fyr.io

Kaseya Says Yes

Posted on

I just read the truesec analysis of the Kaseya VSA 0-day that hit the news earlier in the month. I love reading articles like this, but this one in particular I had to highlight.

The authentication... "bypass"... utilised as a first step: D'oh! How did something like that even get into production? The linked article has more details but essentially, if all authentication checks fail (when querying this particular file, not generally) instead of saying "Nope, you are not authenticated!" they instead say "Oh, you don't supply a password that we can verify? Ok, let's give you authenticated status anywayđź‘Ť".

Logic failures like this generally don't happen in the ideal world because they're blindingly obvious, so allow me to speculate for the rest of this paragraph. I can only assume that a developer temporarily set this up to diagnose a bug or test a feature and simply forgot to flip it back to "fail by default". This is why peer review is important, though the rush to get things out to production works against this. It's too easy to miss this kind of thing in the modern world. It shouldn't be, but it is. There should be no blame here on any individual "- I suspect a process/procedure needs to be looked at, or a team needs to be better resourced.