Return
-
Title
How to check for and address the XMR-STAK vulnerability -
Description
A verification tool has been created to check for a known XMR-STAK vulnerability. This kbin checks for the presence of XMR-STAK as well as whether or not the KACE System Management Appliance has the Security Vulnerability Patch mentioned here.
For more information on this vulnerability, please see the Product Notification.
-
Resolution
To run this verification tool:
- Download the kbin
- Go to Settings | Appliance Updates
- Locate 'Manually Update' and then select Choose File
- After selecting the kbin, select Update
This kbin checks for the particular process in question, this does NOT exclude the possible existance of other unknown exploits or variants.When executing this, only one output will result in the log file:
- XMR-STAK -Unified All-in-one Monero miner was NOT detected; the current SMA appears to be running the security hotfix version.
- XMR-STAK -Unified All-in-one Monero miner was NOT detected, however, the current SMA is not running the security hotfix version.
- XMR-STAK -Unified All-in-one Monero miner was detected; the current SMA is not running the security hotfix version.
- XMR-STAK -Unified All-in-one Monero miner was NOT detected; the current SMA appears to be running the security hotfix version.
You can find this output in the update log file, which is immediately displayed in the UI after the KBIN is applied
As an example, after you apply the SMA Verification KBIN, you should see the following in the logs displayed:
[Mon Jul 1 12:35:41 PDT 2018] [notice] Begin KACE SMA Verification Check [Mon Jul 1 12:35:43 PDT 2018] [notice] *** This process only attempts to detect XMR-STAK, and cannot detect other unknown issues or variants. ***And ONE of the following possibilities:
1.
[Mon Jul 1 12:35:43 PDT 2018] [notice] XMR-STAK -Unified All-in-one Monero miner was detected; the current SMA is NOT running the security hotfix version.2.
[Mon Jul 1 12:35:43 PDT 2018] [notice] XMR-STAK -Unified All-in-one Monero miner was NOT detected; the current SMA is NOT running the security hotfix version.3.
[Mon Jul 1 12:35:43 PDT 2018] [notice] XMR-STAK -Unified All-in-one Monero miner was detected; the current SMA appears to be running the security hotfix version.4.
[Mon Jul 1 12:35:43 PDT 2018] [notice] XMR-STAK -Unified All-in-one Monero miner was NOT detected; the current SMA now appears to be running the security hotfix version.And finished with:
[Mon Jul 1 12:35:43 PDT 2018] [notice] KACE SMA Verification Check completedResolution steps depending on results:
- If XMR-STAK was not detected and KACE SMA is running the security hotfix version, no further actions are required.
- If XMR-STAK was not detected and KACE SMA is not running the security hotfix version, please proceed as following:
- Immediately prevent your KACE SMA from being accessible from the internet (via firewall rule, etc.).
- Download and apply the security hotfix.
- Once the security hotfix has been applied proceed opening Internet access to KACE SMA.
- If XMR-STAK is shown as detected and KACE SMA is not running the security hotfix version, proceed as following:
- Immediately prevent your KACE SMA from being accessible from the internet (via firewall rule, etc.)
- Download KACE SMA backups (KACE SMA backups are not affected by XMR) – How download backups see - How to download and upload backup files via FTP or CMD in versions 6.4 and higher (184159)
- Prepare a new appliance and restore from backups - To backup, reimage, and restore, refer to following article - How to migrate database between multiple SMAs (K1000s) (119863)
- Is KACE SMA a virtual appliance, download the OVF or Hyper-V resource from support site.
- Is KACE SMA a physical server, KACE Support will provide the images as required.
- Once KACE SMA has been restored from backups proceed applying hotfix.
- After the whole process has been completed proceed running XMR-STAK vulnerability verification tool and if results show clean proceed opening Internet access to KACE SMA.
- If XMR-STAK is shown as detected and KACE SMA is running the security hotfix version, proceed as following:
- Immediately prevent your KACE SMA from being accessible from the internet (via firewall rule, etc.)
- Download KACE SMA backups (KACE SMA backups are not affected by XMR) – How download backups see - How to download and upload backup files via FTP or CMD in versions 6.4 and higher (184159)
- Prepare a new appliance and install the hotfix
- Is KACE SMA a physical server, KACE Support will provide the images as required.
- Is KACE SMA a virtual appliance, download the OVF or Hyper-V resource from support site.
- Proceed restoring from backups. Restoring from backups, refer to following article - How to migrate database between multiple SMAs (K1000s) (119863)
- After the whole process has been completed proceed running XMR-STAK vulnerability verification tool and if results show clean proceed opening Internet access to KACE SMA.
For additional questions, please contact Support.
NOTE: This Kbin does not upgrade your appliance to a patched version. Please see Sol. 254193 to apply the patch if needed.