Merge pull request intrigueio#369 from intrigueio/kaseya-multiple-cve…

…-try2 Kaseya multiple CVE try2
47hunt · Jul 9, 2021 · 43f718e · 43f718e
2 parents 5264983 + cdddf83
commit 43f718e
Show file tree

Hide file tree

Showing 6 changed files with 332 additions and 0 deletions.
diff --git a/lib/checks/kaseya_cve_2021_30116.rb b/lib/checks/kaseya_cve_2021_30116.rb
@@ -0,0 +1,58 @@
+
+module Intrigue
+
+  module Issue
+    class KaseyaCve202130116 < BaseIssue
+      def self.generate(instance_details={})
+      {
+        added: "2021-07-09",
+        name: "kaseya_cve_2021_30116",
+        pretty_name: "Kaseya Credential Disclosure (CVE-2021-30116)",
+        identifiers: [
+          { type: "CVE", name: "CVE-2021-30116" }
+        ],
+        severity: 1,
+        category: "vulnerability",
+        status: "potential",
+        description: "Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021.",
+        affected_software: [ 
+          { :vendor => "Kaseya", :product => "Virtual System Administrator" }
+        ],
+        references: [
+          { type: "description", uri: "https://nvd.nist.gov/vuln/detail/CVE-2021-30116" },
+          { type: "description", uri: "https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021" }
+        ],
+        authors: ["shpendk"]
+      }.merge!(instance_details)
+      end
+    end
+  end
+
+  module Task
+    class KaseyaCve202130116 < BaseCheck 
+    def self.check_metadata
+      {
+        allowed_types: ["Uri"]
+      }
+    end
+
+    # return truthy value to create an issue
+    def check
+
+      # get enriched entity
+      require_enrichment
+
+      # get version for product
+      version = get_version_for_vendor_product(@entity, 'Kaseya', 'Virtual System Administrator')
+      return false unless version
+
+      # if its vulnerable, return some proof
+      if compare_versions_by_operator(version, "9.5.7" , "<")
+        return "Asset is vulnerable based on fingerprinted version #{version}"
+      end
+    end
+
+    end
+  end
+
+  end
diff --git a/lib/checks/kaseya_cve_2021_30117.rb b/lib/checks/kaseya_cve_2021_30117.rb
@@ -0,0 +1,58 @@
+
+module Intrigue
+
+  module Issue
+    class KaseyaCve202130117 < BaseIssue
+      def self.generate(instance_details={})
+      {
+        added: "2021-07-09",
+        name: "kaseya_cve_2021_30117",
+        pretty_name: "Kaseya Credential Disclosure (CVE-2021-30117)",
+        identifiers: [
+          { type: "CVE", name: "CVE-2021-30117" }
+        ],
+        severity: 1,
+        category: "vulnerability",
+        status: "potential",
+        description: "SQL injection exists in Kaseya VSA before 9.5.6.",
+        affected_software: [ 
+          { :vendor => "Kaseya", :product => "Virtual System Administrator" }
+        ],
+        references: [
+          { type: "description", uri: "https://nvd.nist.gov/vuln/detail/CVE-2021-30117" },
+          { type: "description", uri: "https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021" }
+        ],
+        authors: ["shpendk"]
+      }.merge!(instance_details)
+      end
+    end
+  end
+
+  module Task
+    class KaseyaCve202130117 < BaseCheck 
+    def self.check_metadata
+      {
+        allowed_types: ["Uri"]
+      }
+    end
+
+    # return truthy value to create an issue
+    def check
+
+      # get enriched entity
+      require_enrichment
+
+      # get version for product
+      version = get_version_for_vendor_product(@entity, 'Kaseya', 'Virtual System Administrator')
+      return false unless version
+
+      # if its vulnerable, return some proof
+      if compare_versions_by_operator(version, "9.5.6" , "<")
+        return "Asset is vulnerable based on fingerprinted version #{version}"
+      end
+    end
+
+    end
+  end
+
+  end
diff --git a/lib/checks/kaseya_cve_2021_30118.rb b/lib/checks/kaseya_cve_2021_30118.rb
@@ -0,0 +1,54 @@
+module Intrigue
+  module Issue
+    class KaseyaCve202130118 < BaseIssue
+      def self.generate(instance_details = {})
+        {
+          added: '2021-07-09',
+          name: 'kaseya_cve_2021_30118',
+          pretty_name: 'Kaseya VSA RCE (CVE-2021-30118)',
+          identifiers: [
+            { type: 'CVE', name: 'CVE-2021-30118' }
+          ],
+          severity: 1,
+          category: 'vulnerability',
+          status: 'potential',
+          description: 'Kaseya VSA before 9.5.5 allows remote code execution.',
+          affected_software: [
+            { vendor: 'Kaseya', product: 'Virtual System Administrator' }
+          ],
+          references: [
+            { type: 'description', uri: 'https://nvd.nist.gov/vuln/detail/CVE-2021-30118' },
+            { type: 'description',
+              uri: 'https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021' }
+          ],
+          authors: ['adambakalar']
+        }.merge!(instance_details)
+      end
+    end
+  end
+
+  module Task
+    class KaseyaCve202130118 < BaseCheck
+      def self.check_metadata
+        {
+          allowed_types: ['Uri']
+        }
+      end
+
+      # return truthy value to create an issue
+      def check
+        # get enriched entity
+        require_enrichment
+
+        # get version for product
+        version = get_version_for_vendor_product(@entity, 'Kaseya', 'Virtual System Administrator')
+        return false unless version
+
+        # if its vulnerable, return some proof
+        if compare_versions_by_operator(version, '9.5.5', '<')
+          return "Asset is vulnerable based on fingerprinted version #{version}"
