
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue was discovered in Kaseya Unitrends Backup Appliance before version 10.5.5: two unauthenticated SQL injection vulnerabilities allow arbitrary SQL queries to be injected and executed under the postgres superuser account. That superuser context can be escalated to remote code execution on the appliance with the privileges of the postgres account. The vulnerability was disclosed in December 2021 and received a CVSS score of 9.8 CRITICAL (NVD, Vendor Advisory).
The vulnerability exists in two components: the /grid/config/config.php script and the /cgi-bin/vaultServer HTTP endpoint. In config.php, arbitrary SQL can be injected through the host parameter; in vaultServer, injection is possible through the name parameter when the replication-state function is called. Both flaws execute the injected SQL as the postgres superuser, which can be leveraged for remote code execution by creating malicious user-defined functions (UDFs) (CyberOne Blog, CyberOne Blog Part 2).
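The bug class behind both endpoints is untrusted request data concatenated into SQL text. The following added example (written for this page, not code from the appliance, the vendor, or the CyberOne write-ups) shows a hypothetical host lookup in its vulnerable and parameterized forms against an in-memory SQLite database. The table and column names, the sample rows and the two payloads are all constructed; the real appliance schema and the actual injected statements are not known from this page.

```python
import sqlite3

# Constructed in-memory schema standing in for an appliance database.
# Hypothetical table and column names; not the Unitrends schema.
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE backup_clients (id INTEGER PRIMARY KEY, host TEXT, os TEXT);
        CREATE TABLE app_users (username TEXT, password_hash TEXT);
        INSERT INTO backup_clients (host, os) VALUES ('fileserver01', 'Windows'), ('db01', 'Linux');
        INSERT INTO app_users VALUES ('admin', 'constructed-hash-value');
        """
    )
    return conn


def lookup_os_vulnerable(conn: sqlite3.Connection, host: str) -> list:
    """Builds the statement by string interpolation, so the caller's
    'host' value becomes SQL text. This is the bug class described above."""
    query = f"SELECT os FROM backup_clients WHERE host = '{host}'"
    return [row[0] for row in conn.execute(query)]


def lookup_os_safe(conn: sqlite3.Connection, host: str) -> list:
    """Passes 'host' as a bound parameter; the driver sends it as data,
    so quotes, comments and keywords in it never reach the parser as code."""
    query = "SELECT os FROM backup_clients WHERE host = ?"
    return [row[0] for row in conn.execute(query, (host,))]


# Two generic injection payloads (constructed; not taken from the advisory):
TAUTOLOGY = "' OR '1'='1"                        # widens WHERE to every row
UNION_READ = ("x' UNION SELECT username || ':' || password_hash "
              "FROM app_users --")                # reads an unrelated table


def demo() -> dict:
    """Run both payloads through both implementations and collect the rows."""
    conn = setup_db()
    return {
        "vuln_tautology": sorted(lookup_os_vulnerable(conn, TAUTOLOGY)),
        "vuln_union": lookup_os_vulnerable(conn, UNION_READ),
        "safe_tautology": lookup_os_safe(conn, TAUTOLOGY),
        "safe_union": lookup_os_safe(conn, UNION_READ),
        "safe_legit": lookup_os_safe(conn, "db01"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15} -> {rows}")
```

In the vulnerable path the tautology returns every client and the UNION payload reads a table the query was never meant to touch; the parameterized path returns nothing for either payload and still answers the legitimate lookup. On the appliance the database role was the postgres superuser, so the reachable impact is far larger than reading one extra table: parameterized queries are the fix for the injection itself, and connecting as a least-privilege role rather than the superuser is what limits the blast radius when a query is still built unsafely somewhere.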
The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries with superuser privileges, potentially leading to full system compromise. Since the Unitrends Backup appliance holds a privileged position in the network, a successful exploit could extend to all computers configured as backup clients (CyberOne Blog).
Users should immediately update the Unitrends software to version 10.5.5 or later and update all agents to the latest version. The vendor strongly recommends not exposing the client ports directly, whether to the Internet or internally. Organizations should follow the vendor's guidance for secure deployment (Vendor Advisory).
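Since both flaws are unauthenticated, a practitioner patching after disclosure will also want to know whether the two endpoints were already probed. The following added example (written for this page, not tooling from the vendor or the CyberOne write-ups) walks web-server access logs and flags requests to the two paths named above whose host or name parameter carries SQL metacharacters or keywords after URL-decoding. It assumes the parameters travel in the query string and that the server logs in combined format; the sample lines are constructed, not real appliance logs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints and parameters named in the advisory write-up.
WATCHED = {
    "/grid/config/config.php": {"host"},
    "/cgi-bin/vaultServer": {"name"},
}

# Crude SQL-metacharacter / keyword heuristic for a retrospective hunt.
SQLI_HINT = re.compile(
    r"['\";]|--|/\*|\b(union|select|insert|update|delete|drop|create|pg_sleep)\b",
    re.IGNORECASE,
)

# Combined-log-format line: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; not real appliance logs. Assumes the parameters
# travel in the query string and that the web server writes combined format.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2021:10:15:01 +0000] "GET /grid/config/config.php?host=fileserver01 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Dec/2021:10:15:07 +0000] "GET /grid/config/config.php?host=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9011 "-" "python-requests/2.26.0"
10.0.0.9 - - [01/Dec/2021:10:16:22 +0000] "GET /cgi-bin/vaultServer?name=db01%27%3B-- HTTP/1.1" 500 0 "-" "curl/7.79.1"
10.0.0.7 - - [01/Dec/2021:10:17:00 +0000] "GET /cgi-bin/vaultServer?name=db01 HTTP/1.1" 200 233 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Dec/2021:10:17:05 +0000] "GET /index.php?host=%27 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def find_suspicious(log_text: str) -> list:
    """Return one finding per request whose watched parameter carries
    SQL metacharacters or keywords after URL-decoding."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        params = WATCHED.get(url.path)
        if not params:
            continue  # only the two advisory endpoints are of interest
        qs = parse_qs(url.query, keep_blank_values=True)
        for name in params:
            for value in qs.get(name, []):
                if SQLI_HINT.search(value):
                    findings.append({
                        "src": m.group("src"),
                        "ts": m.group("ts"),
                        "path": url.path,
                        "param": name,
                        "value": value,
                        "status": int(m.group("status")),
                    })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['path']} {f['param']}={f['value']!r} -> {f['status']}")
```

Hostnames never legitimately contain quotes or comment sequences, so the false-positive rate on the host parameter is low; the heuristic on name is equally narrow. The check cannot see parameters sent in a POST body, and a source that appears only from internal addresses still matters given the appliance's reach into every backup client, so treat any hit as a lead for checking the postgres role for unexpected functions rather than as proof of compromise on its own.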
Source: This report was generated using AI