Security Bulletin

DATE: July 28, 2021 

AFFECTED PRODUCTS: 

Unitrends Recovery Series and MAX hardware appliances 

Unitrends Backup virtual appliances 

Kaseya Unified Backup 

NOTE: Unitrends/Kaseya EndPoint Backup (aka Cloud Backup, Direct to Cloud Backup), KCB, BUDR, KDB and Spanning Backup products ARE NOT affected 

Overview: 

As part of a continuous security focus across our products, Unitrends works with third party security firms to ensure the highest level of protection for our customers. 

Earlier this month, potential security vulnerabilities were discovered, and we immediately began working on a maintenance release.  Howeverdue to an unfortunate procedural error by the security researcher, the names of the potential vulnerabilities were prematurely posted and picked up by an industry publication.   

There has been NO KNOWN EXPLOIT of this vulnerability being used, no technical details disclosed, and no proof of concept disclosed.   

MITIGATION 

  • For machines with Unitrends agents that are exposed to the internet configure firewall settings on the machines to only allow inbound TCP on port 1743-1749 from <Unitrends Appliance IP address> 

 

  • For Unitrends Appliances, we reiterate our existing mandate from our implementation guide that the users should never expose the appliance Web UI or SSH connections to open external ports.   Ensure you are following our existing Unitrends Firewall Requirements: https://support.unitrends.com/hc/en-us/articles/360013264518 

PATCH 

Unitrends is working on a patch to resolve these issues.  We expect fixes to be released in our August update. 

Was this article helpful?
1 out of 1 found this helpful
Have more questions? Contact us