U.S. technology firm Kaseya has released security patches to address two zero-day vulnerabilities affecting its Unitrends enterprise backup and continuity solution that could result in privilege escalation and authenticated remote code execution.
The two weaknesses are part of a trio of vulnerabilities discovered and reported by researchers at the Dutch Institute for Vulnerability Disclosure (DIVD) on July 3, 2021.
The IT infrastructure management solution provider has addressed the issues in server software version 10.5.5-2 released on August 12, DIVD said. An as-yet-undisclosed client-side vulnerability in Kaseya Unitrends remains unpatched, but the company has published firewall rules that can be applied to filter traffic to and from the client and mitigate any risk associated with the flaw. As an additional precaution, it’s recommended not to leave the servers accessible over the internet.
Although specifics related to the vulnerabilities are sparse, the shortcomings concern an authenticated remote code execution vulnerability as well as a privilege escalation flaw from read-only user to admin on Unitrends servers, both of which hinge on the possibility that an attacker…