Zero Day Initiative (ZDI) report update (4289622)

The Quest team has continued the investigation into TrendMicro’s Zero Day Initiative (ZDI) reports. 

Quest has not provided information or advice to ZDI relating to the advisories prior to their publication.  Quest believes that all known critical vulnerabilities have been effectively patched.

We take the processing of vulnerabilities seriously and investigate and respond to all reported potential vulnerabilities.  Our vulnerability reporting and response process can be found at https://support.quest.com/essentials/reporting-security-vulnerability for anyone that suspects they have uncovered a vulnerability.

Quest’s investigation has determined that the following advisory from ZDI replicates information originally posted in Quest’s KB article 254193 (https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-):  

•  https://www.zerodayinitiative.com/advisories/ZDI-18-1062

Quest provided a patch in April 2018 to address the concerns described in this advisory. As per previous Quest notifications (https://support.quest.com/product-notification/noti-00000134), we continue to reiterate that you should apply the patch if you have not already done so.  Additionally, you should follow Quest's networking best practices as listed in the following Knowledge Base article https://support.quest.com/kb/111775/, and not expose the appliance to the internet. 

The following advisories are also similar to information originally posted in the May CVEs published by CORE Security.  These issues only present themselves if the user has already advanced beyond network authentication barriers within the KACE SMA.  In both cases, the user would have to be logged into the AdminUI or SystemUI (with a valid username/password) to take advantage of what has been reported.  These issues have been resolved in the SMA version noted below.

•  https://www.zerodayinitiative.com/advisories/ZDI-18-1064  (resolved as of version 9.0.270)
•  https://www.zerodayinitiative.com/advisories/ZDI-18-1066  (resolved as of version 8.1.108)

The following two advisories are also similar to information originally posted in the May CVEs published by CORE Security, however, there are some differences that cause these to be addressed separately:

• https://www.zerodayinitiative.com/advisories/ZDI-18-1063  
• https://www.zerodayinitiative.com/advisories/ZDI-18-1065

For these specific items, it has been determined that these are not critical threats to the KACE appliance or customer environment.  These issues only present themselves if the user has already advanced beyond network authentication barriers within the KACE SMA.  In both cases, the user would have to be logged into the AdminUI or SystemUI (with a valid username/password) to take advantage of what has been reported.  While we recognize that username and passwords should follow security best practices, we will be providing a change in the SMA 9.1 release to address these two advisories.   For anyone that has concern in waiting until the 9.1 release, a Hotfix KBIN (which does not require/initiate a reboot) has been made available, attached to this article, for the 9.0.270 release.