CVE-2019-10973
📋 TL;DR
This vulnerability in Quest KACE appliances allows unauthorized access through troubleshooting tools in the administrator interface. It affects all Quest KACE versions prior to 8.0.x, 8.1.x, and 9.0.x, potentially exposing administrative functions to attackers.
💻 Affected Systems
- Quest KACE Systems Management Appliance
📦 What is this software?
Kace Systems Management Appliance by Quest
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the KACE appliance, allowing attackers to execute arbitrary commands, access sensitive data, and pivot to other systems in the network.
Likely Case
Unauthorized access to administrative functions, configuration changes, and potential data exfiltration from the appliance.
If Mitigated
Limited impact with proper network segmentation and access controls, potentially only exposing non-critical troubleshooting functions.
🎯 Exploit Status
Exploitation requires access to the administrator interface but leverages built-in troubleshooting tools. No public exploit code was found in references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.0.x, 8.1.x, or 9.0.x
Vendor Advisory: https://www.us-cert.gov/ics/advisories/icsa-19-183-02
Restart Required: Yes
Instructions:
1. Back up current configuration and data.
2. Download and install the latest patched version (8.0.x, 8.1.x, or 9.0.x) from Quest support portal.
3. Follow vendor upgrade documentation.
4. Restart appliance after installation.
🔧 Temporary Workarounds
Restrict Administrator Interface Access
Limit network access to the KACE administrator interface to trusted IP addresses only.
Configure firewall rules to restrict access to KACE appliance admin interface (typically port 443/HTTPS) to specific management IP ranges
Disable Unused Troubleshooting Tools
Review and disable any unnecessary troubleshooting tools in the administrator interface.
Log in to KACE admin interface > Navigate to Administration > Troubleshooting > Disable unused tools
🧯 If You Can't Patch
- Implement strict network segmentation to isolate KACE appliance from untrusted networks
- Enforce strong authentication and implement multi-factor authentication for all administrator accounts
🔍 How to Verify
Check if Vulnerable:
Check the current KACE version in the administrator interface under Help > About. If the version is below 8.0.x, 8.1.x, or 9.0.x, the system is vulnerable.
Check Version:
Log in to KACE admin interface and navigate to Help > About to view version information
Verify Fix Applied:
After patching, verify that the version shows 8.0.x, 8.1.x, or 9.0.x in Help > About. Test that troubleshooting tools function correctly with proper authentication.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to troubleshooting tools
- Unusual administrative activity from non-standard IP addresses
- Configuration changes without proper authentication logs
Network Indicators:
- Unusual traffic patterns to KACE admin interface troubleshooting endpoints
- Access to administrative functions from unexpected source IPs
SIEM Query:
source="kace_appliance" AND (event_type="admin_access" OR event_type="troubleshooting_tool") AND (user="unknown" OR src_ip NOT IN (trusted_management_ips))
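
The detection logic of the SIEM query above, as an added Python example (not vendor or original-page code) with the final `user`/`src_ip` condition grouped explicitly, since AND/OR precedence differs between query languages. The field names come from the query; the event records and the trusted management ranges are constructed assumptions, not real KACE log output.

```python
import ipaddress

# Assumption: site-specific management ranges (RFC 5737 documentation nets here).
TRUSTED_MANAGEMENT_NETS = [ipaddress.ip_network(n)
                           for n in ("192.0.2.0/28", "198.51.100.10/32")]
WATCHED_EVENT_TYPES = {"admin_access", "troubleshooting_tool"}

def is_trusted(src_ip):
    """True only if src_ip parses and falls inside a trusted management net."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # missing or malformed source address counts as untrusted
    return any(addr in net for net in TRUSTED_MANAGEMENT_NETS)

def in_scope(event):
    """Event comes from the appliance and is one of the watched event types."""
    return (event.get("source") == "kace_appliance"
            and event.get("event_type") in WATCHED_EVENT_TYPES)

def matches(event):
    """Scope AND (unknown user OR untrusted source), grouping made explicit."""
    return in_scope(event) and (event.get("user") == "unknown"
                                or not is_trusted(event.get("src_ip", "")))

def matches_and_first(event):
    """Same terms without the last group, read with AND binding tighter than OR."""
    return ((in_scope(event) and event.get("user") == "unknown")
            or not is_trusted(event.get("src_ip", "")))

# Constructed sample events (hypothetical records, for illustration only).
SAMPLE_EVENTS = [
    {"id": 1, "source": "kace_appliance", "event_type": "admin_access", "user": "admin", "src_ip": "192.0.2.5"},
    {"id": 2, "source": "kace_appliance", "event_type": "troubleshooting_tool", "user": "unknown", "src_ip": "192.0.2.5"},
    {"id": 3, "source": "kace_appliance", "event_type": "troubleshooting_tool", "user": "admin", "src_ip": "203.0.113.77"},
    {"id": 4, "source": "web_proxy", "event_type": "http_request", "user": "alice", "src_ip": "203.0.113.77"},
    {"id": 5, "source": "kace_appliance", "event_type": "inventory_sync", "user": "unknown", "src_ip": "192.0.2.5"},
    {"id": 6, "source": "kace_appliance", "event_type": "admin_access", "user": "admin"},  # no src_ip field
]

def alert_ids(events, predicate=matches):
    """Return the ids of events the predicate flags, in input order."""
    return [e["id"] for e in events if predicate(e)]

if __name__ == "__main__":
    print("grouped:  ", alert_ids(SAMPLE_EVENTS))
    print("AND-first:", alert_ids(SAMPLE_EVENTS, matches_and_first))
```

Under the ungrouped AND-first reading, event 4 (a different log source entirely) is flagged only because its source IP is outside the trusted ranges, which is the noise the explicit grouping avoids.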