CVE-2021-44031
📋 TL;DR
CVE-2021-44031 is a critical pre-authentication remote code execution vulnerability in Quest KACE Desktop Authority. Attackers can upload malicious ASP files to execute arbitrary code on affected servers without authentication. Organizations running Desktop Authority versions before 11.2 are affected.
💻 Affected Systems
- Quest KACE Desktop Authority
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, steal sensitive data, install malware, pivot to other systems, and maintain persistent access.
Likely Case
Attackers gain initial foothold on the server, deploy web shells or ransomware, and potentially compromise the entire network through lateral movement.
If Mitigated
Limited impact with proper network segmentation and monitoring, though the vulnerability still provides initial access that could be detected and contained.
🎯 Exploit Status
Exploitation is straightforward - attackers can upload ASP files via the vulnerable endpoint without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.2
Vendor Advisory: https://support.quest.com/kace-desktop-authority/kb/336098/quest-response-to-desktop-authority-vulnerabilities-prior-to-11-2
Restart Required: Yes
Instructions:
1. Download Desktop Authority 11.2 or later from Quest support portal.
2. Backup current configuration and data.
3. Run the installer to upgrade to version 11.2+.
4. Restart the Desktop Authority service and IIS.
🔧 Temporary Workarounds
Block access to vulnerable endpoint
Windows: Restrict access to /dacomponentui/profiles/profileitems/outlooksettings/Insertimage.aspx via web application firewall or IIS URL filtering
IIS URL Rewrite rule:
<rule name="Block CVE-2021-44031" stopProcessing="true">
  <match url="^dacomponentui/profiles/profileitems/outlooksettings/Insertimage\.aspx" />
  <action type="AbortRequest" />
</rule>
Restrict file uploads to images directory
Windows: Configure IIS to block ASP file execution in /images/ directory
<!-- Scope this to the images directory. Removing the ASPClassic mapping without re-adding it stops IIS from executing *.asp files there. -->
<handlers>
  <remove name="ASPClassic" />
</handlers>
🧯 If You Can't Patch
- Network segmentation: Isolate Desktop Authority servers from internet and restrict internal access to authorized users only
- Implement strict web application firewall rules to block malicious file uploads and ASP file execution
🔍 How to Verify
Check if Vulnerable:
Check Desktop Authority version in administrative console or via registry: HKEY_LOCAL_MACHINE\SOFTWARE\Quest\Desktop Authority\Version
Check Version:
reg query "HKLM\SOFTWARE\Quest\Desktop Authority" /v Version
Verify Fix Applied:
Verify version is 11.2 or higher and test that ASP file uploads to /images/ directory are blocked
📡 Detection & Monitoring
Log Indicators:
- IIS logs showing POST requests to /dacomponentui/profiles/profileitems/outlooksettings/Insertimage.aspx with file uploads
- ASP file creation in /images/ directory
- Unusual process execution from IIS worker processes
Network Indicators:
- HTTP POST requests to vulnerable endpoint with file uploads
- ASP file requests to /images/{GUID}/ directory
SIEM Query:
source="IIS" AND (url="*Insertimage.aspx" OR url="*/images/*.asp")
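The log indicators above can also be checked offline against exported IIS logs. The following is an added example, not code from Quest or from this page's source: it parses W3C-format IIS log text, flags the two URL indicators listed above, and reports clients that triggered both. The function names and the sample log are constructed for illustration.

```python
import re

# Paths come from the indicators on this page; IIS URL paths are case-insensitive.
UPLOAD_PATH = "/dacomponentui/profiles/profileitems/outlooksettings/insertimage.aspx"
ASP_IN_IMAGES = re.compile(r"/images/.*\.asp$", re.IGNORECASE)

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2021-12-01 10:00:01 192.0.2.10 GET /dacomponentui/login.aspx 200
2021-12-01 10:02:13 198.51.100.7 POST /dacomponentui/profiles/profileitems/outlooksettings/Insertimage.aspx 200
2021-12-01 10:02:20 198.51.100.7 GET /images/00000000-0000-0000-0000-000000000000/sample.asp 200
2021-12-01 10:05:00 192.0.2.10 GET /images/logo.png 200
"""

def scan_iis_log(text):
    """Return findings as (indicator, client_ip, method, uri_stem, status) tuples."""
    fields, findings = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                        # skip truncated or malformed rows
        row = dict(zip(fields, values))
        stem, method = row.get("cs-uri-stem", ""), row.get("cs-method", "")
        if method == "POST" and stem.lower() == UPLOAD_PATH:
            indicator = "upload-endpoint-post"
        elif ASP_IN_IMAGES.search(stem):
            indicator = "asp-request-in-images"
        else:
            continue
        findings.append((indicator, row.get("c-ip", "-"), method, stem, row.get("sc-status", "-")))
    return findings

def clients_with_both(findings):
    """Client IPs seen posting to the upload endpoint and requesting ASP under /images/."""
    seen = {}
    for indicator, ip, *_ in findings:
        seen.setdefault(ip, set()).add(indicator)
    return sorted(ip for ip, kinds in seen.items() if len(kinds) == 2)

if __name__ == "__main__":
    results = scan_iis_log(SAMPLE_LOG)
    print(*results, clients_with_both(results), sep="\n")
```

A client that appears in `clients_with_both` is the higher-priority lead, since a POST to the endpoint alone may also be legitimate use of the feature.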