CVE-2018-11134

In order to perform actions that requires higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue managed that runs with root privileges and only allows a set of commands. One of the available commands allows changing any user's password (including root). A low-privilege user could abuse this feature by changing the password of the 'kace_support' account, which comes disabled by default but has full sudo privileges.

In order to perform actions that requires higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue managed that runs with root privileges and only allows a set of commands. One of the available commands allows changing any user's password (including root). A low-privilege user could abuse this feature by changing the password of the 'kace_support' account, which comes disabled by default but has full sudo privileges.

Para realizar acciones que requieran mayores privilegios, Quest KACE System Management Appliance 8.0.318 se basa en una cola de mensajes gestionada que se ejecuta con privilegios root y sólo permite un conjunto de comandos. Uno de los comandos disponibles permite cambiar la contraseña de cualquier usuario (incluyendo root). Un usuario de bajos privilegios podría explotar esta característica cambiando la contraseña de la cuenta "kace_support", que viene desactivada por defecto pero tiene todos los privilegios de sudo.