CVE-2017-18362
published 2019-02-05

CVE-2017-18362: ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya…

Priority: P1 (score 100, critical) · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability (remediation due 2022-06-14)
Exploited in the wild
EPSS: 86.71% (99.7th percentile)
ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. In February 2019, attackers actively exploited this in the wild to download and execute ransomware payloads on every endpoint managed by the compromised VSA server. If the ManagedIT.asmx page is reachable through the Kaseya VSA web interface, anyone who can reach that page can run arbitrary SQL queries, both read and write, against the VSA database without authenticating; the flaw is an unauthenticated SQL injection in a SOAP web service, not an authentication bypass in VSA itself.

Affected

1 range
Vendor        Product         Version range   Fixed in
connectwise   manageditsync   <= 2017         none listed

Detection & IOCs (extracted from sources)

path:     /KaseyaCwWebService/ManagedIT.asmx
url:      https://mykaseyaserver.com/kaseyacwwebservice/managedit.asmx
filename: ManagedIT.asmx
snort/suricata rule (ET sid 2034492; written with Suricata sticky-buffer keywords such as http.method, http.uri and http.request_body, so it needs Suricata 5+ or an equivalent Snort 3 translation):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Kaseya VSA ManagedITSync SQL Injection (CVE-2017-18362)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"KaseyaCwWebService/ManagedIT.asmx"; nocase; fast_pattern; http.request_body; content:"|27|"; pcre:"/^(?:CREATE|SELECT|INSERT|UPDATE|EXEC)/Ri"; reference:url,github.com/kbni/owlky/blob/master/owlky.py; reference:cve,2017-18362; classtype:attempted-admin; sid:2034492; rev:2; metadata:created_at 2021_11_17, cve CVE_2017_18362, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Detect exploitation attempts by matching HTTP POST requests whose URI contains KaseyaCwWebService/ManagedIT.asmx (case-insensitive) and whose body contains a single-quote byte (0x27) immediately followed by one of the SQL keywords CREATE, SELECT, INSERT, UPDATE or EXEC (the pcre is relative to the quote match, so a quote with whitespace or other characters between it and the keyword does not fire the rule).
  • Check for the presence of the vulnerable endpoint by issuing a GET request to /KaseyaCwWebService/ManagedIT.asmx and looking for the strings 'ManagedIT.asmx?op=' or 'ExecuteSQLQuery' in the response body with HTTP 200 status.
  • Ransomware payload deployed in active exploitation was GandCrab; hunt for GandCrab indicators on endpoints managed by any VSA server exposed to this vulnerability.
  • Check Add or Remove Programs on the VSA server for 'ConnectWise MSP Kaseya Web Service' as an indicator of the vulnerable integration being installed.
  • Audit VSA server for suspicious/malicious footholds and newly created administrative accounts, as the SQL injection allows attackers to create admin users and change passwords without authentication.
  • Vulnerability only affects on-premises Kaseya VSA servers with the ConnectWise ManagedITSync integration installed; cloud-hosted VSA instances are not affected.
  • The impacted product is end-of-life; CISA requires disconnection if still in use rather than patching.
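The two checks described in the first two bullets, as an added example that is not code from this page, from Kaseya, or from Emerging Threats: a Python re-implementation of the matching conditions of ET sid 2034492 that can be run over a captured HTTP request offline, plus the endpoint-presence test (HTTP 200 and one of the marker strings). The sample requests, the host name and the SOAP element names are constructed placeholders; the real ManagedIT.asmx request schema is not shown on this page. It assumes the usual Suricata semantics for a relative (R) pcre, namely that ^ anchors directly after the preceding content match and that later occurrences of the quote are retried when the pcre fails.

```python
"""Detection helpers for CVE-2017-18362 (Kaseya VSA ManagedITSync).

Added example, not code from the page, from Kaseya, or from Emerging Threats:
it re-implements the matching logic of ET sid 2034492 in Python so a captured
request can be checked offline, and adds the endpoint-presence check from the
IOC list. All HTTP samples below are constructed for illustration.
"""
import re

# Strings taken from the rule and the IOC list above.
VULN_PATH = "KaseyaCwWebService/ManagedIT.asmx"
EXPOSURE_MARKERS = ("ManagedIT.asmx?op=", "ExecuteSQLQuery")

# The rule's pcre "/^(?:CREATE|SELECT|INSERT|UPDATE|EXEC)/Ri" is relative (R)
# to the preceding content:"|27|" match, so its ^ anchors right after the
# single quote: the keyword must follow the quote with nothing in between.
# Assumption: the engine retries later quote occurrences when the pcre fails,
# which is why this searches the whole body rather than only the first quote.
INJECTION_RE = re.compile(rb"'(?:CREATE|SELECT|INSERT|UPDATE|EXEC)", re.IGNORECASE)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, request-target, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line: %r" % request_line)
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace"), body


def matches_et_2034492(raw: bytes) -> bool:
    """True if the request satisfies every condition of the ET rule:
    POST method, the ManagedIT.asmx path anywhere in the URI (nocase), and a
    single quote in the body directly followed by a SQL keyword (nocase).
    """
    method, uri, body = parse_http_request(raw)
    if method != "POST":
        return False                                  # http.method; content:"POST"
    if VULN_PATH.lower() not in uri.lower():
        return False                                  # http.uri; content:"..."; nocase
    return INJECTION_RE.search(body) is not None      # content:"|27|" + relative pcre


def endpoint_exposed(status: int, body: str) -> bool:
    """Presence check from the IOC list: HTTP 200 and one of the marker
    strings in the response to GET /KaseyaCwWebService/ManagedIT.asmx."""
    return status == 200 and any(marker in body for marker in EXPOSURE_MARKERS)


# Constructed samples (hypothetical host, placeholder SOAP element names).
HIT_REQUEST = (
    b"POST /kaseyacwwebservice/managedit.asmx HTTP/1.1\r\n"
    b"Host: mykaseyaserver.com\r\n"
    b"Content-Type: text/xml\r\n\r\n"
    b"<Envelope><Body><Query>'SELECT * FROM users--</Query></Body></Envelope>"
)
MISS_NOT_POST = HIT_REQUEST.replace(b"POST", b"GET", 1)
MISS_OTHER_PATH = HIT_REQUEST.replace(b"/kaseyacwwebservice/managedit.asmx", b"/index.html", 1)
# Quote followed by a space: the anchored pcre does not match.
MISS_SPACED = HIT_REQUEST.replace(b"'SELECT", b"' SELECT", 1)

if __name__ == "__main__":
    for name, req in [("hit", HIT_REQUEST), ("not_post", MISS_NOT_POST),
                      ("other_path", MISS_OTHER_PATH), ("spaced", MISS_SPACED)]:
        print(f"{name:10s} -> {matches_et_2034492(req)}")
    print("exposed:", endpoint_exposed(200, "<a href='ManagedIT.asmx?op=ExecuteSQLQuery'>"))
```

The MISS_SPACED case is the practical caveat: because the keyword has to follow the quote byte directly, payloads such as a quote followed by a space, or a query with no leading quote at all, never fire this signature, so it should be treated as a high-confidence but low-coverage indicator and paired with the presence check and the host-based indicators listed above rather than relied on alone.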

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck   -         9.8     CRITICAL
cisa        -         9.8     CRITICAL