CVE-2021-43042

9.8 CRITICAL

📋 TL;DR

A buffer overflow vulnerability in the vaultServer component of Kaseya Unitrends Backup Appliance allows remote unauthenticated attackers to execute arbitrary code or cause denial of service. This affects all systems running versions before 10.5.5. The vulnerability is remotely exploitable without authentication.

💻 Affected Systems

Products:
  • Kaseya Unitrends Backup Appliance
Versions: All versions before 10.5.5
Operating Systems: Appliance-specific OS
Default Config Vulnerable: ⚠️ Yes
Notes: The vaultServer component is part of the standard appliance configuration and is vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, ransomware deployment, or lateral movement across the network.

🟠 Likely Case

Remote code execution allowing attackers to gain control of the backup appliance, potentially compromising backup data and using the system as an entry point for further attacks.

🟢 If Mitigated

Limited impact if the appliance is isolated behind firewalls with strict network controls, though the vulnerability remains present.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication, making internet-facing systems extremely vulnerable to attack.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows unauthenticated exploitation, posing significant risk to internal networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Detailed exploitation techniques have been publicly documented in multiple blog posts, making this easily exploitable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.5.5

Vendor Advisory: https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961

Restart Required: Yes

Instructions:

1. Back up all configurations and data.
2. Download and install version 10.5.5 from the Kaseya support portal.
3. Apply the update through the appliance management interface.
4. Restart the appliance as required.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate the backup appliance from untrusted networks and restrict access to only trusted management systems.

Firewall Rules (applies to: all)

Implement strict firewall rules to block external access to the vaultServer component ports.

🧯 If You Can't Patch

  • Immediately isolate the appliance from all networks except absolutely necessary management connections
  • Implement strict network monitoring and intrusion detection for any traffic to the appliance

🔍 How to Verify

Check if Vulnerable:

Check the appliance version in the web management interface. If version is below 10.5.5, the system is vulnerable.

Check Version:

Check via the web interface at https://[appliance-ip]/ or use appliance-specific CLI commands if available.

Verify Fix Applied:

Verify the appliance shows version 10.5.5 or higher in the management interface after patching.
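The "below 10.5.5" check above is easy to get wrong in a script: comparing version strings lexicographically makes "9.9.9" sort above "10.5.5". The following is an added example (not from the advisory or from Kaseya) that parses the dotted version numerically and applies the advisory's threshold; the `extract_version` helper and the sample banner text it is run against are constructed for illustration and are not the appliance's real UI output.

```python
import re
from typing import Optional, Tuple

# Fixed version stated in the advisory for CVE-2021-43042.
FIXED_VERSION = "10.5.5"

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.5.4' into (10, 5, 4) so comparisons are numeric, not
    lexicographic. Non-digit suffixes on a component ('5-rc1') are dropped;
    short versions are padded with zeros so '10.5' == '10.5.0'."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def is_vulnerable(appliance_version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the appliance version is strictly below the fixed version."""
    return parse_version(appliance_version) < parse_version(fixed)

def extract_version(text: str) -> Optional[str]:
    """Pull the first dotted numeric version out of free text (e.g. a banner
    or 'About' page you copied out of the web interface). Hypothetical
    helper: the real interface layout is not described in the advisory."""
    m = re.search(r"\b(\d+(?:\.\d+){1,3})\b", text)
    return m.group(1) if m else None

def check_banner(text: str) -> Optional[bool]:
    """Convenience wrapper: None if no version found, else is_vulnerable()."""
    v = extract_version(text)
    return None if v is None else is_vulnerable(v)

if __name__ == "__main__":
    # Constructed sample banner, not real appliance output.
    sample = "Unitrends Backup Appliance, release 10.5.4 (build 20211011)"
    v = extract_version(sample)
    print(f"detected version {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
```

Note the string-comparison pitfall the numeric parse avoids: `"9.9.9" < "10.5.5"` is False in Python because `"9"` sorts after `"1"`, which would mark a clearly outdated appliance as patched.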

📡 Detection & Monitoring

Log Indicators:

  • Unusual network connections to vaultServer ports
  • Crash logs from vaultServer process
  • Unauthenticated access attempts to backup services

Network Indicators:

  • Traffic patterns matching known exploit payloads
  • Unexpected connections to vaultServer default ports

SIEM Query:

source="appliance_logs" AND ((process="vaultServer" AND event="crash") OR (destination_port IN (vault_server_ports) AND auth_status="failed"))

Here vault_server_ports is a placeholder for the vaultServer listening ports on your appliance. The outer parentheses matter: AND/OR precedence differs between query languages, and without them the failed-authentication branch may not be restricted to source="appliance_logs".
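To show what the SIEM query actually selects, and why the grouping matters, here is an added example (not from the advisory and not a Kaseya tool) that applies the same logic to key=value log lines. The line format, the `VAULT_SERVER_PORTS` placeholder value and the five sample records are all constructed for this illustration; the advisory does not state vaultServer's real ports or its log format, so substitute your appliance's values.

```python
import re
from typing import Dict, List, Optional, Set

# PLACEHOLDER: the advisory does not list vaultServer's listening ports.
# Replace with the ports documented for your appliance before use.
VAULT_SERVER_PORTS: Set[int] = {12345}

# key=value pairs, with optional double-quoted values
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line: str) -> Dict[str, str]:
    """Parse one '<timestamp> key=value key=value ...' line into a dict.
    Constructed format for this example, not the appliance's real syslog."""
    ts, _, rest = line.strip().partition(" ")
    rec: Dict[str, str] = {"timestamp": ts}
    for key, val in _KV.findall(rest):
        rec[key] = val.strip('"')
    return rec

def match_reason(rec: Dict[str, str], ports: Set[int] = VAULT_SERVER_PORTS) -> Optional[str]:
    """Evaluate the SIEM query with explicit grouping:
    source="appliance_logs" AND (crash-branch OR failed-auth-branch).
    Returns a short reason string when the record matches, else None."""
    if rec.get("source") != "appliance_logs":
        return None                      # outer AND: both branches need this source
    if rec.get("process") == "vaultServer" and rec.get("event") == "crash":
        return "vaultServer crash"
    port = rec.get("destination_port", "")
    if port.isdigit() and int(port) in ports and rec.get("auth_status") == "failed":
        return "failed auth on vaultServer port"
    return None

def find_alerts(log_text: str, ports: Set[int] = VAULT_SERVER_PORTS) -> List[Dict[str, str]]:
    """Run match_reason over every non-empty line; return matching records
    annotated with the reason they matched."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reason = match_reason(rec, ports)
        if reason:
            alerts.append({**rec, "reason": reason})
    return alerts

# Constructed sample log, not captured from a real appliance. The last line
# would match the ungrouped form of the query (its failed-auth branch is not
# tied to source="appliance_logs") but must NOT match the grouped form.
LOG_SAMPLE = """\
2021-11-12T10:01:05Z source=appliance_logs process=vaultServer event=start
2021-11-12T10:02:17Z source=appliance_logs process=vaultServer event=crash signal=SIGSEGV
2021-11-12T10:02:30Z source=appliance_logs process=httpd event=request destination_port=443 auth_status=ok
2021-11-12T10:03:01Z source=appliance_logs process=vaultServer event=connect destination_port=12345 auth_status=failed src=203.0.113.5
2021-11-12T10:03:02Z source=other_logs process=vaultServer event=connect destination_port=12345 auth_status=failed
"""

if __name__ == "__main__":
    for a in find_alerts(LOG_SAMPLE):
        print(a["timestamp"], a["reason"])
```

A crash of vaultServer is the indicator most directly tied to a memory-corruption bug, so treat the crash branch as the higher-severity signal; repeated failed-auth hits on the vaultServer ports from one source are the noisier, earlier warning that the service is being probed.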
