CVE-2018-11140
📋 TL;DR
This vulnerability allows attackers to execute arbitrary SQL commands on Quest KACE System Management Appliances through unsanitized input in the 'reportID' parameter. Organizations using the affected version of this appliance are at risk of database compromise and potential system takeover.
💻 Affected Systems
- Quest KACE System Management Appliance
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full database compromise leading to credential theft, data exfiltration, and complete system control through SQL injection to command execution chaining.
Likely Case
Database information disclosure, privilege escalation, and potential lateral movement within the network.
If Mitigated
Limited impact with proper input validation, database permissions, and network segmentation in place.
🎯 Exploit Status
Error-based SQL injection requires authentication but is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.0.319 or later
Vendor Advisory: https://support.quest.com/kace-systems-management-appliance/kb/335982/security-advisory-for-kace-sma-v8-0-318
Restart Required: Yes
Instructions:
1. Download the latest patch from the Quest support portal.
2. Apply the patch through the KACE appliance admin interface.
3. Restart the appliance as prompted.
🔧 Temporary Workarounds
Input Validation WAF Rule
Implement web application firewall rules to block SQL injection patterns in the reportID parameter
Access Restriction
Restrict access to /common/run_report.php to only trusted IP addresses. Note that iptables filters by address and port, not by URL path, so the rules below restrict the entire HTTPS interface to the trusted address; they are appended, so place them ahead of any existing ACCEPT rule for port 443 (use -I instead of -A if one exists), and apply them on a firewall in front of the appliance where you cannot run them on the appliance itself.
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the KACE appliance from critical systems
- Enable detailed SQL query logging and monitor for suspicious database activity
🔍 How to Verify
Check if Vulnerable:
Check the appliance version in the admin interface under Help > About. If version is 8.0.318 or earlier, the system is vulnerable.
Check Version:
Connect to the appliance web interface and navigate to Help > About to view version information.
Verify Fix Applied:
Verify the version shows 8.0.319 or later after patching and test the /common/run_report.php endpoint with SQL injection test payloads.
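The version check described above, turned into a small triage helper for a fleet of appliances. This is an added example, not code from the advisory or from Quest; the inventory dictionary and its hostnames are constructed, and the only fact it relies on is the fixed version 8.0.319 stated on this page.

```python
import re

# Fixed version from the vendor advisory on this page.
FIXED_VERSION = "8.0.319"


def parse_version(text):
    """Extract the first dotted version number from free text (such as the
    string shown under Help > About) and return it as a tuple of ints so
    that 8.0.318 < 8.0.319 < 8.1.52 compares correctly (string comparison
    would not)."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """True when the reported version is strictly below the fixed version,
    i.e. 8.0.318 or earlier per the advisory."""
    return parse_version(version_text) < parse_version(fixed)


def triage_inventory(inventory):
    """Given {hostname: version string}, return the hostnames still on an
    affected version, sorted for stable reporting. Entries without a
    parsable version are reported separately so they are not silently
    treated as patched."""
    affected, unknown = [], []
    for host, version_text in inventory.items():
        try:
            if is_vulnerable(version_text):
                affected.append(host)
        except ValueError:
            unknown.append(host)
    return sorted(affected), sorted(unknown)


# Constructed inventory for illustration only (hypothetical hostnames).
SAMPLE_INVENTORY = {
    "kace-hq": "KACE SMA version 8.0.318",
    "kace-branch": "8.0.319",
    "kace-lab": "Version: 8.1.52 (build 2)",
    "kace-old": "7.2.101",
    "kace-broken": "version unavailable",
}

if __name__ == "__main__":
    affected, unknown = triage_inventory(SAMPLE_INVENTORY)
    print("affected:", affected)
    print("could not determine:", unknown)
```

Feed it whatever text your asset inventory or the appliance's About page returns; anything that does not parse is listed under "unknown" rather than being assumed safe.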
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in web logs
- Multiple failed login attempts followed by SQL injection patterns
Network Indicators:
- Unusual database queries from web server IP
- SQL syntax in HTTP POST parameters to run_report.php
SIEM Query (illustrative pseudo-syntax; adapt it to your SIEM, extract reportID from the query string, and also match URL-encoded forms such as %27 for the quote):
source="web_logs" AND uri="/common/run_report.php" AND (reportID CONTAINS "'" OR reportID CONTAINS "UNION" OR reportID CONTAINS "SELECT")
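The log indicators and SIEM query above, implemented as an offline detector you can run over exported web-server logs. This is an added example and not part of the advisory; the log lines are constructed in Apache combined style and are not from a real appliance, and the detector assumes the request target appears in that position in the log line. It URL-decodes the reportID value before matching, so encoded variants are caught, and it treats any non-numeric reportID as suspicious (an allow-list check, stricter than the keyword list alone), adding the 5xx status as a separate error-based indicator.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample web-server log lines (Apache combined style) for
# illustration only; they are not taken from any real KACE appliance.
SAMPLE_LOGS = [
    '10.0.0.5 - admin [12/Jun/2018:10:00:01 +0000] "GET /common/run_report.php?reportID=42 HTTP/1.1" 200 5120',
    '10.0.0.9 - admin [12/Jun/2018:10:00:07 +0000] "GET /common/run_report.php?reportID=42%27 HTTP/1.1" 500 233',
    '10.0.0.9 - admin [12/Jun/2018:10:00:09 +0000] "GET /common/run_report.php?reportID=42+UNION+SELECT+1 HTTP/1.1" 500 233',
    '10.0.0.5 - admin [12/Jun/2018:10:01:00 +0000] "GET /common/index.php?page=1%27 HTTP/1.1" 200 800',
]

# Combined-log-format fields: client IP, ident, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

VULN_PATH = "/common/run_report.php"
SQL_KEYWORDS = ("UNION", "SELECT")  # the keywords named in the SIEM query above


def analyze_request(target):
    """Return None if the request is not for the vulnerable endpoint,
    otherwise a list of reasons the reportID value looks like injection
    (empty list means the value is a plain number)."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    # parse_qs percent-decodes and turns '+' into spaces, so %27 and
    # '+UNION+' are inspected in their decoded form.
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for raw in params.get("reportID", []):
        if not raw.isdigit():
            reasons.append("non-numeric reportID")
        if "'" in raw:
            reasons.append("quote")
        upper = raw.upper()
        reasons.extend(kw for kw in SQL_KEYWORDS if kw in upper)
    return reasons


def scan_logs(lines):
    """Run the detector over log lines and return one finding per
    suspicious request to run_report.php."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        reasons = analyze_request(match.group("target"))
        if not reasons:
            continue
        if match.group("status").startswith("5"):
            reasons.append("server error after suspicious input (error-based indicator)")
        findings.append({
            "ip": match.group("ip"),
            "user": match.group("user"),
            "timestamp": match.group("ts"),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(finding)
```

A run over the constructed lines flags the two requests from 10.0.0.9 and nothing else: the plain numeric reportID passes, and the quote in a different endpoint's parameter is out of scope for this rule. Because the check is an allow-list on the value's shape, it does not depend on guessing every keyword an attacker might use.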