CVE-2019-12918

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to execute arbitrary SQL commands on Quest KACE Systems Management Appliance Server Center through SQL injection in the software_library.php file. Organizations using version 9.1.317 of this appliance are affected, potentially exposing sensitive system data and allowing unauthorized access.

💻 Affected Systems

Products:
  • Quest KACE Systems Management Appliance Server Center
Versions: 9.1.317
Operating Systems: Appliance OS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation of the affected version.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the KACE appliance database, allowing data exfiltration, privilege escalation, and potential lateral movement to connected systems.

🟠 Likely Case

Unauthorized access to sensitive system management data, configuration information, and potential credential harvesting from the database.

🟢 If Mitigated

Limited impact with proper network segmentation, database permissions, and input validation controls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities typically have low exploitation complexity, though specific exploit details for this CVE are not publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 9.1.317

Vendor Advisory: https://support.quest.com/kb/311388/quest-response-to-certezza-vulnerability-report

Restart Required: Yes

Instructions:

1. Log into the KACE appliance admin interface.
2. Navigate to System > Updates.
3. Apply the latest available update from Quest.
4. Restart the appliance as prompted.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement web application firewall rules or input validation to filter SQL injection patterns in order[0][column] and order[0][dir] parameters.

Network Segmentation

all

Restrict network access to the KACE appliance management interface to authorized administrative networks only.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the KACE appliance management interface.
  • Deploy a web application firewall with SQL injection detection rules in front of the appliance.

🔍 How to Verify

Check if Vulnerable:

Check the appliance version in the admin interface under Help > About. If the version is 9.1.317, the system is vulnerable.

Check Version:

Not applicable - check via web interface at /adminui/login.php

Verify Fix Applied:

After updating, verify the version is no longer 9.1.317 and test the software_library.php endpoint with SQL injection test payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by SQL error messages
  • Requests to software_library.php with unusual parameter values

Network Indicators:

  • HTTP POST requests to software_library.php containing SQL keywords in parameters
  • Unusual database connection patterns from the web server

SIEM Query:

source="web_logs" AND uri="/software_library.php" AND (param="order[0][column]" OR param="order[0][dir]") AND (value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "OR 1=1")
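
An allowlist check for the two parameters named in the workaround and in the SIEM query above, as an added example that is not vendor code or part of the original advisory. It assumes the parameters follow the DataTables server-side convention (integer column index, `asc`/`desc` direction) and that requests are available as (URL, body) pairs; the sample requests are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: DataTables-style parameters, i.e. the column is a small integer
# index and the direction is "asc" or "desc". Anything else gets flagged.
COLUMN_RE = re.compile(r"[0-9]{1,3}")
ALLOWED_DIRS = {"asc", "desc"}
TARGET = "software_library.php"


def check_params(query):
    """Return the reasons a query string or form body fails the allowlist."""
    reasons = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name == "order[0][column]" and not COLUMN_RE.fullmatch(value):
            reasons.append(f"order[0][column]={value!r} is not an integer index")
        elif name == "order[0][dir]" and value.lower() not in ALLOWED_DIRS:
            reasons.append(f"order[0][dir]={value!r} is not asc/desc")
    return reasons


def scan(requests):
    """Yield (request_no, reasons) for each flagged request to the endpoint.

    `requests` is an iterable of (url, body) pairs; body is the urlencoded
    POST body, or "" for a GET request.
    """
    for request_no, (url, body) in enumerate(requests, start=1):
        parts = urlsplit(url)
        if not parts.path.endswith("/" + TARGET):
            continue
        reasons = check_params(parts.query) + check_params(body)
        if reasons:
            yield request_no, reasons


# Constructed sample requests (not taken from a real appliance log).
SAMPLE = [
    ("/software_library.php?order%5B0%5D%5Bcolumn%5D=2&order%5B0%5D%5Bdir%5D=asc", ""),
    ("/software_library.php", "draw=1&order%5B0%5D%5Bdir%5D=desc%2C(SELECT+1)"),
    ("/software_library.php", "order%5B0%5D%5Bcolumn%5D=1+OR+1%3D1&order%5B0%5D%5Bdir%5D=ASC"),
    ("/other.php", "order%5B0%5D%5Bdir%5D=x"),
]

if __name__ == "__main__":
    for request_no, reasons in scan(SAMPLE):
        print(request_no, "; ".join(reasons))
```

Because it validates the shape of the value rather than matching keywords, this check also flags inputs that contain none of the strings listed in the SIEM query.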
