Major Vulnerability Discovered in KACE
The CISA has recently published an advisory regarding an administrator interface vulnerability for the Quest KACE Systems Management Appliance.
The Cybersecurity and Infrastructure Security Agency has recently published an advisory regarding an administrator interface vulnerability for the Quest KACE Systems Management Appliance (ICS Advisory 19-183-02).
Affecting the KACE SMA (Systems Management Appliance) versions 8.0, 8.1, and 9.0, the vulnerability allows “unintentional access to the appliance leveraging functions of the troubleshooting tools located in the administrator user interface”, says the agency. Quest has already recommended that all users upgrade to Version 9.1 or newer; anyone remaining on the older versions is no longer supported and also remains exposed to the vulnerability.
This isn’t the first time that the KACE SMA has been recognized as insecure. Just last year, researcher Kapil Khot discovered several blind SQL injection flaws, tracked as CVE-2018-0504, that allow a remote but authenticated attacker with “User Console Only” privileges to obtain data from the application’s database, including sensitive information.
“Script execution could allow a malicious user of the system to steal session cookies of other users including Administrator and take over their session. This can further be exploited to launch other attacks,” CERT/CC (CERT Coordination Center at Carnegie Mellon University) said in its advisory. “The software also does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.”
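The two earlier flaws described above, blind SQL injection and script injection into pages served to other users, both come from the same root cause: user-controlled input joined into a query or a page without neutralization. The following added example (not code from the page, from Quest, or from CERT/CC) places each defective pattern beside its hardened form in Python, using a constructed in-memory SQLite table and a constructed greeting page that stand in for the appliance's database and its web UI; the function names and sample data are assumptions for illustration.

```python
import html
import sqlite3


def build_db():
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user")],
    )
    return conn


def lookup_user_vulnerable(conn, name):
    # Defect: user input is spliced into the SQL text, so characters in the
    # input (a quote, for instance) change the statement the database parses.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_parameterized(conn, name):
    # Fix: the input travels as a bound parameter and is compared literally;
    # nothing in it can alter the statement's structure.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_greeting_vulnerable(name):
    # Defect CERT/CC describes: input placed in HTML output without
    # neutralization, so markup in it is interpreted by other users' browsers.
    return f"<p>Hello, {name}</p>"


def render_greeting_escaped(name):
    # Fix: encode for the HTML text context before embedding the value.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def compare(name):
    """Run one input through both variants and return the results for inspection."""
    conn = build_db()
    try:
        vuln_rows = lookup_user_vulnerable(conn, name)
        vuln_error = None
    except sqlite3.Error as exc:
        # A database error on ordinary input (an apostrophe in a surname) is the
        # tell-tale symptom of string-built SQL.
        vuln_rows, vuln_error = None, type(exc).__name__
    return {
        "vulnerable_rows": vuln_rows,
        "vulnerable_error": vuln_error,
        "parameterized_rows": lookup_user_parameterized(conn, name),
        "vulnerable_html": render_greeting_vulnerable(name),
        "escaped_html": render_greeting_escaped(name),
    }


if __name__ == "__main__":
    for sample in ("alice", "o'brien", "<script>alert(1)</script>"):
        print(sample, "->", compare(sample))
```

Running it shows that the parameterized lookup handles the name with an apostrophe as an ordinary (unmatched) value while the string-built query fails to parse, and that the escaped page carries the markup as inert text rather than as a tag.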
Experience a Better Approach to Systems Management
Use Syxsense to detect and then remediate critical updates. While you could run a comprehensive scan of all devices on a network, you can also run a targeted scan for a specific piece of software. Easily see which devices are running which version of an application that might be at risk.
From there, it’s simple to set up a task that targets every device that needs the update.
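The triage step behind that workflow, sorting an inventory by version into devices on the affected releases (8.0, 8.1, 9.0), devices on older unsupported releases, and devices already at 9.1 or newer, is shown in the added example below. It is not Syxsense or Quest code; it works from a constructed CSV export whose hostnames and build numbers are made up, and the product label "KACE SMA" is an assumption about how an inventory tool would name the appliance. Versions are compared as integer tuples rather than strings so that, for example, 9.1.317 correctly ranks above 9.1 and 10.0 above 9.1.

```python
import csv
import io
import re

# Releases named as affected in the CISA advisory, and Quest's recommended floor.
AFFECTED_MAJOR_MINOR = {(8, 0), (8, 1), (9, 0)}
FIXED_MIN = (9, 1)
PRODUCT = "KACE SMA"  # assumed inventory label for the appliance

# Constructed inventory export; hostnames and build numbers are made up.
INVENTORY_CSV = """\
hostname,product,version
kace-sma-01,KACE SMA,8.1.108
kace-sma-02,KACE SMA,9.0.270
kace-sma-03,KACE SMA,9.1.317
kace-sma-04,KACE SMA,7.2.101
file-srv-01,Other Agent,3.2.0
"""


def parse_version(text):
    """Turn '9.1.317' into (9, 1, 317) so versions compare numerically, not lexically."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version):
    """Return 'affected', 'unsupported', or 'current' for one KACE SMA version string."""
    v = parse_version(version)
    if v[:2] in AFFECTED_MAJOR_MINOR:
        return "affected"        # named in the advisory
    if v < FIXED_MIN:
        return "unsupported"     # older than 9.1 but not named; still off support
    return "current"             # 9.1 or newer


def triage(inventory_csv, product=PRODUCT):
    """Map each host running `product` to its status; rows for other products are ignored."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["hostname"]: classify(row["version"])
            for row in reader if row["product"] == product}


def hosts_needing_update(inventory_csv, product=PRODUCT):
    """Sorted hostnames that a remediation task should target."""
    return sorted(host for host, status in triage(inventory_csv, product).items()
                  if status != "current")


if __name__ == "__main__":
    for host, status in triage(INVENTORY_CSV).items():
        print(f"{host}: {status}")
    print("remediation targets:", hosts_needing_update(INVENTORY_CSV))
```

The output of `hosts_needing_update` is the list a remediation task would be scoped to; anything classified "current" is left alone.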