CVE-2018-11138
📋 TL;DR
CVE-2018-11138 is a critical remote code execution vulnerability in Quest KACE System Management Appliance. It allows unauthenticated attackers to execute arbitrary commands on affected systems by exploiting an insecure script. Organizations using Quest KACE System Management Appliance 8.0.318 are affected.
💻 Affected Systems
- Quest KACE System Management Appliance
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to data theft, lateral movement within the network, ransomware deployment, or persistent backdoor installation.
Likely Case
Unauthenticated attackers gaining shell access to install malware, exfiltrate sensitive data, or pivot to other systems in the network.
If Mitigated
Limited impact if network segmentation isolates the appliance and strict access controls prevent exploitation attempts.
🎯 Exploit Status
Public exploit code is available on Exploit-DB (44950), making exploitation trivial for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to version 8.0.319 or later
Vendor Advisory: https://support.quest.com/kace-systems-management-appliance/kb/293336
Restart Required: Yes
Instructions:
1. Log into the KACE appliance admin interface.
2. Navigate to Settings > Appliance > Updates.
3. Apply the latest available update (8.0.319+).
4. Restart the appliance as prompted.
🔧 Temporary Workarounds
Block access to vulnerable script
Use web server configuration or firewall rules to block access to '/common/download_agent_installer.php'
# Apache:
RewriteRule ^/common/download_agent_installer\.php$ - [F]
# Nginx:
location ~ /common/download_agent_installer\.php$ { deny all; }
Network segmentation
Isolate the KACE appliance from untrusted networks and restrict access to authorized IPs only
# Example iptables rules (10.0.0.0/8 stands for the management network that should reach the appliance):
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Immediately restrict network access to the appliance using firewall rules to allow only trusted IP addresses
- Monitor for exploitation attempts by reviewing web server logs for access to '/common/download_agent_installer.php'
🔍 How to Verify
Check if Vulnerable:
Check if the file '/common/download_agent_installer.php' exists and is accessible without authentication via curl:
curl -k https://<appliance-ip>/common/download_agent_installer.php
Check Version:
ssh admin@<appliance-ip> 'cat /etc/version' or check via web interface at https://<appliance-ip>/adminui
Verify Fix Applied:
After patching, verify the script returns an authentication error or 404 when accessed anonymously
📡 Detection & Monitoring
Log Indicators:
- Web server logs showing GET/POST requests to '/common/download_agent_installer.php' with command injection parameters
- System logs showing unexpected process execution or shell spawns
Network Indicators:
- HTTP requests to the vulnerable endpoint with suspicious parameters like 'cmd=', 'exec=', or shell metacharacters
SIEM Query:
source="web_access.log" AND uri="/common/download_agent_installer.php" AND (param="cmd" OR param="exec" OR param="system")
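As an added example (not part of this advisory), the following Python script applies the log indicators above to Apache-style access-log lines: it records every request for the vulnerable script and raises the severity when a 'cmd', 'exec' or 'system' parameter or shell metacharacters appear in the query string. The log lines and IP addresses are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2018:12:00:01 +0000] "GET /common/download_agent_installer.php?platform=linux&cmd=id HTTP/1.1" 200 512 "-" "curl/7.58.0"
198.51.100.7 - - [10/Jun/2018:12:00:02 +0000] "GET /common/download_agent_installer.php?platform=windows HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2018:12:00:03 +0000] "GET /common/download_agent_installer.php?platform=linux%3Bwhoami HTTP/1.1" 200 512 "-" "curl/7.58.0"
192.0.2.9 - - [10/Jun/2018:12:00:04 +0000] "GET /adminui/login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/common/download_agent_installer.php"
SUSPECT_PARAMS = {"cmd", "exec", "system"}          # parameter names named in the advisory
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")           # common shell metacharacters

def analyse_line(line):
    """Return a finding for any request to the vulnerable script, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    # Decode the query so percent-encoded metacharacters (e.g. %3B) are inspected too.
    params = parse_qsl(parts.query, keep_blank_values=True)
    reasons = []
    hit = {k.lower() for k, _ in params} & SUSPECT_PARAMS
    if hit:
        reasons.append("suspicious parameter: " + ",".join(sorted(hit)))
    for k, v in params:
        if SHELL_META.search(v):
            reasons.append(f"shell metacharacter in {k!r}")
            break
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "target": unquote(target), "severity": "high" if reasons else "info",
            "reasons": reasons}

def scan_log(text):
    """Scan a whole log text; plain accesses are 'info', injection-like ones 'high'."""
    return [f for f in (analyse_line(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["ts"], f["target"], "; ".join(f["reasons"]))
```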
🔗 References
- https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities
- https://www.exploit-db.com/exploits/44950/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-11138