Several vulnerabilities have been found and patched in the Kace K1000 systems management appliance from Quest.
The impacted appliance allows enterprises to manage their network-connected devices, including to inventory hardware and software, patch applications and operating systems, and ensure software license compliance. The product was at one point offered by Dell, which acquired Quest in 2012 and sold it to Francisco Partners and Elliott Management Corporation in 2016.
According to an advisory published by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, the Kace K1000 appliance is affected by several vulnerabilities and configuration issues found by researcher Kapil Khot.
Khot discovered several blind SQL injection flaws, collectively tracked as CVE-2018-5404, that allow a remote, authenticated attacker with “User Console Only” privileges to obtain data from the application’s database, including sensitive information.
An attacker with the same privileges can also inject arbitrary JavaScript code into the tickets page (CVE-2018-5405). This can allow the attacker to hijack legitimate sessions, including the one of an administrator.
“Script execution could allow a malicious user of the system to steal session cookies of other users including Administrator and take over their session. This can further be exploited to launch other attacks,” CERT/CC said in its advisory. “The software also does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.”
The researcher also found that a remote and unauthenticated attacker could conduct actions such as adding a new admin account or changing the appliance’s settings by exploiting a misconfiguration related to the Cross-Origin Resource Sharing (CORS) mechanism. This issue is tracked as CVE-2018-5406.
The issues have been fixed with the release of a patch, SEC2018_20180410, which is included in version 9.0.270 and later, CERT/CC said. Quest customers can obtain additional information from the vendor’s advisory (registration required for full details).
Last year, Core Security reported discovering a total of more than 60 vulnerabilities in disk backup and system management appliances from Quest, including Kace appliances. The vendor released patches at the time, but threatened to take legal action against Core if it disclosed too many details.
Related: Cisco Warns of Zero-Day Vulnerability in Security Appliances
Related: Cisco Patches Privilege Escalation Vulnerability in Adaptive Security Appliance

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
