CVE-2017-18362
Published: 2019-02-05
Priority: P1 (100) · Critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Ransomware
CISA Known Exploited Vulnerability (remediation due 2022-06-14)
Exploited in the wild
EPSS: 86.71% (99.7th percentile)
ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. In February 2019, attackers actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is reachable via the Kaseya VSA web interface, anyone with access to the page can run arbitrary SQL queries, both read and write, without authentication.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| connectwise | manageditsync | <= 2017 | — |
Detection & IOCs (extracted from sources)
suricata (ET Open, sid 2034492; the rule uses Suricata sticky-buffer keywords such as http.method and http.uri, so it is not loadable as-is by Snort)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Kaseya VSA ManagedITSync SQL Injection (CVE-2017-18362)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"KaseyaCwWebService/ManagedIT.asmx"; nocase; fast_pattern; http.request_body; content:"|27|"; pcre:"/^(?:CREATE|SELECT|INSERT|UPDATE|EXEC)/Ri"; reference:url,github.com/kbni/owlky/blob/master/owlky.py; reference:cve,2017-18362; classtype:attempted-admin; sid:2034492; rev:2; metadata:created_at 2021_11_17, cve CVE_2017_18362, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Detect exploitation attempts by matching HTTP POST requests to the KaseyaCwWebService/ManagedIT.asmx URI whose body contains a single-quote byte (0x27) immediately followed by one of the SQL keywords CREATE, SELECT, INSERT, UPDATE or EXEC (the pcre is relative to the quote match and anchored, so a quote followed by anything else does not fire).
- Check for the presence of the vulnerable endpoint by issuing a GET request to /KaseyaCwWebService/ManagedIT.asmx and looking for the strings 'ManagedIT.asmx?op=' or 'ExecuteSQLQuery' in the body of an HTTP 200 response.
- The ransomware payload deployed in active exploitation was GandCrab; hunt for GandCrab indicators on endpoints managed by any VSA server exposed to this vulnerability.
- Check Add or Remove Programs on the VSA server for 'ConnectWise MSP Kaseya Web Service' as an indicator that the vulnerable integration is installed.
- Audit the VSA server for suspicious or malicious footholds and newly created administrative accounts, since the SQL injection lets attackers create admin users and change passwords without authentication.
- The vulnerability only affects on-premises Kaseya VSA servers with the ConnectWise ManagedITSync integration installed; cloud-hosted VSA instances are not affected.
- The impacted product is end-of-life; CISA requires disconnection if it is still in use rather than patching.
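The request-side logic of the Suricata rule above and the exposure check from the second bullet, as an added Python model (this is not code from Emerging Threats, Kaseya or the owlky project). The HTTP requests are constructed test input; the SOAP element names inside them are placeholders, not the real ManagedIT.asmx WSDL, and the only values taken from the rule are the URI, the 0x27 byte and the keyword list.

```python
import re
import urllib.error
import urllib.request

# Added example: models ET sid:2034492 and the ManagedIT.asmx exposure check.
# Element names in the SOAP body below are placeholders (assumption), not the
# real service's WSDL.

URI_NEEDLE = b"kaseyacwwebservice/managedit.asmx"      # http.uri content, nocase
SQL_KEYWORD = re.compile(rb"(?:CREATE|SELECT|INSERT|UPDATE|EXEC)", re.IGNORECASE)
EXPOSURE_MARKERS = (b"ManagedIT.asmx?op=", b"ExecuteSQLQuery")


def build_request(method: str, uri: str, body: bytes = b"") -> bytes:
    """Assemble a minimal HTTP/1.1 request (constructed test input)."""
    head = (f"{method} {uri} HTTP/1.1\r\nHost: vsa.example.test\r\n"
            f"Content-Type: text/xml; charset=utf-8\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body


def parse_request(raw: bytes):
    """Split a raw request into (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    method, uri, _ = head.split(b"\r\n", 1)[0].split(b" ", 2)
    return method, uri, body


def matches_sid_2034492(raw: bytes) -> bool:
    """True when the request satisfies every match clause of the rule."""
    method, uri, body = parse_request(raw)
    if method != b"POST":                        # http.method; content:"POST"
        return False
    if URI_NEEDLE not in uri.lower():            # http.uri; content:"..."; nocase
        return False
    # http.request_body; content:"|27|"; pcre:"/^(CREATE|...)/Ri"
    # /R with ^ anchors the regex right after the matched quote, so a keyword
    # must directly follow a quote. The engine retries later quote positions
    # when the relative match fails, so every quote in the body is tried.
    start = 0
    while (pos := body.find(b"'", start)) != -1:
        if SQL_KEYWORD.match(body, pos + 1):
            return True
        start = pos + 1
    return False


def endpoint_exposed(status: int, body: bytes) -> bool:
    """Exposure test from the IOC bullet: HTTP 200 plus one of the marker strings."""
    return status == 200 and any(marker in body for marker in EXPOSURE_MARKERS)


def probe(base_url: str, timeout: float = 10.0) -> bool:
    """Live GET check; only run against a VSA server you are authorized to test."""
    url = base_url.rstrip("/") + "/KaseyaCwWebService/ManagedIT.asmx"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return endpoint_exposed(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return endpoint_exposed(err.code, err.read())


# Constructed SOAP envelope; <Query><sql> are placeholder names (assumption).
SOAP = (b'<?xml version="1.0"?>'
        b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b"<soap:Body><Query><sql>%s</sql></Query></soap:Body></soap:Envelope>")


def run_samples() -> dict:
    """Run the rule model over constructed requests; returns {label: fired}."""
    path = "/KaseyaCwWebService/ManagedIT.asmx"
    cases = {
        "soap_select":   build_request("POST", path, SOAP % b"'SELECT name FROM sys.tables--"),
        "soap_exec_lc":  build_request("POST", path.upper(), SOAP % b"'exec sp_help--"),
        "get_wsdl":      build_request("GET", path + "?WSDL"),
        "other_path":    build_request("POST", "/api/other.asmx", SOAP % b"'SELECT 1"),
        "form_encoded":  build_request("POST", path, b"sql=%27SELECT+1"),  # %27 is not 0x27
        "quote_then_or": build_request("POST", path, SOAP % b"x' OR 1=1--"),
    }
    return {label: matches_sid_2034492(raw) for label, raw in cases.items()}


if __name__ == "__main__":
    for label, fired in run_samples().items():
        print(f"{label:14s} -> {'ALERT' if fired else 'no match'}")
```

Two properties of the rule become visible when it is run this way: a quote followed by anything other than one of the five keywords (the `x' OR 1=1--` case) does not fire, and because http.request_body is matched as sent, a form-encoded `%27` never satisfies content:"|27|". Treat the rule as a high-confidence hit on the known tooling rather than as full coverage of the endpoint.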
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | High | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| VulnCheck | | 9.8 | Critical | |
| CISA | | 9.8 | Critical | |
CISA
Kaseya VSA SQL Injection Vulnerability
cisa · 2022-05-24 · CVSS 9.8 · CRITICAL · CWE-89
Vulnerability: Kaseya VSA SQL Injection Vulnerability
Affected: Kaseya Virtual System/Server Administrator (VSA)
ConnectWise ManagedITSync integration for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database.
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-18362
Remediation Due Date: 2022-06-14
GHSA
GHSA-w35f-w5cg-jqhh
ghsa_unreviewed · 2022-05-14 · CRITICAL · CWE-89
ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. In February 2019, attackers actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is reachable via the Kaseya VSA web interface, anyone with access to the page can run arbitrary SQL queries, both read and write, without authentication.
VulnCheck
Kaseya VSA SQL Injection Vulnerability
vulncheck · 2017 · CVSS 9.8 · CRITICAL · CWE-89
ConnectWise ManagedITSync integration for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database.
Affected: Kaseya Virtual System/Server Administrator (VSA)
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Known Ransomware Campaign Use: Known
Exploitation References: https://blog.huntresslabs.com/cve-2017-18362-arbitrary-sql-injection-in-mangeditsync-integration-ba142ff24f4d; https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github; https://cybersecurityworks.com/howdymanage/uploads/file/ransomware-_-2022-spotlight-report_compressed.pdf; https://www.fortiguard.com/threat-signal-report/
Suricata
ET EXPLOIT Kaseya VSA ManagedITSync SQL Injection (CVE-2017-18362)
suricata · 2021-11-17 · CVSS 9.8 · CRITICAL
Rule: ET Open sid:2034492 rev:2; the full rule text is quoted under Detection & IOCs above.
Nuclei
Kaseya VSA 2017 ConnectWise ManagedITSync - Remote Code Execution
nuclei · CVSS 9.8 · CRITICAL
ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. If the ManagedIT.asmx page is reachable via the Kaseya VSA web interface, anyone with access to the page can run arbitrary SQL queries, both read and write, without authentication. In February 2019, attackers actively exploited this vulnerability in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server.
Template (excerpt):
id: CVE-2017-18362
info:
  name: Kaseya VSA 2017 ConnectWise ManagedITSync - Remote Code Execution
  author: pussycat0x
  severity: critical
  description: |
    ConnectWise ManagedITSync integration throug
References
- http://archive.today/rdkeQ
- https://github.com/kbni/owlky
- https://webcache.googleusercontent.com/search?q=cache:ZEo8ZRF_iEIJ:https://helpdesk.kaseya.com/hc/en-gb/articles/360022495572-Connectwise-API-Vulnerability+
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-18362
Timeline
- 2019-02-05: Published
- 2022-05-24: Added to CISA KEV
- Exploited in the wild