
ESB-2011.1137 - [Appliance] Dell KACE K2000 Appliance: Administrator compromise - Remote/unauthenticated
Date: 10 November 2011
Original URL: https://auscert.org.au/render.html?cid=1980&it=15083

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.1137
         A number of vulnerabilities have been identified in Dell
                           KACE K2000 Appliance
                             10 November 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Dell KACE K2000 Appliance
Publisher:         US-CERT
Operating System:  Network Appliance
Impact/Access:     Administrator Compromise -- Remote/Unauthenticated      
                   Cross-site Scripting     -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-4046  

Original Bulletin: 
   http://www.kb.cert.org/vuls/id/135606
   http://www.kb.cert.org/vuls/id/193529

Comment: This bulletin contains two (2) US-CERT security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#135606
Dell KACE K2000 Appliance contains backdoor administrator account

Overview
The Dell KACE K2000 System Deployment Appliance contains a hidden administrator 
account that could allow a remote attacker to take control of an affected 
device.

I. Description

The Dell KACE K2000 Deployment Appliance is an integrated systems provisioning 
product for large-scale operating systems deployment. Some versions of the 
product contain a backdoor administrator account with a fixed password, 
accessible via the administrative web interface of the device. Furthermore, the 
backdoor account is not visible from, and cannot be removed via, the appliance's 
administrative web interface.

II. Impact

A remote attacker could log in to an affected device with administrative 
privileges. Secondary impacts include: the ability to make configuration 
changes, modification of existing deployment/recovery images, access to 
sensitive information, and the ability to mount further attacks (e.g., execute 
arbitrary commands with elevated privileges).

III. Solution

We are currently unaware of a practical solution to this problem.
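Because the hidden account can be neither listed nor removed through the web interface, one compensating detection is to reconcile successful administrator logins against the account roster the web UI does show and against the management network the interface should be reachable from. The Python below is an added example, not US-CERT's or Dell's code; the log line layout, account names and addresses are constructed for illustration.

```python
import re
import ipaddress
from dataclasses import dataclass

# Constructed roster: every administrator account the appliance's web interface lists.
# Per the bulletin the backdoor account does not appear here, so a successful
# administrator session under any other name is the signal worth alerting on.
UI_VISIBLE_ADMINS = {"admin", "jdoe", "deploy-svc"}

# Constructed sample lines; this layout is an assumption, not the appliance's own log format.
SAMPLE_LOG = """\
2011-11-04T02:13:07Z 10.0.5.21 LOGIN user=admin result=success role=administrator
2011-11-04T02:14:55Z 10.0.5.44 LOGIN user=jdoe result=failure role=-
2011-11-04T03:02:11Z 203.0.113.9 LOGIN user=svc_hidden result=success role=administrator
2011-11-04T03:05:40Z 10.0.5.21 LOGIN user=deploy-svc result=success role=administrator
2011-11-04T03:09:02Z 198.51.100.7 LOGIN user=admin result=success role=administrator
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) LOGIN user=(?P<user>\S+) "
    r"result=(?P<result>\S+) role=(?P<role>\S+)$"
)

@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    user: str
    reason: str

def audit_admin_logins(log_text, visible_admins, management_nets):
    """One Finding per successful administrator login that is either under an
    account the web UI does not list or from outside the management networks."""
    nets = [ipaddress.ip_network(n) for n in management_nets]
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        # Only successful administrator sessions matter for this check.
        if not m or m["result"] != "success" or m["role"] != "administrator":
            continue
        src = ipaddress.ip_address(m["src"])
        if m["user"] not in visible_admins:
            findings.append(Finding(m["ts"], m["src"], m["user"], "account absent from web UI roster"))
        elif not any(src in n for n in nets):
            findings.append(Finding(m["ts"], m["src"], m["user"], "source outside management network"))
    return findings

if __name__ == "__main__":
    for f in audit_admin_logins(SAMPLE_LOG, UI_VISIBLE_ADMINS, ["10.0.0.0/8"]):
        print(f"{f.ts} {f.src} {f.user}: {f.reason}")
```

The roster should be exported from the web interface each time the check runs, so that a legitimately added administrator does not keep producing alerts.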

Vendor Information

Vendor				Status		Date Notified	Date Updated
Dell Computer Corporation, Inc.	Affected	2011-06-08	2011-11-08

References

http://www.kace.com/support/kb/index.php?action=artikel&id=1120&artlang=en

Credit

Thanks to Tenable Network Security for reporting this vulnerability.

This document was written by Chad Dougherty.
Other Information
Date Public:		2011-11-03
Date First Published:	2011-11-08
Date Last Updated:	2011-11-08
CERT Advisory:	 
CVE-ID(s):		CVE-2011-4046
NVD-ID(s):		CVE-2011-4046
US-CERT Technical Alerts:	 
Severity Metric:	33.84
Document Revision:	18

If you have feedback, comments, or additional information about this 
vulnerability, please send us email.

- -------------------------------------------------------------------------------

Vulnerability Note VU#193529
Dell KACE K2000 Appliance contains multiple reflected cross-site scripting 
vulnerabilities

Overview

The administrative web interface for the Dell KACE K2000 System Deployment 
Appliance contains multiple cross-site scripting vulnerabilities.

I. Description

The Dell KACE K2000 Deployment Appliance is an integrated systems provisioning 
product for large-scale operating systems deployment. Several components that 
support the administrative web interface supplied with the system are 
vulnerable to reflected (i.e., non-persistent) script injection.

A malicious link supplied by the attacker (e.g., in email or another web page) 
can cause the vulnerable web server to reflect injected code back to the user's 
browser, where it is executed in the context of the affected site. The 
vulnerable components require the victim user to be authenticated to the 
affected system in order for the attacker's script to be executed.

II. Impact

A remote attacker may be able to access the cookies, session tokens, or other 
sensitive information of a user authenticated to the affected system.

III. Solution

We are currently unaware of a practical solution to this problem.

Vendor Information

Vendor				Status		Date Notified	Date Updated
Dell Computer Corporation, Inc.	Affected	2011-06-08	2011-11-04

References

http://www.kace.com/support/kb/index.php?action=artikel&id=1120&artlang=en

Credit

Thanks to Tenable Network Security for reporting this vulnerability.

This document was written by Chad Dougherty.
Other Information
Date Public:		2011-11-03
Date First Published:	2011-11-08
Date Last Updated:	2011-11-08
CERT Advisory:	 
CVE-ID(s):	 
NVD-ID(s):	 
US-CERT Technical Alerts:	 
Severity Metric:	0.75
Document Revision:	15

If you have feedback, comments, or additional information about this 
vulnerability, please send us email.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----