+        end
+      end
+    end
+  end
+end
diff --git a/lib/checks/kaseya_cve_2021_30119.rb b/lib/checks/kaseya_cve_2021_30119.rb
@@ -0,0 +1,54 @@
+module Intrigue
+  module Issue
+    class KaseyaCve202130119 < BaseIssue
+      def self.generate(instance_details = {})
+        {
+          added: '2021-07-09',
+          name: 'kaseya_cve_2021_30119',
+          pretty_name: 'Kaseya VSA XSS (CVE-2021-30119)',
+          identifiers: [
+            { type: 'CVE', name: 'CVE-2021-30119' }
+          ],
+          severity: 3,
+          category: 'vulnerability',
+          status: 'potential',
+          description: 'Cross Site Scripting (XSS) exists in Kaseya VSA before 9.5.7.',
+          affected_software: [
+            { vendor: 'Kaseya', product: 'Virtual System Administrator' }
+          ],
+          references: [
+            { type: 'description', uri: 'https://nvd.nist.gov/vuln/detail/CVE-2021-30119' },
+            { type: 'description',
+              uri: 'https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021' }
+          ],
+          authors: ['adambakalar']
+        }.merge!(instance_details)
+      end
+    end
+  end
+
+  module Task
+    class KaseyaCve202130119 < BaseCheck
+      def self.check_metadata
+        {
+          allowed_types: ['Uri']
+        }
+      end
+
+      # return truthy value to create an issue
+      def check
+        # get enriched entity
+        require_enrichment
+
+        # get version for product
+        version = get_version_for_vendor_product(@entity, 'Kaseya', 'Virtual System Administrator')
+        return false unless version
+
+        # if its vulnerable, return some proof
+        if compare_versions_by_operator(version, '9.5.7', '<')
+          return "Asset is vulnerable based on fingerprinted version #{version}"
+        end
+      end
+    end
+  end
+end
diff --git a/lib/checks/kaseya_cve_2021_30120.rb b/lib/checks/kaseya_cve_2021_30120.rb
@@ -0,0 +1,54 @@
+module Intrigue
+  module Issue
+    class KaseyaCve202130120 < BaseIssue
+      def self.generate(instance_details = {})
+        {
+          added: '2021-07-09',
+          name: 'kaseya_cve_2021_30120',
+          pretty_name: 'Kaseya VSA 2FA Bypass (CVE-2021-30120)',
+          identifiers: [
+            { type: 'CVE', name: 'CVE-2021-30120' }
+          ],
+          severity: 2,
+          category: 'vulnerability',
+          status: 'potential',
+          description: 'Kaseya VSA through 9.5.7 allows attackers to bypass the 2FA requirement.',
+          affected_software: [
+            { vendor: 'Kaseya', product: 'Virtual System Administrator' }
+          ],
+          references: [
+            { type: 'description', uri: 'https://nvd.nist.gov/vuln/detail/CVE-2021-30120' },
+            { type: 'description',
+              uri: 'https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021' }
+          ],
+          authors: ['adambakalar']
+        }.merge!(instance_details)
+      end
+    end
+  end
+
+  module Task
+    class KaseyaCve202130120 < BaseCheck
+      def self.check_metadata
+        {
+          allowed_types: ['Uri']
+        }
+      end
+
+      # return truthy value to create an issue
+      def check
+        # get enriched entity
+        require_enrichment
+
+        # get version for product
+        version = get_version_for_vendor_product(@entity, 'Kaseya', 'Virtual System Administrator')
+        return false unless version
+
+        # if its vulnerable, return some proof
+        if compare_versions_by_operator(version, '9.5.7', '<')
+          return "Asset is vulnerable based on fingerprinted version #{version}"
+        end
+      end
+    end
+  end
+end
diff --git a/lib/checks/kaseya_cve_2021_30121.rb b/lib/checks/kaseya_cve_2021_30121.rb
@@ -0,0 +1,54 @@
+module Intrigue
+  module Issue
+    class KaseyaCve202130121 < BaseIssue
+      def self.generate(instance_details = {})
+        {
+          added: '2021-07-09',
+          name: 'kaseya_cve_2021_30121',
+          pretty_name: 'Kaseya VSA LFI (CVE-2021-30121)',
+          identifiers: [
+            { type: 'CVE', name: 'CVE-2021-30121' }
+          ],
+          severity: 1,
+          category: 'vulnerability',
+          status: 'potential',
+          description: 'Local file inclusion exists in Kaseya VSA before 9.5.6.',
+          affected_software: [
+            { vendor: 'Kaseya', product: 'Virtual System Administrator' }
+          ],
+          references: [
+            { type: 'description', uri: 'https://nvd.nist.gov/vuln/detail/CVE-2021-30121' },
+            { type: 'description',
+              uri: 'https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021' }
+          ],
+          authors: ['adambakalar']
+        }.merge!(instance_details)
+      end
+    end
+  end
+
+  module Task
+    class KaseyaCve202130121 < BaseCheck
+      def self.check_metadata
+        {
+          allowed_types: ['Uri']
+        }
+      end
+
+      # return truthy value to create an issue
+      def check
+        # get enriched entity
+        require_enrichment
+
+        # get version for product
+        version = get_version_for_vendor_product(@entity, 'Kaseya', 'Virtual System Administrator')
+        return false unless version
+
+        # if its vulnerable, return some proof
+        if compare_versions_by_operator(version, '9.5.6', '<')
+          return "Asset is vulnerable based on fingerprinted version #{version}"
+        end
+      end
+    end
+  end
+end