DATE: July 28, 2021
Unitrends Recovery Series and MAX hardware appliances
Unitrends Backup virtual appliances
Kaseya Unified Backup
NOTE: Unitrends/Kaseya EndPoint Backup (aka Cloud Backup, Direct to Cloud Backup), KCB, BUDR, KDB and Spanning Backup products ARE NOT affected
As part of a continuous security focus across our products, Unitrends works with third party security firms to ensure the highest level of protection for our customers.
Earlier this month, potential security vulnerabilities were discovered, and we immediately began working on a maintenance release. However, due to an unfortunate procedural error by the security researcher, the names of the potential vulnerabilities were prematurely posted and picked up by an industry publication.
There has been NO KNOWN EXPLOIT of this vulnerability being used, no technical details disclosed, and no proof of concept disclosed.
- For machines with Unitrends agents that are exposed to the internet configure firewall settings on the machines to only allow inbound TCP on port 1743-1749 from <Unitrends Appliance IP address>
- Example steps are outlined in the following KB: https://support.unitrends.com/hc/en-us/articles/4404684084369-RCE-KB
- For Unitrends Appliances, we reiterate our existing mandate from our implementation guide that the users should never expose the appliance Web UI or SSH connections to open external ports. Ensure you are following our existing Unitrends Firewall Requirements: https://support.unitrends.com/hc/en-us/articles/360013264518
Unitrends is working on a patch to resolve these issues. We expect fixes to be released in our August update.