KACE SDA response to Cross-Site Tracing (XST) vulnerabilities (4300893)

The KACE Systems Deployment Appliance (SDA) has the ability to remotely deploy operating systems by automated installation or imaging. It also provides automated migration and configuration capabilities. The SDA is available as a physical or virtual appliance.

There have been some concerns throughout the years regarding the ability to leverage TRACE HTTP requests in Cross-Site Tracing (XST) and similar attacks to steal information. 

More information about the vulnerabilities can be found below:

• https://nvd.nist.gov/vuln/detail/CVE-2004-2320

• http://www.apacheweek.com/issues/03-01-24#news

This issue is related to other CVEs that specify other web servers and applications, such as:

The ability to respond to both HTTP TRACE and TRACK requests has been disabled since version 3.2 of the SDA.

Any results from vulnerability scans regarding HTTP TRACE or TRACK are false positives, as those requests will result in a '403: Forbidden' HTTP status code.