CVE-2021-43035 in Unitrends Backup Appliance
Summary
by MITRE • 12/06/2021
An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Two unauthenticated SQL injection vulnerabilities were discovered, allowing arbitrary SQL queries to be injected and executed under the postgres superuser account. Remote code execution was possible, leading to full access to the postgres user account.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 12/09/2021
The vulnerability CVE-2021-43035 represents a critical security flaw in the Kaseya Unitrends Backup Appliance software affecting versions prior to 10.5.5. This issue stems from improper input validation within the application's database interaction components, creating a pathway for attackers to inject malicious SQL commands directly into the system's backend postgres database. The vulnerability manifests as two distinct SQL injection vectors that can be exploited without requiring authentication credentials, making it particularly dangerous as it eliminates the need for initial access privileges. The flaw specifically targets the application's handling of user-supplied input that is subsequently processed by the postgres database engine, allowing attackers to execute arbitrary SQL commands with elevated privileges.
The technical exploitation of this vulnerability occurs through the manipulation of input parameters that are directly passed to postgres database queries without proper sanitization or parameterization. When an attacker crafts malicious input that bypasses the application's validation mechanisms, the system processes these inputs as part of the SQL command execution, effectively allowing the attacker to inject additional SQL statements. This injection occurs at the database level where the postgres superuser account is utilized, providing attackers with elevated privileges that extend beyond normal user permissions. The postgres superuser account possesses extensive capabilities including database schema manipulation, data retrieval, and system-level operations that can be leveraged for comprehensive system compromise.
The operational impact of this vulnerability is severe and far-reaching, as it enables full remote code execution capabilities against the affected appliance. Attackers who successfully exploit this vulnerability gain complete control over the postgres database account, which typically has extensive access to system resources and data stored within the backup appliance. This level of access allows for data exfiltration, system modification, and potential lateral movement within network environments where the appliance operates. The vulnerability's unauthenticated nature means that any external party can potentially exploit it, eliminating the need for credentials or prior system access, which significantly increases the attack surface and risk exposure for organizations using affected versions of the software.
Organizations should immediately upgrade to Kaseya Unitrends Backup Appliance version 10.5.5 or later to remediate this vulnerability. The patch addresses the input validation issues by implementing proper parameterization of database queries and strengthening input sanitization mechanisms. Security teams should also implement network segmentation to limit access to backup appliances and monitor for suspicious database activity that might indicate exploitation attempts. Additionally, organizations should conduct comprehensive vulnerability assessments to identify any potential compromise of systems that may have been exposed to this vulnerability prior to remediation. The vulnerability aligns with CWE-89 which classifies SQL injection flaws, and represents a significant risk vector in the ATT&CK framework under the Execution and Privilege Escalation tactics, demonstrating how database-level vulnerabilities can lead to full system compromise.