http://www.theregister.co.uk/2015/09/24/brit_infosec_bod_finds_kaseya_master_admin_remote_code_exec_holes/
By Darren Pauli
The Register
24 Sep 2015
Three remote code execution and privilege escalation flaws have been
reported in Kaseya's IT management software which, when chained, let
unauthenticated attackers gain 'master admin' status.
The remote upload holes, reported by Pedro Ribeiro of British firm Agile
Information Security and since patched, allow attackers to upload arbitrary
code to Kaseya Virtual System Administrator (VSA).
Any net crim can exploit one vulnerability (CVE-2015-6922) to upload and
execute arbitrary code on the server in the security context of IIS.
That flaw, rated a severity score of 7.5, exists within the uploader.aspx
page, which fails to enforce authentication and does not restrict the
destination file path, so an uploaded file can land where the web server
will execute it.
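The two properties the report attributes to uploader.aspx, no authentication check and no restriction on where the upload is written, are illustrated below, with the flawed pattern beside a hardened handler. This is an added example written for this page, not Kaseya's code: the upload root (a temporary directory), the session dictionary, the extension allowlist and the HTTP-style status codes are all assumptions.

```python
import os
import tempfile
from pathlib import Path

# Assumed upload directory for the demo; created fresh so the example runs offline.
UPLOAD_ROOT = Path(tempfile.mkdtemp(prefix="uploads-"))

# Assumed allowlist: nothing the web server would execute (.aspx, .ashx, ...) is in it.
ALLOWED_EXTENSIONS = {".txt", ".log", ".zip", ".csv"}


def unsafe_destination(filename: str) -> str:
    """The flawed pattern: the client-supplied name is joined straight onto the
    upload root. '../' segments or an absolute name escape the root entirely."""
    return os.path.normpath(os.path.join(str(UPLOAD_ROOT), filename))


def escapes_root(path: str) -> bool:
    """True when a normalised path is not strictly inside UPLOAD_ROOT."""
    root = os.path.normpath(str(UPLOAD_ROOT))
    return os.path.commonpath([root, os.path.normpath(path)]) != root


def safe_destination(filename: str) -> Path:
    """Hardened version: accept only a bare file name with a permitted extension,
    then verify the resolved path still sits directly under UPLOAD_ROOT."""
    if (not filename or filename in (".", "..") or "\x00" in filename
            or "/" in filename or "\\" in filename):
        raise ValueError("filename must be a bare name without separators")
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("file type not permitted")
    root = UPLOAD_ROOT.resolve()
    candidate = (root / filename).resolve()
    if candidate.parent != root:  # defence in depth behind the checks above
        raise ValueError("destination escapes upload root")
    return candidate


def handle_upload(session: dict, filename: str, data: bytes):
    """Authenticate first, then write only inside UPLOAD_ROOT.
    Returns an (assumed) status code and a message or the stored path."""
    if not session.get("user"):          # the check uploader.aspx lacked
        return 401, "authentication required"
    try:
        dest = safe_destination(filename)
    except ValueError as exc:
        return 400, str(exc)
    dest.write_bytes(data)
    return 201, str(dest)


if __name__ == "__main__":
    # Constructed inputs: a traversal name aimed at the web root, and a benign upload.
    evil = "../../../inetpub/wwwroot/shell.aspx"
    print("flawed join escapes root:", escapes_root(unsafe_destination(evil)))
    print("unauthenticated:", handle_upload({}, "report.txt", b"x"))
    print("traversal:", handle_upload({"user": "alice"}, evil, b"x"))
    print("executable type:", handle_upload({"user": "alice"}, "shell.aspx", b"x"))
    print("accepted:", handle_upload({"user": "alice"}, "report.txt", b"hello"))
```

Rejecting any name containing a separator, rather than silently stripping the directory part, is deliberate: a request that carries '../' is an attack indicator worth logging, not input to be normalised.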
A privilege escalation flaw in the same feature, also rated 7.5 in
severity, will make attackers 'master admins'.
[...]