Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Tens of Vulnerabilities Found in Quest Appliances

Researchers at Core Security say they have discovered a total of more than 60 vulnerabilities in disk backup and system management appliances from Quest. The IT management firm has released patches, but threatened to take legal action against Core if it disclosed too many details.

Researchers at Core Security say they have discovered a total of more than 60 vulnerabilities in disk backup and system management appliances from Quest. The IT management firm has released patches, but threatened to take legal action against Core if it disclosed too many details.

More than 50 security holes have been found in Quest’s DR series disk backup appliances. The most serious of the flaws, according to Core, allows a remote and unauthenticated attacker to execute arbitrary system commands via the “password” parameter of the login process.

Experts also identified 45 other command injection issues in the product, but these require authentication. Core also claims to have uncovered six privilege escalation vulnerabilities that allow an attacker to gain root permissions.

The weaknesses impact Quest DR Series Disk Backup software version 4.0.3 and possibly earlier, and they have been patched with the release of version 4.0.3.1.

A separate advisory from Core describes 11 flaws affecting Quest’s KACE Systems Management Appliance. Researchers found that the product’s web console is affected by three command injection vulnerabilities, including one that can be exploited by an unauthenticated attacker.

The list of security holes found in this product also includes privilege escalation, SQL injection, cross-site scripting (XSS), and path traversal issues.

The vulnerabilities have been patched with a hotfix that is available for Quest KACE System Management Appliance versions 7.0, 7.1, 7.2, 8.0, and 8.1.

During the disclosure of the KACE flaws, Quest told Core that its work is in breach of the vendor’s license agreement and asked the security firm not to make its findings public to avoid legal action.

Quest, whose products are reportedly used by 130,000 companies, does have a responsible disclosure policy, but it states that reports of any vulnerability are considered the company’s confidential and proprietary information and cannot be disclosed to third parties.

Core has only published limited information about each of the vulnerabilities, but the company says it’s disappointed by Quest’s posture on disclosure.

“CoreLabs has been publishing security advisories since 1997 and believes in coordinated disclosure and good faith collaboration with software vendors before disclosure to help ensure that a fix or workaround solution is ready and available when the vulnerability details are publicized. We believe that providing technical details about each finding is necessary to provide users and organizations with enough information to understand the implications of the vulnerabilities against their environment and, most importantly, to prioritize the remediation activities aiming at mitigating risk,” Core said.

Related: Dozen Flaws Found in Trend Micro Email Encryption Gateway

Related: Kaspersky Patches Vulnerabilities in Secure Mail Gateway

Related: Remotely Exploitable Vulnerability Discovered in MikroTik’s RouterOS

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.