CVE-2024-23773
📋 TL;DR
This vulnerability allows local attackers with access to a Windows system to delete any file with SYSTEM privileges through the KSchedulerSvc.exe component in Quest KACE Agent. It affects Quest KACE Agent for Windows versions 12.0.38 and 13.1.23.0. Attackers must already have local access to exploit this vulnerability.
💻 Affected Systems
- Quest KACE Agent for Windows
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Critical system files could be deleted, causing system instability, data loss, or complete system failure, potentially leading to denial of service or facilitating further attacks.
Likely Case
Attackers delete important configuration files, user data, or security logs to cover tracks, disrupt operations, or prepare for additional attacks.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated systems with minimal operational disruption.
🎯 Exploit Status
Exploitation requires local access to the system. The vulnerability is in a system service running with SYSTEM privileges, making exploitation straightforward once local access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to latest version as specified in Quest advisory
Vendor Advisory: https://support.quest.com/kb/4375402/quest-response-to-kace-sma-agent-vulnerabilities-cve-2024-23772-cve-2024-23773-cve-2024-23774
Restart Required: Yes
Instructions:
1. Download the latest Quest KACE Agent from the official Quest website.
2. Deploy the update through your existing patch management system.
3. Restart affected systems to complete the installation.
🔧 Temporary Workarounds
Restrict local access
Limit local user access to systems running vulnerable KACE Agent versions through strict access controls and privilege management.
Monitor file deletion events
Enable and monitor Windows Security Event Logs for file deletion events, particularly from the KSchedulerSvc.exe process.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
🧯 If You Can't Patch
- Implement strict least-privilege access controls to limit who can log into affected systems
- Deploy endpoint detection and response (EDR) solutions to monitor for suspicious file deletion activities
🔍 How to Verify
Check if Vulnerable:
Check the version of Quest KACE Agent installed. If the version is 12.0.38 or 13.1.23.0, the system is vulnerable.
Check Version:
Check the installed version through the KACE Agent interface or examine the program files directory for version information.
Verify Fix Applied:
Verify the KACE Agent version has been updated to a version later than 13.1.23.0 or 12.0.38 as specified in Quest's advisory.
📡 Detection & Monitoring
Log Indicators:
- File deletion events from KSchedulerSvc.exe process
- Unexpected SYSTEM privilege file operations
- Security logs showing unauthorized file access attempts
Network Indicators:
- Unusual outbound connections from systems running KACE Agent
- Lateral movement attempts to systems with KACE Agent
SIEM Query:
EventID=4663 AND ProcessName="KSchedulerSvc.exe" AND AccessMask="0x10000" (Delete access)
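An added example, not part of the original page or Quest's tooling: the SIEM query above written as a Python filter over Security events exported as XML. It generalizes the query by matching the process file name (event 4663 records the full image path) and by testing the DELETE bit instead of comparing the whole mask; the sample events and their paths are constructed placeholders.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DELETE = 0x10000              # DELETE standard access right
TARGET = "kschedulersvc.exe"  # compared case-insensitively


def _ev(event_id, process, mask, obj):
    """Build one constructed Security event in Windows event XML form."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="ObjectName">{obj}</Data>'
        f'<Data Name="AccessMask">{mask}</Data>'
        f'<Data Name="ProcessName">{process}</Data></EventData></Event>'
    )


# Constructed sample data; C:\EXAMPLE paths are placeholders, not real install paths.
SAMPLE = "<Events>" + "".join([
    _ev(4663, r"C:\EXAMPLE\KACE\KSchedulerSvc.exe", "0x10000", r"C:\EXAMPLE\target.txt"),
    _ev(4663, r"C:\EXAMPLE\KACE\KSchedulerSvc.exe", "0x10080", r"C:\EXAMPLE\other.log"),
    _ev(4663, r"C:\EXAMPLE\KACE\KSchedulerSvc.exe", "0x1", r"C:\EXAMPLE\read.cfg"),
    _ev(4663, r"C:\Windows\explorer.exe", "0x10000", r"C:\EXAMPLE\user.tmp"),
    _ev(4656, r"C:\EXAMPLE\KACE\KSchedulerSvc.exe", "0x10000", r"C:\EXAMPLE\handle.txt"),
]) + "</Events>"


def find_delete_events(xml_text):
    """Return ObjectName of each 4663 event where the target process used DELETE access."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4663":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        # ProcessName holds a full path, so compare the file name only.
        if ntpath.basename(data.get("ProcessName", "")).lower() != TARGET:
            continue
        try:
            mask = int(data.get("AccessMask", "0"), 16)
        except ValueError:
            continue  # skip events with an unparseable mask
        # Bit test: the mask may carry other rights alongside DELETE.
        if mask & DELETE:
            hits.append(data.get("ObjectName", ""))
    return hits


if __name__ == "__main__":
    for path in find_delete_events(SAMPLE):
        print("DELETE access by KSchedulerSvc.exe:", path)
```

Event 4663 is only written for objects whose SACL audits the access, so the auditpol setting above needs matching audit entries on the folders you want covered.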
🔗 References
- https://support.quest.com/kb/4375402/quest-response-to-kace-sma-agent-vulnerabilities-cve-2024-23772-cve-2024-23773-cve-2024-23774
- https://www.quest.com/kace/