CVE-2018-5406
Published 2019-06-03
Priority P268 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 12.21% (95.7th percentile)
The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows a remote attacker to exploit the misconfigured Cross-Origin Resource Sharing (CORS) mechanism. An unauthenticated, remote attacker could exploit this vulnerability to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings. A malicious internal user could also gain administrator privileges of this appliance and use it to visit a malicious link that exploits this vulnerability. This could cause the application to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings. An unauthenticated, remote attacker could add an administrator-level account or change the appliance's settings.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| quest | kace_systems_management_appliance_firmware | < 9.0.270 | 9.0.270 |
| quest_kace | k1000_appliance | >= 9.0.270 < 9.0.270 | 9.0.270 |
Detection & IOCs (extracted from sources)
- Monitor for CORS misconfiguration abuse: look for cross-origin POST requests to the KACE K1000 appliance admin endpoints originating from unexpected external origins, which may indicate CSRF exploitation via CVE-2018-5406.
- Alert on unexpected new administrator account creation or appliance settings changes on KACE K1000 appliances running versions prior to 9.0.270, as these are the sensitive actions enabled by this CORS/CSRF vulnerability.
- Detect stored XSS exploitation attempts in the KACE SMA ticket Summary field: any script tags or JavaScript alert/cookie-exfiltration payloads submitted to ticket creation endpoints should be flagged.
- Any user, including an administrator, visiting a ticket page on KACE SMA may execute injected scripts; monitor for anomalous JavaScript execution or cookie access events tied to the ticket viewer page.
- The CORS misconfiguration (CVE-2018-5406) was confirmed fixed in version 9.0.270; however, a separate vulnerability (#2, stored XSS) was noted as still present even in the patched 9.0.270 release.
- The vendor's full patch addressing all vulnerabilities, including the remaining stored XSS, was not scheduled until May 2019; organizations should verify their KACE K1000/SMA version is at or above 9.0.270 AND confirm the XSS fix is included.
CVSS provenance
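| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |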
- http://packetstormsecurity.com/files/153150/Dell-KACE-System-Management-Appliance-SMA-XSS-SQL-Injection.html
- https://support.quest.com/kb/288310/cert-coordination-center-report-update
- https://www.kb.cert.org/vuls/id/877837/