Serious Vulnerabilities Found in Kace K1000 Appliance

Several vulnerabilities have been found and patched in the Kace K1000 systems management appliance from Quest.

The impacted appliance allows enterprises to manage their network-connected devices, including to inventory hardware and software, patch applications and operating systems, and ensure software license compliance. The product was at one point offered by Dell, which acquired Quest in 2012 and sold it to Francisco Partners and Elliott Management Corporation in 2016.

According to an advisory published by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, the Kace K1000 appliance is affected by several vulnerabilities and configuration issues found by researcher Kapil Khot.

Khot discovered several blind SQL injection flaws, collectively tracked as CVE-2018-5404, that allow a remote, authenticated attacker with “User Console Only” privileges to obtain data from the application’s database, including sensitive information.

An attacker with the same privileges can also inject arbitrary JavaScript code into the tickets page (CVE-2018-5405). This can allow the attacker to hijack legitimate sessions, including the one of an administrator.

“Script execution could allow a malicious user of the system to steal session cookies of other users including Administrator and take over their session. This can further be exploited to launch other attacks,” CERT/CC said in its advisory. “The software also does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.”

The researcher also found that a remote and unauthenticated attacker could conduct actions such as adding a new admin account or changing the appliance’s settings by exploiting a misconfiguration related to the Cross-Origin Resource Sharing (CORS) mechanism. This issue is tracked as CVE-2018-5406.

The issues have been fixed with the release of a patch, SEC2018_20180410, which is included in version 9.0.270 and later, CERT/CC said. Quest customers can obtain additional information from the vendor’s advisory (registration required for full details).

Last year, Core Security reported discovering a total of more than 60 vulnerabilities in disk backup and system management appliances from Quest, including Kace appliances. The vendor released patches at the time, but threatened to take legal action against Core if it disclosed too many details.

Related: Cisco Warns of Zero-Day Vulnerability in Security Appliances

Related: Cisco Patches Privilege Escalation Vulnerability in Adaptive Security Appliance