Ask the Community
Groups
CVE-2017-12410: TOCTOU Flaw in the VSA's Agent - Connect IT Community | Kaseya
<main> <article class="userContent"> <h3 data-id="issue">Issue</h3> <p>A Time of Check & Time of Use (TOCTOU) flaw exists within the VSA Agent on the endpoint where a user can take advantage of a race condition, which could result in executing code with system privileges. The likelihood of practical exploit is low. This flaw cannot be executed remotely and requires that an attacker has already compromised the underlying machine gaining local control of the endpoint with the ability to execute their own code. </p> <h3 data-id="resolution">Resolution</h3> <p>Step 1 - Update your VSA to the latest patch following the steps highlighted <a href="/home/leaving?allowTrusted=1&target=http%3A%2F%2Fhelp.kaseya.com%2Fwebhelp%2FEN%2FRN%2Findex.asp%2337895.htm" rel="noopener nofollow">here</a>.</p> <blockquote class="blockquote"> <div class="blockquote-content"> <div dir="ltr"> <div> <ul><li>R9.3 or earlier – Upgrade to R9.4.0.37 or R9.5.</li> <li>R9.4 – Install patch 9.4.0.37 or higher.</li> <li>R9.5 – Not affected.</li> </ul></div> </div> </div> </blockquote> <p><strong>Note: </strong>For Kaseya SaaS customers, no action is required; our SaaS instances are already on R9.5.</p> <p>After the patch, a new subdirectory is created in the Agent Working Directory called “System” which only the SYSTEM context and Administrators group have Modify and Write permissions to. Standard users have Read and Execute only. All Kaseya binaries that are executed on a recurring basis from the working directory will now be executed from the System folder.</p> <p>Step 2 – ensure that custom Agent Procedures execute files from a secure location.</p> <p>Update any custom Agent Procedures that execute files under System context, or as an elevated credential, from the working directory or other non-secure folder, to use the System folder. If a variable is used to define the file path, it can be changed to use the System folder by changing the value type in getVariable() step from “Agent Working Directory” to “Secure Agent Working Directory”.</p> <p><img src="https://us.v-cdn.net/6032361/uploads/migrated/HEVQXEC8GZBN/toctou.png" alt="TOCTOU.png" class="embedImage-img importedEmbed-img"></img></p> <p><strong>Applies to:</strong> VSA Version <a href="/home/leaving?allowTrusted=1&target=http%3A%2F%2Fhelp.kaseya.com%2Fwebhelp%2FEN%2FRN%2Findex.asp%2340254.htm" rel="noopener nofollow">9.4.0.36</a> and earlier.</p> </article> </main>