Description Preview
A XML External Entity (XXE) vulnerability exists in Quest KACE Desktop Authority versions prior to 11.2. The vulnerability occurs because the log4net configuration file might be controlled by an attacker, allowing for XXE attacks. This is related to the previously identified CVE-2018-1285 vulnerability. XXE attacks can lead to disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
Overview
Quest KACE Desktop Authority before version 11.2 is vulnerable to XML External Entity (XXE) attacks through the log4net configuration file. This vulnerability (CWE-611) occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. An attacker who can control the log4net configuration file could exploit this vulnerability to access files on the system, perform server-side request forgery, conduct internal port scanning, or potentially execute a denial of service attack. This vulnerability is related to the previously identified issue CVE-2018-1285, which affected Apache log4net.
Remediation
Organizations using Quest KACE Desktop Authority should:
- Upgrade to version 11.2 or later as recommended by Quest.
- If immediate upgrading is not possible, implement XML parser hardening by disabling external entity processing.
- Monitor systems for suspicious activity related to XML processing.
- Apply network segmentation to limit access to affected systems.
- Review Quest's official advisory for additional mitigation steps and product-specific guidance.
- Implement proper input validation for all XML inputs to the application.
References
- Quest Advisory: https://support.quest.com/kace-desktop-authority/kb/336098/quest-response-to-desktop-authority-vulnerabilities-prior-to-11-2
- Related vulnerability: CVE-2018-1285 (Apache log4net XXE vulnerability)
- CWE-611: Improper Restriction of XML External Entity Reference
Industry ExposureMost to leastThis section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- Accommodation & Food ServicesAccommodation & Food Services
- Administrative, Support, Waste Management & Remediation ServicesAdministrative, Support, Waste Management & Remediation Services
- Agriculture, Forestry Fishing & HuntingAgriculture, Forestry Fishing & Hunting
- Arts, Entertainment & RecreationArts, Entertainment & Recreation
- ConstructionConstruction
- Educational ServicesEducational Services
- Finance and InsuranceFinance and Insurance
- Health Care & Social AssistanceHealth Care & Social Assistance
- InformationInformation
- Management of Companies & EnterprisesManagement of Companies & Enterprises
- ManufacturingManufacturing
- MiningMining
- Other Services (except Public Administration)Other Services (except Public Administration)
- Professional, Scientific, & Technical ServicesProfessional, Scientific, & Technical Services
- Public AdministrationPublic Administration
- Real Estate Rental & LeasingReal Estate Rental & Leasing
- Retail TradeRetail Trade
- Transportation & WarehousingTransportation & Warehousing
- UtilitiesUtilities
- Wholesale TradeWholesale Trade
