CVE-2017-12567
📋 TL;DR
This SQL injection vulnerability in Quest KACE management appliances allows attackers to execute arbitrary SQL commands through the web interface. It affects organizations using KACE Asset Management Appliance, Systems Management Appliance, or K1000 as a Service. Successful exploitation could lead to complete system compromise.
💻 Affected Systems
- Quest KACE Asset Management Appliance
- Quest KACE Systems Management Appliance
- Quest K1000 as a Service
📦 What is this software?
Kace Systems Management Appliance by Quest
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover, data exfiltration, lateral movement to other systems, and persistent backdoor installation
Likely Case
Database compromise leading to credential theft, sensitive data exposure, and potential privilege escalation
If Mitigated
Limited impact with proper network segmentation, WAF protection, and minimal database privileges
🎯 Exploit Status
Exploitation requires authenticated access to the web interface, but the SQL injection is straightforward once an attacker is authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Asset Management Appliance 8.0.317; Systems Management Appliance 8.0.317; K1000 as a Service 8.0.317
Vendor Advisory: https://support.quest.com/kace-systems-management-appliance/kb/231874
Restart Required: Yes
Instructions:
1. Back up the current configuration and data.
2. Download the patch from the Quest support portal.
3. Apply the patch via the KACE administrative interface.
4. Restart the appliance services.
5. Verify that the patch was installed.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy a WAF with SQL injection rules to block exploitation attempts
Network Segmentation
Restrict access to KACE appliances to authorized management networks only
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the KACE web interface
- Enable detailed SQL query logging and monitor for suspicious database activity
🔍 How to Verify
Check if Vulnerable:
Check current version via KACE administrative interface under Help > About
Check Version:
Not applicable - use web interface
Verify Fix Applied:
Confirm that the version shown under Help > About is 8.0.317 or later, and confirm that the patched interface rejects SQL injection test inputs
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by SQL-like payloads
- Administrative actions from unexpected IP addresses
Network Indicators:
- SQL keywords in HTTP POST requests to KACE endpoints
- Unusual database connection patterns
SIEM Query:
source="kace_web_logs" AND (http_request CONTAINS "UNION" OR http_request CONTAINS "SELECT" OR http_request CONTAINS "INSERT" OR http_request CONTAINS "DELETE")
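The SIEM query above matches single keywords, so any form field or free-text value containing "SELECT" or "DELETE" will fire, and it misses lower-case or URL-encoded payloads unless the platform normalizes them. The following Python is an added example, not part of this advisory or of Quest's tooling: it applies the same log and network indicators to constructed sample web-access records, but decodes the request body first, looks for multi-token SQL patterns (such as `UNION SELECT`) instead of lone keywords, restricts the rule to POST requests against KACE endpoints, and separately flags administrative traffic from outside the management network. The `/adminui/` path prefix, the `10.0.5.0/24` management network and the record layout are assumptions for the example, not values taken from the advisory.

```python
"""Detection logic for the indicators listed above, run over constructed
sample web-access records (not real KACE log output).

Assumptions made for this example only: records are dicts with src_ip,
method, path and a URL-encoded body; KACE web endpoints live under
/adminui/; the authorized management network is 10.0.5.0/24.
"""
import ipaddress
import re
from urllib.parse import unquote_plus

MANAGEMENT_NETWORK = ipaddress.ip_network("10.0.5.0/24")  # assumed
KACE_PATH_PREFIX = "/adminui/"  # assumed endpoint prefix

# Multi-token SQL patterns. Single keywords such as "select" or "delete"
# occur in ordinary form fields and labels, so they are deliberately not
# matched on their own.
SQL_PATTERNS = [
    re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    re.compile(r"\bSELECT\b.+\bFROM\b", re.I | re.S),
    re.compile(r"\bINSERT\s+INTO\b", re.I),
    re.compile(r"\bDELETE\s+FROM\b", re.I),
    re.compile(r"\bDROP\s+TABLE\b", re.I),
    re.compile(r"'\s*(?:OR|AND)\s+'?\w+'?\s*=", re.I),  # quoted tautology
]

# Mirror of the single-keyword SIEM rule above (made case-insensitive).
NAIVE_KEYWORDS = re.compile(r"\b(?:UNION|SELECT|INSERT|DELETE)\b", re.I)

# Constructed sample records; bodies are URL-encoded as a web server logs them.
SAMPLE_LOGS = [
    # benign: "select" is just a form field name
    {"src_ip": "10.0.5.20", "method": "POST", "path": "/adminui/asset_list.php",
     "body": "name=Printer%20Room&select=1"},
    {"src_ip": "10.0.5.20", "method": "GET", "path": "/adminui/help.php", "body": ""},
    # suspicious: encoded UNION SELECT in a POST body from outside the management network
    {"src_ip": "203.0.113.9", "method": "POST", "path": "/adminui/asset.php",
     "body": "id=1%27%20UNION%20SELECT%201%2C2--"},
    # benign: SQL keywords appear as ordinary English in text fields
    {"src_ip": "10.0.5.31", "method": "POST", "path": "/adminui/report.php",
     "body": "title=Delete%20old%20reports&note=Select%20one"},
    # no SQL, but administrative access from an unexpected source address
    {"src_ip": "198.51.100.7", "method": "GET", "path": "/adminui/login.php", "body": ""},
]


def naive_match(record):
    """True if the single-keyword rule would fire on this record's body."""
    return bool(NAIVE_KEYWORDS.search(unquote_plus(record["body"])))


def analyze(record):
    """Return the list of indicator names triggered by one record."""
    reasons = []
    if record["method"] == "POST" and record["path"].startswith(KACE_PATH_PREFIX):
        decoded = unquote_plus(record["body"])  # normalize before matching
        if any(p.search(decoded) for p in SQL_PATTERNS):
            reasons.append("sql_pattern_in_post_body")
    if ipaddress.ip_address(record["src_ip"]) not in MANAGEMENT_NETWORK:
        reasons.append("source_outside_management_network")
    return reasons


def scan(records):
    """Return (alerts, naive_hits): alerts maps record index to its reasons,
    naive_hits lists the indices the single-keyword rule would have flagged."""
    alerts = {i: analyze(r) for i, r in enumerate(records)}
    alerts = {i: rs for i, rs in alerts.items() if rs}
    naive_hits = [i for i, r in enumerate(records) if naive_match(r)]
    return alerts, naive_hits


if __name__ == "__main__":
    found, noisy = scan(SAMPLE_LOGS)
    for idx, reasons in found.items():
        print(f"record {idx} from {SAMPLE_LOGS[idx]['src_ip']}: {', '.join(reasons)}")
    print("single-keyword rule would also flag records:", noisy)
```

On the sample data the pattern-based rule raises two alerts (the encoded `UNION SELECT` request, which also comes from outside the management network, and the login request from an unexpected address), while the single-keyword rule flags three records, two of which are benign form submissions. Decoding the body before matching is what catches the URL-encoded payload; the SIEM query as written only sees raw request text.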