CVE-2018-11142 in KACE System Management Appliance

Summary

by MITRE

The 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts in the Quest KACE System Management Appliance 8.0.318 are accessible only from localhost. This restriction can be bypassed by modifying the 'Host' and 'X_Forwarded_For' HTTP headers in a POST request. An anonymous user can abuse this vulnerability to execute critical functions without authorization.


Analysis

by VulDB Data Team • 02/10/2020

The Quest KACE System Management Appliance version 8.0.318 contains a critical access control vulnerability in its web interface that stems from trusting client-controlled HTTP headers. The scripts systemui/settings_network.php and systemui/settings_patching.php are meant to be reachable only from localhost, a restriction intended to keep remote users away from sensitive administrative functions. That restriction is enforced by inspecting the Host and X-Forwarded-For fields of the incoming POST request rather than the address of the TCP peer, and both fields are written by the client, so anyone who can reach the web interface can satisfy the check. This is an improper access control flaw, not an insecure direct object reference: no object identifier is involved, the application simply fails to establish where the request actually came from. The result is that an unauthenticated attacker bypasses the intended localhost restriction and reaches critical system configuration functions.

Exploiting the flaw requires only a crafted HTTP POST request to one of the two scripts in which the Host header names the local system (for example localhost or 127.0.0.1) and the X-Forwarded-For header carries a loopback address. The application consults these headers because they are what load balancers and reverse proxies normally use to convey the original client, but a header is only as trustworthy as the hop that set it, and here nothing in front of the appliance strips or overwrites them. The weakness is classified as CWE-285 (Improper Authorization). The ATT&CK mapping to T1078 (Valid Accounts) is a loose fit, since the bypass requires no account at all; what the attacker obtains is the effect of an administrative session without ever authenticating. The root cause is that the localhost check stops at the header values and never compares them against the connection's real source address, so a remote request is processed as if it had originated on the appliance itself.
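The check described above, modelled in runnable form. This is an added example, not code from Quest or from the VulDB entry: the real PHP source of settings_network.php and settings_patching.php is not on the page, so vulnerable_is_local is an assumed reconstruction of the class of check the advisory describes (trusting Host and X-Forwarded-For), written in Python rather than PHP so it can be executed here. The Request class, the attacker address 203.0.113.5 and the hostname kace.example.com are constructed for the example; the crafted POST is the bypass the summary describes, with an empty body because the page does not document the scripts' form fields.

```python
"""Added example (not Quest's code): a model of the header-based localhost
check that CVE-2018-11142 describes, beside a hardened version.

The vulnerable function is an assumed reconstruction of the check class
the advisory describes (trusting Host and X-Forwarded-For), not the
appliance's actual PHP. Addresses and hostnames below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Values the assumed check accepts as "this is the local machine".
LOCAL_NAMES = {"localhost", "127.0.0.1", "::1"}


@dataclass
class Request:
    """Minimal stand-in for what a PHP script sees in $_SERVER."""
    peer_addr: str                               # REMOTE_ADDR: TCP peer, set by the server
    headers: dict = field(default_factory=dict)  # client-controlled, keys lower-cased

    def header(self, name):
        return self.headers.get(name.lower(), "")


def _host_only(value):
    """Drop a trailing :port from a Host value; unwrap bracketed IPv6."""
    if value.startswith("["):
        return value[1:value.find("]")]
    return value.split(":", 1)[0]


def vulnerable_is_local(req):
    """Assumed vulnerable check: decides from client-supplied headers only.

    Both Host and X-Forwarded-For are copied straight from the request
    bytes, so an anonymous remote client can set them to whatever passes.
    """
    host = _host_only(req.header("Host"))
    xff = req.header("X-Forwarded-For").split(",")[0].strip()
    return host in LOCAL_NAMES or xff in LOCAL_NAMES


def hardened_is_local(req):
    """Fixed check: only the kernel-reported peer address counts.

    X-Forwarded-For is ignored entirely. If a trusted reverse proxy really
    sits in front, the "is this local" decision belongs at that proxy.
    """
    try:
        return ipaddress.ip_address(req.peer_addr).is_loopback
    except ValueError:
        return False


def bypass_request(attacker_src="203.0.113.5"):
    """The bypass from the advisory: a remote peer whose Host and
    X-Forwarded-For headers both claim a loopback origin."""
    return Request(
        peer_addr=attacker_src,
        headers={"host": "localhost", "x-forwarded-for": "127.0.0.1"},
    )


def raw_bypass_post(path):
    """Render the crafted request as it would appear on the wire.
    Body left empty: the page does not document the scripts' fields."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        "Host: localhost\r\n"
        "X-Forwarded-For: 127.0.0.1\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: 0\r\n\r\n"
    )


if __name__ == "__main__":
    legit = Request("127.0.0.1", {"host": "127.0.0.1"})
    atk = bypass_request()
    for label, r in (("local call", legit), ("spoofed remote", atk)):
        print(f"{label:15} vulnerable={vulnerable_is_local(r)} "
              f"hardened={hardened_is_local(r)}")
    print(raw_bypass_post("/systemui/settings_network.php"))
```

The point to take from the two functions is not the port stripping but what each one reads: the vulnerable version never touches peer_addr, so the only fact the server itself established about the connection plays no part in the decision.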

The operational impact is severe: an anonymous user gains the network configuration and patch management functions that should be reserved for authenticated administrators. Through them an attacker could reconfigure network settings to redirect traffic or isolate the appliance, disable security features, or tamper with patch management so that malicious content reaches the systems the appliance patches. The vulnerability therefore affects the integrity and availability of the appliance's configuration and can lead to complete compromise of the device. Because the appliance is a central management platform for enterprise endpoints, the consequences extend beyond the device itself to every system it manages. Confidentiality is also at risk, since the same functions expose sensitive configuration data to whoever reaches them.

Organizations should update to a version of the Quest KACE appliance in which the vendor has corrected the access control, and until then restrict access to the affected scripts at the network level so that only trusted administrative hosts can reach the web interface at all. The underlying lesson is that a "localhost only" decision must be based on the connection's actual source address, never on Host or X-Forwarded-For, which any client can set; where a reverse proxy legitimately forwards traffic, the proxy should overwrite inbound X-Forwarded-For rather than pass it through, and the application should trust that header only from the proxy's own address. Sensitive functions should additionally require authentication rather than relying on request origin alone. Management interfaces belong on a segmented network, and access control for web-facing components should be audited and penetration tested regularly for the same class of flaw. Security monitoring should flag requests to systemui/settings_network.php or systemui/settings_patching.php that arrive from a non-loopback peer, particularly when their headers claim a loopback origin.
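The monitoring rule from the paragraph above, as an added example that is not part of the VulDB entry or any Quest tooling. It assumes the web server in front of the appliance logs the TCP peer, the Host header and the X-Forwarded-For header (for example an Apache LogFormat of %h "%{Host}i" "%{X-Forwarded-For}i" "%r" %>s, which is an assumption about the deployment, not something the page states). The log lines, addresses and hostname are constructed for the example. The rule generalises slightly beyond the page: any remote request to the two localhost-only scripts is reported, with a higher severity when the headers carry the spoofing signature.

```python
"""Added example (not Quest's or VulDB's code): log-based detection of the
CVE-2018-11142 bypass pattern.

Assumed log format (Apache style, an assumption about the deployment):
    %h "%{Host}i" "%{X-Forwarded-For}i" "%r" %>s
SAMPLE_LOG is constructed for the example, not captured data.
"""
import ipaddress
import re

LINE_RE = re.compile(r'^(\S+) "([^"]*)" "([^"]*)" "(\S+) (\S+) [^"]*" (\d{3})$')

# The two scripts the advisory names as localhost-only.
LOCAL_ONLY_PATHS = {
    "/systemui/settings_network.php",
    "/systemui/settings_patching.php",
}

# Constructed sample: one genuine local call, two spoofed bypass attempts,
# one unrelated request, one plain remote probe that was refused.
SAMPLE_LOG = """\
127.0.0.1 "127.0.0.1" "-" "POST /systemui/settings_network.php HTTP/1.1" 200
203.0.113.5 "localhost" "127.0.0.1" "POST /systemui/settings_patching.php HTTP/1.1" 200
203.0.113.5 "kace.example.com" "-" "GET /adminui/login.php HTTP/1.1" 200
198.51.100.9 "kace.example.com" "127.0.0.1, 10.0.0.4" "POST /systemui/settings_network.php HTTP/1.1" 302
198.51.100.20 "kace.example.com" "-" "POST /systemui/settings_network.php HTTP/1.1" 403
"""


def is_loopback(value):
    """True for a loopback IP or the literal name localhost; '-' and
    ordinary hostnames are False."""
    value = value.strip()
    if value == "localhost":
        return True
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False


def claims_loopback(header_value):
    """Does a Host or X-Forwarded-For value assert a loopback origin?
    Host may carry :port; X-Forwarded-For may be a comma list whose first
    element is the claimed original client."""
    first = header_value.split(",", 1)[0].strip()
    if first.startswith("["):            # [::1]:port
        first = first[1:first.find("]")]
    elif first.count(":") == 1:          # name:port or 127.0.0.1:port
        first = first.split(":", 1)[0]
    return is_loopback(first)


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not
    match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    peer, host, xff, method, target, status = m.groups()
    return {"peer": peer, "host": host, "xff": xff, "method": method,
            "path": target.split("?", 1)[0], "status": int(status)}


def detect_localhost_spoofing(lines):
    """One alert per request to a localhost-only script that did not come
    from loopback. Severity is high when the headers claim loopback (the
    CVE-2018-11142 signature), medium for a plain remote probe, which the
    appliance probably refused but which still shows someone looking."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in LOCAL_ONLY_PATHS:
            continue
        if is_loopback(rec["peer"]):
            continue                     # the intended, legitimate case
        spoofed = claims_loopback(rec["host"]) or claims_loopback(rec["xff"])
        alerts.append({
            "peer": rec["peer"],
            "path": rec["path"],
            "status": rec["status"],
            "severity": "high" if spoofed else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_localhost_spoofing(SAMPLE_LOG.splitlines()):
        print(alert)
```

Against the sample the rule produces three alerts: two high-severity hits (peers 203.0.113.5 and 198.51.100.9, whose Host or X-Forwarded-For claims loopback) and one medium-severity probe from 198.51.100.20 that got a 403. The decisive field is the peer address the server recorded itself; the headers only raise the severity, they never lower it.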

Reservation

05/16/2018

Disclosure

05/31/2018

Moderation

accepted

CPE

ready

EPSS

0.00056

KEV

no

Activities

very low

Sources
