This article addresses the status of the KACE SMA and SDA regarding the OpenSSH Remote Code Execution Vulnerability described under CVE-2024-6387. For more details about this vulnerability please refer to: CVE-2024-6387
KACE has determined that the vulnerability described under CVE-2024-6387 impacts all supported versions of the KACE SMA and SDA appliances.
For immediate mitigation, SSH access can be completely disabled by deselecting the Enable SSH option in Settings | Security Settings. However, the affected supported FreeBSD versions will be updated in an upcoming patch release.
Update:
SMA version 14.1 and SDA version 9.3 contain the fix for this vulnerability. A Hotfix won't be available for previous releases as it entails updating the FreeBSD version, which can only be done with the upgrade to SMA 14.1 or SDA 9.3. Scanners may still show the SMA/SDA as vulnerable because of OpenSSH version, but it's fixed at the OS level.
Quest recommends that all customers ensure they are running a supported version of the KACE SMA. See KACE Software Product Support Lifecycle Policy
For any questions or assistance on this topic please contact out Tech Support.
