ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication.In February 2019, attackers actively exploited this vulnerability in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server.
PoC代码[已公开]
id: CVE-2017-18362
info:
name: Kaseya VSA 2017 ConnectWise ManagedITSync - Remote Code Execution
author: pussycat0x
severity: critical
description: |
ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication.In February 2019, attackers actively exploited this vulnerability in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server.
impact: |
Unauthenticated attackers can execute arbitrary SQL queries to access and modify the Kaseya VSA database, deploy ransomware to all managed endpoints, and potentially compromise entire customer infrastructures.
remediation: |
Disable or remove the ConnectWise ManagedITSync integration. If required, apply the latest security patches and restrict access to the ManagedIT.asmx endpoint.
reference:
- https://github.com/kbni/owlky
- https://www.huntress.com/blog/cve-2017-18362-arbitrary-sql-injection-in-mangeditsync-integration-ba142ff24f4d
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2017-18362
cwe-id: CWE-89
epss-score: 0.81865
epss-percentile: 0.99161
cpe: cpe:2.3:a:connectwise:manageditsync:*:*:*:*:*:kaseya_vsa:*:*
metadata:
vendor: connectwise
product: manageditsync
framework: kaseya_vsa
tags: cve,cve2017,kaseya,connectwise,sqli,kev,vkev
http:
- raw:
- |
GET /KaseyaCwWebService/ManagedIT.asmx HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- contains_any(body, 'ManagedIT.asmx?op=', 'ExecuteSQLQuery')
- status_code == 200
condition: and
# digest: 490a004630440220032ba485f86b23325e0182ae5769648f127e44e5780e3b19fa9a8ada669770ea022005628f653bdd4b0cc4486797be4bc75b94f417c10f737d69ec1568e20235a857:922c64590222798bb761d5b6d8e72950