CVE-2021-44029
📋 TL;DR
CVE-2021-44029 is a remote code execution vulnerability in Quest KACE Desktop Authority versions before 11.2, caused by insecure deserialization in the RadAsyncUpload function of ASP.NET AJAX. Attackers can exploit this to execute arbitrary code on affected systems when encryption keys are known (often through previous vulnerabilities like CVE-2017-11317). Organizations running vulnerable versions of Quest KACE Desktop Authority are affected.
💻 Affected Systems
- Quest KACE Desktop Authority
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary code with the privileges of the application service account, potentially leading to data theft, lateral movement, or complete system takeover.
Likely Case
Remote code execution leading to installation of malware, backdoors, or ransomware on affected systems, with potential for credential harvesting and network reconnaissance.
If Mitigated
No impact if systems are patched to version 11.2 or later, or if proper network segmentation and access controls prevent exploitation attempts.
🎯 Exploit Status
Exploitation is relatively straightforward once encryption keys are obtained. The vulnerability leverages known deserialization patterns in ASP.NET AJAX.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.2 and later
Vendor Advisory: https://support.quest.com/kace-desktop-authority/kb/336098/quest-response-to-desktop-authority-vulnerabilities-prior-to-11-2
Restart Required: Yes
Instructions:
1. Download Quest KACE Desktop Authority version 11.2 or later from the Quest support portal.
2. Back up the current configuration and data.
3. Run the installer to upgrade to the patched version.
4. Restart the application services and verify functionality.
🔧 Temporary Workarounds
Disable RadAsyncUpload handler
Remove or disable the vulnerable RadAsyncUpload handler in web.config to prevent exploitation; note that this also disables any upload features that depend on the handler.
Edit the web.config file and remove or comment out the RadAsyncUpload handler registration.
Network segmentation and access controls
Restrict network access to the Quest KACE Desktop Authority web interface.
Configure firewall rules to limit access to only trusted IP addresses.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable systems from untrusted networks
- Deploy web application firewall (WAF) rules to block deserialization attacks and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check the installed version of Quest KACE Desktop Authority in the application interface or installation directory
Check Version:
Check the application version in the Quest KACE Desktop Authority admin interface or examine the installed program version in Windows Programs and Features
Verify Fix Applied:
Verify that version 11.2 or later is installed and that the RadAsyncUpload handler has been updated
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to RadAsyncUpload handlers
- Deserialization errors in application logs
- Unexpected process creation from the application service account
Network Indicators:
- HTTP requests containing serialized objects to RadAsyncUpload endpoints
- Unusual outbound connections from the application server
SIEM Query:
source="web_server_logs" AND (url="*RadAsyncUpload*" OR (method="POST" AND status="200" AND size>100000))
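As an added example (not from this advisory or from Quest), the same two-branch logic as the SIEM query above applied to constructed IIS W3C log lines in Python: any request to a RadAsyncUpload handler, or any large successful POST, is flagged with its reason. The type=rau query-string match is an assumption based on how the Telerik async-upload handler is normally addressed, and the cs-bytes field is assumed to be enabled in IIS logging.

```python
import re

# Constructed sample in IIS W3C extended format (not real traffic). The size
# check relies on the cs-bytes field, which must be enabled in IIS logging.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status cs-bytes
2021-12-01 10:00:01 GET /Default.aspx - 10.0.0.5 200 512
2021-12-01 10:00:07 POST /Telerik.Web.UI.WebResource.axd type=rau 10.0.0.9 200 184320
2021-12-01 10:00:09 POST /RadAsyncUpload.ashx - 203.0.113.7 200 2048
2021-12-01 10:00:15 POST /api/upload - 10.0.0.5 200 150000
2021-12-01 10:00:20 GET /RadAsyncUpload.ashx - 10.0.0.5 404 0
"""

# Matches the query's url="*RadAsyncUpload*" term plus the query string the
# Telerik async-upload handler is normally reached through (assumed: type=rau).
RAU_PATTERN = re.compile(r"RadAsyncUpload|[?&]type=rau(?:&|$)", re.IGNORECASE)
LARGE_POST_BYTES = 100000  # same threshold as the SIEM query above


def parse_w3c(text):
    """Parse IIS W3C lines into dicts keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if len(values) == len(fields):  # skip malformed lines, never misalign
                rows.append(dict(zip(fields, values)))
    return rows


def flag_requests(rows):
    """Return the requests matching either branch of the SIEM query, with reasons."""
    hits = []
    for r in rows:
        url = r["cs-uri-stem"]
        if r["cs-uri-query"] != "-":
            url += "?" + r["cs-uri-query"]
        reasons = []
        if RAU_PATTERN.search(url):
            reasons.append("request to RadAsyncUpload handler")
        if r["cs-method"] == "POST" and r["sc-status"] == "200" and int(r["cs-bytes"]) > LARGE_POST_BYTES:
            reasons.append("large successful POST")
        if reasons:
            hits.append({"time": r["time"], "client": r["c-ip"], "url": url, "reasons": reasons})
    return hits
```

Run `flag_requests(parse_w3c(SAMPLE_LOG))` against real IIS logs by substituting the file contents; the handler branch fires on any method, mirroring the query, so triage by client and volume.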