A security researcher demonstrated zero-day vulnerabilities in MSP platforms of Kaseya and ManageEngine, according to a report.
The researcher, whose name was withheld, presented the findings at the Kiwicon security conference in Wellington, New Zealand, according to SC Magazine in Australia.
In the demonstration, the researcher created an administrator account on Kaseya by injecting malicious script into a registry key used by the Kaseya user agent, according to SC Magazine. The script was accepted because of a vulnerability in which the MSP platform failed to properly validate its database, according to the report.
The researcher's demonstration of a ManageEngine vulnerability, which reportedly spoofed agent registration in version six of the MSPCentre Plus agent, failed during the conference, but the researcher said the exploit still worked, according to the report. The researcher also cited a previous vulnerability in N-able Technologies' N-central platform that has since been patched.
A Kaseya spokesperson said the company was alerted to the vulnerability through the New Zealand presentation and has successfully reproduced the attack. The company will release a hotfix to all customers Monday afternoon, she added.
Kaseya also has been unsuccessful in contacting the presenter, who goes by the name "Cartel."
"Kaseya always welcomes hearing directly from anyone who thinks they have found a hole, or have shown an exploit (as in this case), or is just worried about security of our system. We take this extremely seriously and drop everything to remediate the problem as soon as we hear of it. Typically we get a patch out within a day or two as is the case here," the spokesperson wrote in an email.
The report says the researcher previously found a vulnerability in N-central, the MSP platform from N-able Technologies, but an N-able spokesperson said the report may reference N-able incorrectly because N-central doesn't have a "rescue me" option.
"At N-able, we take any security-related issue very seriously, and work hard to ensure that any security-related issues brought to our attention are resolved as quickly as possible. N-able does not have a 'Rescue Me' option on the N-central platform, and to our knowledge, nobody on our team has been in communication with SC Magazine with regard to this story. As such, we believe that our name was incorrectly referenced in this story," the spokesperson wrote in an email.
Executives from ManageEngine could not be reached for immediate comment.