Audit Compliance Implications

Many compliance standards can be ambiguous as to shared password policies, and some don’t actually provide direct requirements to meet compliance. Certain audit standards may have requirements that cannot be met by this method of granting access. The following references show varying points that may apply during an audit. The underline and italics are mine.

• PCI-DSS 3.0 Requirement 2.2 states, “Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to: (a) Center for Internet Security (CIS), (b) International Organization for Standardization (ISO), (c) SysAdmin Audit Network Security (SANS) Institute, (d) National Institute of Standards Technology (NIST).” https://www.pcisecuritystandards.org/documents/Prioritized-Approach-for-PCI_DSS-v3_2.pdf
• CIS Control 4 states in part, “The second common technique used by attackers is elevation of privileges by guessing or cracking a password for an administrative user to gain access to a target machine. If administrative privileges are loosely and widely distributed, or identical to passwords used on less critical systems, the attacker has a much easier time gaining full control of systems, because there are many more accounts that can act as avenues for the attacker to compromise administrative privileges.” https://www.cisecurity.org/controls/controlled-use-of-administrative-privileges/
• NIST 800-53 IA-5(6) states, “The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.” https://nvd.nist.gov/800-53/Rev4/control/IA-5
• NIST 800-53 IA-5(8) states, “The organization implements safeguards to manage the risk of compromise due to individuals having accounts on multiple information systems.” https://nvd.nist.gov/800-53/Rev4/control/IA-5

Despite some audit standards being less than specific than others, most security professionals would agree that Kaseya’s default approach to granting LAN Cache access would not be appropriate. Allowing the Kaseya VSA to create and manage the accounts used to access the LAN Cache across many systems may end up with an auditor failing an organization based on the standards mentioned above.

What can the network defenders do?

An organization should always know the implications a certain software or feature may have on the risk profile of any given system (or set of systems) prior to deployment. Additionally, the existing periodic entitlement reviews should not be limited to accounts in the domain. New local accounts and group memberships can have serious implications to the risk of environment that may not be readily apparent. Lastly, if an account looks suspicious, don’t rest until you are confident the account does not pose risk above the risk appetite of the organization.

Administrators should take the following action to limit the potential damage caused by the default FSAdminxxxxxxxxx accounts:

1. Remove any Domain Controllers as clients of the LAN Cache and remove all FSAdminxxxxxxxxx accounts from the domain.
2. Deploy a new LAN Cache using domain credentials following least privilege principles
   
   • Please note that I have not personally reviewed the implications of using this approach, but this is the only other option for using the LAN Cache feature according to Kaseya’s documentation. I also do not know what permissions may be truly required. I don’t recommend using the “Domain Admins” group for granting access rights.
3. Ensure that local FSAdminxxxxxxxxx accounts are removed from all workstations and servers in the environment. It’s unclear if the VSA will do this automatically.
4. Kaseya also offers peer-to-peer file sharing as an alternative to the LAN Cache, and their security team provided this as the current recommended solution. I did not perform any research surrounding this technology or implementation, and I cannot speak to the effectiveness of security controls. It does appear that the new technology has moved away from using local accounts and SMB in favor of PKI and HTTPS though. https://helpdesk.kaseya.com/hc/en-gb/articles/229039628-Use-of-digital-certificates-to-secure-Endpoint-communication-channel

Disclosure Timeline

6/20/2019 – Initial discovery of FSAdminxxxxxxxxx accounts and research into how they are used

6/21/2019 – Performed PoC exploitation using off-the-shelf toolsets. Crafted an email and sent to Kaseya security team

7/12/2019 – Sent an email to Kaseya security requesting a status

7/16/2019 – Received first response from Kaseya and I responded with clarifying information

7/18/2019 – Received second response from Kaseya that provided a recommendation to use the domain account method rather than the default method

7/24/2019 – Conference call with Kaseya senior executive team where they promised to investigate and demonstrated commitment to take the issue seriously

8/1/2019 – Submitted CVE request to Mitre and CVE-2019-14510 received (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14510)

8/22/2019 – Conference call with Kaseya security and software architecture teams clarifying the issue further

9/6/2019 – Received notice that Kaseya would offer specific guidance to their customers regarding this issue

10/9/2019 – Public Disclosure