The Quest team received a report from CRITICALSTART regarding possible vulnerabilities in the KACE Systems Management Appliance (SMA), listed below:
K1-30592 - Default Password for FTP access
K1-30593 - Default Password for MySQL access
K1-30594 - Rate limit can be bypassed on API login attempts
K1-30595 - Static symmetric encryption key is not unique per appliance
K1-30596 - API is not constrained by console ACL restrictions
Quest takes the handling of vulnerabilities seriously, and we investigate and respond to all reported potential vulnerabilities. Our vulnerability reporting and response process can be found here.
All reported issues above have been resolved in our 11.1 release of the KACE SMA, which can be downloaded here.
These vulnerabilities were submitted by Rich Mirch, Senior Adversarial Engineer for CRITICALSTART, TEAMARES.
© 2024 Quest Software Inc. ALL RIGHTS RESERVED.