Researchers at Core Security Inc., a US-based cybersecurity company, said that they recently discovered more than 60 vulnerabilities in the DR series of disk backup devices and KACE system management devices produced by Quest (Quest Software, Inc.), an IT management company. Quest has already released a security patch but said that if too many details are disclosed, it may take legal action against Core Security.
Core Security released two security advisory reports last Thursday (May 31st), one for the Quest DR Series Disk Backup Appliance and the other for the Quest KACE System Management Appliance.
According to Core Security, they discovered more than 50 security flaws in the Quest DR series of disk backup devices. The most serious of the vulnerabilities allowed unauthenticated remote attackers to execute arbitrary system commands through the login process’s “password” parameter. Six privilege escalation vulnerabilities are also worth noting, as they allow attackers to gain root privileges.
The specific vulnerability numbers are as follows:
CVE-2018-11133, CVE-2018-11144, CVE-2018-11145, CVE-2018-11146, CVE-2018-11147, CVE-2018-11148, CVE-2018-11149, CVE-2018-11150, CVE-2018-11151, CVE-2018-11152, CVE-2018-11153, CVE-2018-11154, CVE-2018-11155, CVE-2018-11156, CVE-2018-11157, CVE-2018-11158, CVE-2018-11159, CVE-2018-11160, CVE-2018-11161, CVE-2018-11162, CVE-2018-11163, CVE-2018-11164, CVE-2018-11165, CVE-2018-11166, CVE-2018-11167, CVE-2018-11168, CVE-2018-11169, CVE-2018-11170, CVE-2018-11171, CVE-2018-11172, CVE-2018-11173, CVE-2018-11174, CVE-2018-11175, CVE-2018-11176, CVE-2018-11177, CVE-2018-11178, CVE-2018-11179, CVE-2018-11180, CVE-2018-11181, CVE-2018-11182, CVE-2018-11183, CVE-2018-11184, CVE-2018-11185, CVE-2018-11186, CVE-2018-11187, CVE-2018-11188, CVE-2018-11189, CVE-2018-11190, CVE-2018-11191, CVE-2018-11192, CVE-2018-11193, CVE-2018-11194.
All of these vulnerabilities affect Quest DR series disk backup software version 4.0.3 or earlier, and Quest has fixed them in release version 4.0.3.1.
Another security advisory report from Core describes 11 vulnerabilities affecting Quest KACE system management devices: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134, CVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140, CVE-2018-11133, CVE-2018-11137, and CVE-2018-11141.
The researchers found that the product’s Web console was affected by three command injection vulnerabilities, one of which could be exploited by unauthenticated attackers. The other eight vulnerabilities involve privilege escalation, SQL injection, cross-site scripting (XSS), and path traversal.
Researchers said that these vulnerabilities affect at least Quest KACE System Management Appliance Version 8.0 (Build 8.0.318). Other products and versions may also be affected but were not tested. Quest has released a security patch for versions 7.0, 7.1, 7.2, 8.0, and 8.1.
During the disclosure of all these vulnerabilities, Quest told Core Security that its work violated Quest's license agreement and demanded that Core Security not disclose its findings if it wanted to avoid legal action.
According to statistics, Quest’s products are said to be used by more than 130,000 companies worldwide. Quest does have a responsible disclosure policy, but it said that reports on any bugs are considered confidential and proprietary and that the information cannot be disclosed to third parties.
Core Security, therefore, issued only limited information about each vulnerability but expressed disappointment with Quest’s disclosure policy and attitude.