CVE-2021-43040

8.8 HIGH

📋 TL;DR

This vulnerability in Kaseya Unitrends Backup Appliance allows privileged vaultServer processes to create arbitrary writable files, enabling attackers to escalate privileges. It affects organizations using Kaseya Unitrends Backup Appliance for data protection. Successful exploitation could lead to complete system compromise.

💻 Affected Systems

Products:
  • Kaseya Unitrends Backup Appliance
Versions: All versions before 10.5.5
Operating Systems: Appliance-specific Linux distribution
Default Config Vulnerable: ⚠️ Yes
Notes: This affects the backup appliance software specifically, not the underlying OS distribution.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with administrative privileges, allowing data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Privilege escalation to root/system-level access, enabling attackers to manipulate backup data, access sensitive information, or pivot to other systems.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, potentially containing the attack to the backup appliance.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires some technical knowledge, but a detailed analysis is publicly available in the referenced blog posts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.5.5

Vendor Advisory: https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961

Restart Required: Yes

Instructions:

1. Back up all configurations and data.
2. Download and install version 10.5.5 from the Kaseya support portal.
3. Follow the appliance upgrade procedures.
4. Verify the update succeeded and the appliance is functioning.

🔧 Temporary Workarounds

Network Segmentation (all versions)

Isolate the backup appliance from other systems to limit lateral movement potential.

Access Restriction (all versions)

Limit administrative access to the appliance to only necessary personnel using strong authentication.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the appliance
  • Monitor for suspicious file creation activities and privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check the appliance version via web interface or SSH: cat /etc/unitrends/version

Check Version:

cat /etc/unitrends/version

Verify Fix Applied:

Verify version is 10.5.5 or later using the same command and check that vaultServer processes have proper file creation restrictions.
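The version check above is easy to get wrong by hand (a plain string comparison ranks 10.5.10 below 10.5.5). The following POSIX shell script is an added example, not part of this advisory or of Kaseya's tooling: it compares a dotted version string against the fixed release component by component and reports whether the appliance still needs the update. It assumes that /etc/unitrends/version prints a dotted numeric version such as "10.5.4" on its first line; when that file is not present (for example when run off the appliance), it falls back to constructed sample values.

```shell
#!/bin/sh
# Added example (not from the advisory or the vendor): decide whether an
# appliance version is below the CVE-2021-43040 fix release, 10.5.5.
# Assumption: /etc/unitrends/version prints a dotted numeric version string.

FIXED_VERSION="10.5.5"

# version_ge A B: exit 0 if dotted version A >= B, comparing each numeric
# component in turn; a missing component counts as 0, so 10.5.5.1 >= 10.5.5.
version_ge() {
    a="$1"; b="$2"
    i=1
    while :; do
        ac=$(printf '%s' "$a" | cut -d. -f"$i")
        bc=$(printf '%s' "$b" | cut -d. -f"$i")
        # Both exhausted with no difference found: versions are equal.
        [ -z "$ac" ] && [ -z "$bc" ] && return 0
        # Keep digits only so a suffix such as "5-1" still compares as 5.
        ac=$(printf '%s' "$ac" | tr -cd '0-9')
        bc=$(printf '%s' "$bc" | tr -cd '0-9')
        ac=${ac:-0}; bc=${bc:-0}
        [ "$ac" -gt "$bc" ] && return 0
        [ "$ac" -lt "$bc" ] && return 1
        i=$((i + 1))
    done
}

# check_vulnerable VERSION: print a verdict; exit 0 if patched, 1 if vulnerable.
check_vulnerable() {
    ver="$1"
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "version $ver: not affected by CVE-2021-43040 (>= $FIXED_VERSION)"
        return 0
    fi
    echo "version $ver: VULNERABLE to CVE-2021-43040 (< $FIXED_VERSION); upgrade to $FIXED_VERSION"
    return 1
}

if [ -r /etc/unitrends/version ]; then
    # Live check on the appliance itself.
    check_vulnerable "$(head -n1 /etc/unitrends/version | tr -d '[:space:]')"
else
    # Constructed sample inputs for demonstrating the comparison off-box.
    # The "|| :" keeps the loop going after a vulnerable (exit 1) verdict.
    for v in 10.5.4 10.5.5 10.5.10; do
        check_vulnerable "$v" || :
    done
fi
```

Run it over SSH on the appliance; a non-zero exit status means the version is below 10.5.5. The numeric per-component comparison is the point of the example: it is what makes 10.5.10 and 10.6.0 correctly read as later than 10.5.5.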

📡 Detection & Monitoring

Log Indicators:

  • Unusual file creation by vaultServer processes
  • Privilege escalation attempts
  • Unauthorized access to backup appliance logs

Network Indicators:

  • Unexpected outbound connections from backup appliance
  • Anomalous authentication patterns

SIEM Query:

source="backup-appliance" AND (process="vaultServer" AND action="file_create")
