Information Security News mailing list archives
Brit infosec bod finds Kaseya 'master admin' remote code exec holes
From: InfoSec News <alerts () infosecnews org>
Date: Thu, 24 Sep 2015 08:14:16 +0000 (UTC)
http://www.theregister.co.uk/2015/09/24/brit_infosec_bod_finds_kaseya_master_admin_remote_code_exec_holes/
By Darren Pauli
The Register
24 Sep 2015
Three remote code execution and privilege escalation flaws have been reported in the Kaseya IT management software which, when chained, enable unauthenticated attackers to gain 'master admin' status.
The remote upload holes reported by British Agile Information Security bod Pedro Ribeiro and since patched allow attackers to upload arbitrary code to Kaseya Virtual System Administrator.
Any net crim can exploit one vulnerability (CVE-2015-6922) to upload and execute arbitrary code on the server under the context of IIS.
That flaw, rated a severity score of 7.5, exists within the uploader.aspx page, which fails to enforce authentication and does not restrict destination file paths.
A privilege escalation flaw in the same feature, also rated 7.5 in severity, will make attackers 'master admins'.
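The two defects the article names in uploader.aspx, no authentication check and no restriction on the destination file path, are a common pairing in upload handlers. The following is an added illustration of the corresponding controls, written here for this archive page; it is not Kaseya's code and bears no relation to how Virtual System Administrator actually handles uploads. The upload directory, the extension allowlist and the session dictionary are all assumptions made for the example.

```python
import os
import posixpath

# Added example, not Kaseya's code: an upload handler that enforces the two
# controls the article says uploader.aspx lacked, an authentication check and a
# restriction on where an uploaded file may land. The root directory, the
# allowlist and the session structure are constructed for this example.

UPLOAD_ROOT = "/srv/app/uploads"                        # assumed upload directory
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf", ".txt"}  # assumed allowlist


class UploadRejected(Exception):
    """Raised when a request fails one of the upload checks."""


def resolve_destination(upload_root, requested_name):
    """Map an untrusted client-supplied name to a path inside upload_root.

    Only the final path component is kept, so directory parts, '..' segments
    and backslashes supplied by the client cannot steer the file elsewhere.
    The resolved path is then re-checked for containment as defence in depth.
    """
    name = posixpath.basename(requested_name.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise UploadRejected("empty or relative file name")
    ext = posixpath.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        # Executable server-side content (e.g. .aspx) never passes the allowlist
        raise UploadRejected("file type %r not permitted" % ext)
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, dest]) != root:
        raise UploadRejected("destination escapes upload root")
    return dest


def handle_upload(session, requested_name, content,
                  upload_root=UPLOAD_ROOT, writer=None):
    """Authenticate first, then resolve the path and write. Returns the path.

    `session` is a dict with an 'authenticated' flag standing in for a real
    server session; `writer(path, data)` performs the write and defaults to a
    no-op so the example runs without touching the filesystem.
    """
    if not session.get("authenticated"):
        raise UploadRejected("authentication required")
    dest = resolve_destination(upload_root, requested_name)
    if writer is None:
        writer = lambda path, data: None
    writer(dest, content)
    return dest


def try_upload(session, requested_name, content=b""):
    """Return (accepted, detail): the destination path or the rejection reason."""
    try:
        return True, handle_upload(session, requested_name, content)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    anon = {}
    user = {"authenticated": True}
    # Constructed requests: an anonymous upload, a plain file, two names with
    # client-supplied directory parts, and a disallowed server-side file type.
    for sess, name in [(anon, "report.pdf"),
                       (user, "report.pdf"),
                       (user, "../../web/notes.txt"),
                       (user, "..\\..\\web\\notes.txt"),
                       (user, "../../web/index.aspx")]:
        print(name, "->", try_upload(sess, name))
```

The anonymous request is refused before any path handling runs, the names with directory components are reduced to their final component and land under the upload root, and the .aspx name is refused by the allowlist rather than by the path check, which is the point of layering the two.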
[...]