CVE-2018-11136
📋 TL;DR
The 'orgID' parameter of the /common/download_agent_installer.php script in Quest KACE System Management Appliance (SMA) 8.0.318 is passed to a database query without sanitization, giving an attacker a time-based blind SQL injection against the appliance's database. Successful exploitation can expose appliance data (including administrator credentials and managed-endpoint inventory), lead to compromise of the appliance and the endpoints it manages, or cause denial of service. Organizations running Quest KACE SMA 8.0.318 are affected.
💻 Affected Systems
- Quest KACE System Management Appliance
📦 What is this software?
Quest KACE Systems Management Appliance (SMA, formerly the Dell KACE K1000) is a physical or virtual appliance for endpoint management: inventory, software distribution, patching, scripting and service desk for managed Windows, macOS and Linux systems. Its web interface is PHP backed by a MySQL database, and managed endpoints run a KACE agent that is provisioned through the appliance's download scripts.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the KACE appliance: extraction of the appliance database, including administrator password hashes and any stored credentials for managed systems, followed by abuse of the appliance's own management functions (scripting, software distribution) to run code on every managed endpoint.
Likely Case
Slow but fully automatable extraction of database contents over the blind channel (organization data, user and administrator records), leading to privilege escalation into the admin interface and, from there, control over managed endpoints.
If Mitigated
With the appliance's web interface reachable only from trusted networks and agent subnets, exposure is limited to hosts on those networks; the injection itself remains exploitable by anyone who can reach the script until the patch is applied.
🎯 Exploit Status
Time-based blind SQL injection in a script that is reachable without authentication (the agent-installer download script is served to hosts that are not yet enrolled), so no appliance account is needed. The issue is publicly documented in the researcher's and vendor's advisories, and time-based blind injection is fully automatable with standard SQL injection tooling, so treat it as exploitable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.0.319 or later
Vendor Advisory: https://support.quest.com/kace-systems-management-appliance/kb/335982/quest-response-to-cve-2018-11136-sql-injection-vulnerability-in-kace-sma
Restart Required: Yes
Instructions:
1. Back up the current appliance configuration.
2. Download the latest patch from the Quest support portal.
3. Apply the patch through the KACE admin interface.
4. Restart the appliance services.
🔧 Temporary Workarounds
Web Application Firewall
Put a WAF or reverse proxy in front of the appliance and enforce an allow-list on the orgID parameter of /common/download_agent_installer.php (a short decimal identifier) rather than relying on generic SQL injection signatures, which miss time-based payloads that contain nothing but SLEEP() and a quote.
Access Restriction
Restrict access to the appliance's web ports to the networks that need it (administrators and agent subnets) on an upstream firewall. The appliance itself does not expose a shell or iptables, and a string match on the request path cannot work on port 443 because the path is inside the TLS stream, so filter by source address instead. Example for a Linux gateway forwarding traffic to the appliance; 192.0.2.10 and 10.0.0.0/8 are placeholders for the appliance address and the trusted range:
iptables -I FORWARD -d 192.0.2.10 -p tcp -m multiport --dports 80,443 ! -s 10.0.0.0/8 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation so that only administrator workstations and agent subnets can reach the appliance, and isolate the appliance from other critical systems.
- Log full request URLs (including query strings) and response times for the appliance on the upstream proxy or WAF, and alert on non-numeric orgID values and on abnormally slow responses from the download script, which is how a time-based blind injection shows up.
🔍 How to Verify
Check if Vulnerable:
The appliance is vulnerable if it reports version 8.0.318. The authoritative source is the version shown in the KACE admin interface. If Quest support has given you console access to the appliance, the banner file can be checked as well:
Check Version:
grep KACE /etc/issue
Verify Fix Applied:
Confirm the admin interface reports 8.0.319 or higher. As a functional check, compare the response time of a normal request to /common/download_agent_installer.php with one whose orgID carries a harmless SLEEP-style delay payload: on a patched appliance the second request must not take longer than the first.
📡 Detection & Monitoring
Log Indicators:
- Requests to /common/download_agent_installer.php whose orgID value is not a plain decimal number (quotes, spaces, comment sequences, SLEEP() or BENCHMARK() calls)
- Bursts of requests to that script from a single source with varying orgID values and response times that step in multiples of a fixed delay, the pattern of automated time-based extraction
- If MySQL query logs are available (normally only through Quest support), SLEEP() or BENCHMARK() inside queries issued by the download script
Network Indicators:
- Unusually slow responses from /common/download_agent_installer.php, or a volume of requests to it from hosts that are not enrolling agents
- Requests to the script from outside the administrator and agent subnets
SIEM Query:
source="web_logs" AND url="/common/download_agent_installer.php" AND param="orgID" AND (NOT value MATCHES "^[0-9]{1,10}$" OR value MATCHES "(?i)(SLEEP|BENCHMARK)")
The keyword list of a generic SQL injection signature (OR, AND, SELECT and so on) is unsuitable here: a time-based blind payload may contain none of those words, and bare OR/AND match ordinary text. Because orgID is expected to be a small integer, the negative numeric match is both tighter and more sensitive.
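The following script is an added example, not code from Quest or from the original advisory. It implements the two checks described above in one place: the allow-list a WAF or proxy should enforce on orgID, and a scan over web access logs that pairs a rejected orgID value with the response time to spot time-based blind probes. The log format (combined log with response time in milliseconds as the last field), the assumption that orgID is a short decimal identifier, the 2 s latency threshold and the sample log lines are all constructed for the example.

```python
"""Flag CVE-2018-11136 probes against download_agent_installer.php in web access logs.

Added example for this page; not Quest code. The log format, the assumption that orgID is a
short decimal id, and the 2 s latency threshold are assumptions made for the example.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/common/download_agent_installer.php"
# Allow-list a WAF or reverse proxy should enforce: orgID is assumed to be a short decimal id.
ORGID_OK = re.compile(r"^\d{1,10}$")
# Tokens typical of a MySQL time-based payload. Bare OR/AND are deliberately left out:
# on their own they are far too noisy, and the allow-list above already rejects them.
SQLI_TOKENS = re.compile(r"(?i)\b(sleep|benchmark|union|select|insert|update|delete|drop)\b|'|--|/\*|#")

# Constructed sample log: combined-style access log, response time in ms as the last field.
SAMPLE_LOG = """\
10.1.1.20 - - [24/Sep/2018:10:00:01 +0000] "GET /common/download_agent_installer.php?orgID=1&platform=windows HTTP/1.1" 200 1812 120
10.1.1.20 - - [24/Sep/2018:10:00:02 +0000] "GET /common/download_agent_installer.php?orgID=2 HTTP/1.1" 200 1812 115
203.0.113.7 - - [24/Sep/2018:10:05:00 +0000] "GET /common/download_agent_installer.php?orgID=1'%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 1812 5140
203.0.113.7 - - [24/Sep/2018:10:05:07 +0000] "GET /common/download_agent_installer.php?orgID=1%20OR%201%3D1 HTTP/1.1" 200 1812 118
10.1.1.30 - - [24/Sep/2018:10:06:00 +0000] "GET /adminui/welcome.php HTTP/1.1" 200 5000 90
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<ms>\d+)$'
)


def classify_orgid(value: str) -> tuple[str, list[str]]:
    """Verdict for one decoded orgID value, the same check a WAF rule would apply."""
    reasons = []
    if not ORGID_OK.fullmatch(value):
        reasons.append("orgID is not a plain decimal identifier")
    if SQLI_TOKENS.search(value):
        reasons.append("SQL syntax in orgID")
    return ("block" if reasons else "allow", reasons)


def scan_log(text: str, slow_ms: int = 2000) -> list[dict]:
    """Return one finding per rejected orgID value seen on the vulnerable path.

    A rejected value paired with a slow response is the signature of a time-based blind probe.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes, so classify_orgid sees the value the PHP script sees.
        for value in parse_qs(url.query, keep_blank_values=True).get("orgID", []):
            verdict, reasons = classify_orgid(value)
            if verdict == "allow":
                continue
            ms = int(m["ms"])
            findings.append({
                "src": m["src"], "ts": m["ts"], "orgID": value, "ms": ms,
                "reasons": reasons,
                "severity": "high (time-based probe likely)" if ms >= slow_ms else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} orgID={f['orgID']!r} {f['ms']}ms -> {f['severity']}: "
              + "; ".join(f["reasons"]))
```

Run against the embedded sample it reports the two requests from 203.0.113.7 and nothing for the legitimate agent downloads; the SLEEP(5) request is rated high because its 5140 ms response time exceeds the threshold, the OR 1=1 request medium because it was rejected by the allow-list but returned quickly. Feed real proxy or WAF logs through `scan_log` after adjusting `LOG_RE` to your log format, and use `classify_orgid` as the reference for the WAF rule.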