CVE-2019-20504

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Quest KACE K1000 Systems Management Appliances by injecting shell metacharacters into the kuid parameter of the service/krashrpt.php endpoint. It affects all organizations running vulnerable versions of the K1000 appliance, which is commonly used for IT asset management and system administration.

💻 Affected Systems

Products:
  • Quest KACE K1000 Systems Management Appliance
Versions: All versions before 6.4 SP3 (specifically before version 6.4.120822)
Operating Systems: KACE K1000 appliance OS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable endpoint is part of the standard installation and requires no special configuration to be exploitable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing an attacker to gain root access, deploy ransomware, exfiltrate sensitive data, and pivot to other internal systems.

🟠 Likely Case

Remote code execution leading to data theft, installation of backdoors, or disruption of IT management functions.

🟢 If Mitigated

Limited impact if network segmentation prevents external access and proper input validation is implemented.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible remotely and exploitation requires no authentication.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows privilege escalation and lateral movement within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code. The vulnerability requires no authentication and uses simple command injection techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4 SP3 (version 6.4.120822) or later

Vendor Advisory: https://support.quest.com/kace-systems-management-appliance/kb/335965/security-advisory-for-kace-sma-v6-4

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Download the 6.4 SP3 update from the Quest support portal.
3. Apply the update through the K1000 administrative interface.
4. Restart the appliance as prompted.
5. Verify the update completed successfully.

🔧 Temporary Workarounds

Block access to vulnerable endpoint

Use a web application firewall or network firewall to block access to /service/krashrpt.php

# Drop plaintext HTTP requests whose payload contains the vulnerable path.
# Note: the port 443 rule cannot see inside TLS-encrypted traffic, so it only
# helps where TLS is terminated before this host; block HTTPS at the WAF or
# reverse proxy instead. Both rules also drop legitimate agent crash reports.
iptables -A INPUT -p tcp --dport 80 -m string --string "/service/krashrpt.php" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/service/krashrpt.php" --algo bm -j DROP

Input validation at proxy level

Configure the reverse proxy to block requests whose kuid parameter contains shell metacharacters

# Apache mod_security rule: deny any request whose kuid argument contains a shell metacharacter
SecRule ARGS:kuid "[;|&`$()]" "id:1001,phase:2,deny,status:403"

🧯 If You Can't Patch

  • Isolate the K1000 appliance in a separate network segment with strict firewall rules limiting access to authorized administrators only.
  • Implement network-based intrusion detection/prevention systems to monitor for exploitation attempts and block malicious traffic patterns.

🔍 How to Verify

Check if Vulnerable:

Check the appliance version in the K1000 administrative interface under Help > About. If version is below 6.4.120822, the system is vulnerable.

Check Version:

ssh admin@k1000-ip 'cat /etc/version' or check via web interface

Verify Fix Applied:

Verify version is 6.4.120822 or higher and test that the /service/krashrpt.php endpoint properly validates the kuid parameter.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /service/krashrpt.php with shell metacharacters in parameters
  • System logs showing unexpected command execution or process creation

Network Indicators:

  • HTTP requests containing shell metacharacters (;, |, &, `, $, (, )) in the kuid parameter
  • Outbound connections from the K1000 appliance to suspicious external IPs

SIEM Query:

source="k1000-logs" AND (url="/service/krashrpt.php" AND (param="*;*" OR param="*|*" OR param="*&*" OR param="*`*" OR param="*$(*"))
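The SIEM query above matches raw wildcards against the logged URL, and the proxy-level workaround further up checks the kuid parameter against a denylist. The following added example (not code from this advisory page or from Quest) runs both kinds of check over a few constructed Apache-style access log lines for /service/krashrpt.php and shows the gap between them: a metacharacter that arrives percent-encoded (%3B for ';') is missed by a raw string match but caught once the parameter is decoded, and an allowlist on the identifier format catches it without needing a complete list of bad characters. The log format, the sample lines and the assumed kuid format (hex/dash identifier, since the page does not document the real one) are all assumptions; it also assumes the parameter is visible in the request line, since plain access logs do not record POST bodies, in which case a WAF or proxy log that records arguments is needed.

```python
"""Flag requests to /service/krashrpt.php whose kuid parameter is suspicious.

Added example; not code from the advisory page or from Quest. The log format,
sample lines and the assumed kuid identifier format are all constructed here.
"""
import re
from urllib.parse import unquote_plus, urlsplit

VULN_PATH = "/service/krashrpt.php"

# Shell metacharacters named in the advisory's network indicators (denylist).
METACHARS = re.compile(r"[;|&`$()]")

# ASSUMPTION: a legitimate kuid looks like a hex/dash identifier. The page does
# not document the real format; tighten this to match what your appliance sends.
KUID_ALLOWED = re.compile(r"^[A-Za-z0-9-]{1,64}$")

# Apache/nginx combined log format: client, ident, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not captured from a real appliance).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2020:10:00:01 +0000] "POST /service/krashrpt.php?kuid=3f2a9c0e-1b2d-4e5f-8a9b-0c1d2e3f4a5b HTTP/1.1" 200 12
10.0.0.7 - - [10/Mar/2020:10:00:02 +0000] "POST /service/krashrpt.php?kuid=abc;id HTTP/1.1" 200 12
10.0.0.9 - - [10/Mar/2020:10:00:03 +0000] "POST /service/krashrpt.php?kuid=abc%3Bid HTTP/1.1" 200 12
10.0.0.9 - - [10/Mar/2020:10:00:04 +0000] "GET /adminui/ HTTP/1.1" 200 12
"""


def parse_query(query):
    """Split a query string on '&' and percent-decode keys and values.

    Done by hand rather than with parse_qs so that ';' is never treated as a
    pair separator (older Python versions did that), which would hide 'abc;id'.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def classify(line):
    """Return a finding dict for a krashrpt.php request, or None if not relevant."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m["target"]
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    kuids = parse_query(parts.query).get("kuid", [])
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "kuid": kuids,
        # What a wildcard match on the raw log line (like the SIEM query) sees.
        "raw_denylist_hit": bool(METACHARS.search(target)),
        # Same denylist applied after percent-decoding: also catches %3B, %7C, ...
        "decoded_denylist_hit": any(METACHARS.search(v) for v in kuids),
        # What proxy-side validation should enforce: an allowlist, not a denylist.
        "allowlist_violation": (not kuids) or any(not KUID_ALLOWED.match(v) for v in kuids),
    }


def scan(log_text):
    """Return findings for every krashrpt.php request that fails the allowlist
    or contains a metacharacter after decoding."""
    findings = []
    for line in log_text.splitlines():
        f = classify(line)
        if f and (f["decoded_denylist_hit"] or f["allowlist_violation"]):
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["kuid"], "raw_hit=%s" % f["raw_denylist_hit"])
```

Running the script reports the second and third sample lines; for the third, raw_hit is False because the semicolon was encoded, which is exactly the case the wildcard SIEM query would miss. Decoding before matching, or normalising the parameter in the SIEM pipeline, closes that gap.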
