the agent interface or checking the installed programs list for version numbers below 10.5.5.
Check Version:
wmic product where "name like '%Unitrends%'" get name,version
Verify Fix Applied:
Verify the installed version is 10.5.5 or higher in the Unitrends management console or via the agent properties.
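As an added example (not part of the advisory or of Kaseya's tooling), the following PowerShell audit checks whether the two directories named in the workaround still grant write access to low-privileged principals and reads the agent version from the standard Uninstall registry keys. The directory list and the `*Unitrends*` DisplayName filter are assumptions; adjust them to your install and run in an elevated session on the host that carries the agent.

```powershell
# Added example, not from the advisory or the vendor. Assumed values: the directory
# list and the '*Unitrends*' DisplayName filter below.
$Paths = @('C:\Program Files\Unitrends', 'C:\ProgramData\Unitrends')
$FixedVersion = [version]'10.5.5'

# Principals every unprivileged local user belongs to by default.
$BroadPrincipals = @('BUILTIN\Users', 'Everyone',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Any of these rights lets such a user drop or replace a DLL/EXE in the directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, CreateFiles, WriteData, AppendData, ChangePermissions, TakeOwnership'

function Get-WeakAce {
    param([string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            # Only Allow entries matter; a Deny (as set by the icacls workaround) removes the risk.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]($ace.FileSystemRights -band $WriteRights)) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-UnitrendsVersion {
    # Assumed filter: the installed product's DisplayName is expected to contain 'Unitrends'.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Unitrends*' } |
        Select-Object DisplayName, DisplayVersion
}

foreach ($p in Get-UnitrendsVersion) {
    $v = $p.DisplayVersion -as [version]
    $state = if (-not $v) { 'unrecognised version format' }
             elseif ($v -lt $FixedVersion) { 'VULNERABLE (below 10.5.5)' } else { 'patched' }
    Write-Host "$($p.DisplayName) $($p.DisplayVersion): $state"
}
$weak = $Paths | ForEach-Object { Get-WeakAce -Root $_ }
if ($weak) { $weak | Format-Table -AutoSize } else { Write-Host 'No write access for broad principals found.' }
```

Any row the ACL audit prints is a location where the workaround has not taken effect; an empty result together with a version at or above 10.5.5 is the expected state after patching.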
📡 Detection & Monitoring
Log Indicators:
- DLL load events (e.g. Sysmon Event ID 7, Image loaded) showing Unitrends processes loading DLLs from unusual or user-writable locations
- Security logs showing privilege escalation attempts
- Application logs showing unexpected agent behavior
Network Indicators:
- Unusual outbound connections from backup systems
- Anomalous authentication patterns to backup appliances
SIEM Query (pseudo-syntax; adapt to your platform). Note that Security Event 4688 only records process creation, so DLL loads need Sysmon Event ID 7 or an equivalent image-load source:
(EventID=7 AND Image LIKE '%\Unitrends\%' AND ImageLoaded LIKE '%\ProgramData\Unitrends\%') OR (EventID=4688 AND ParentProcessName LIKE '%\Unitrends\%' AND NewProcessName NOT LIKE '%\Unitrends\%')
🔗 References
- https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961
- https://www.cyberonesecurity.com/blog/exploiting-kaseya-unitrends-backup-appliance-part-1
- https://www.cyberonesecurity.com/blog/exploiting-kaseya-unitrends-backup-appliance-part-2