Quest has an upgrade available that addresses an improper input validation vulnerability in its KACE Systems Management Appliance (SMA), according to a report from NCCIC.
Successful exploitation of this remotely exploitable vulnerability, discovered by Juan Pablo Lopez Yacubian, could give an administrative user unintended access to the underlying operating system of the device.
The following versions of KACE Systems Management Appliance suffer from the issue:
• KACE SMA: All versions 8.0.x
• KACE SMA: All versions 8.1.x
• KACE SMA: All versions 9.0.x
The vulnerability allows unintended access to the appliance by leveraging functions of the troubleshooting tools located in the administrator user interface.
CVE-2019-10973 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 2.7.
The product sees use mainly in the information technology sector and is deployed on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill level could leverage the vulnerability.
Canada-based Quest recommends affected users upgrade to Version 9.1 or newer, which can be downloaded from the Quest support portal.