Sign-up

ID

VAR-201401-0429


CVE

CVE-2014-1671


TITLE

Dell KACE K1000 In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-001260

DESCRIPTION

Multiple SQL injection vulnerabilities in Dell KACE K1000 5.4.76847 and possibly earlier allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the macAddress element in a (1) getUploadPath or (2) getKBot SOAP request to service/kbot_service.php; the ID parameter to (3) userui/advisory_detail.php or (4) userui/ticket.php; and the (5) ORDER[] parameter to userui/ticket_list.php. (1) service/kbot_service.php To getUploadPath request (2) service/kbot_service.php To getKBot SOAP request (3) userui/advisory_detail.php of ID Parameters (4) userui/ticket.php of ID Parameters (5) userui/ticket_list.php of ORDER[] Parameters. Dell Kace 1000 Systems Management Appliance is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Dell Kace 1000 Systems Management Appliance 5.4.76847 is vulnerable; other versions may also be affected. Dell KACE K1000 is a set of IT equipment management solutions in the KACE system management series of Dell (Dell). This solution provides functions such as software distribution, configuration management, patch installation, and security vulnerability remediation. The vulnerability is caused by (1) the service/kbot_service.php script does not correctly filter the 'macAddres' element in the getUploadPath and getKBot SOAP requests; (2) userui/advisory_detail The .php and userui/ticket.php scripts did not filter the 'ID' parameter correctly; (3) the userui/ticket_list.php script did not filter the 'ORDER[]' parameter correctly

Trust: 1.98

sources: NVD: CVE-2014-1671 // JVNDB: JVNDB-2014-001260 // BID: 65029 // VULHUB: VHN-69610

AFFECTED PRODUCTS

vendor:dellmodel:kace k1000 systems management virtual appliancescope:eqversion: -

Trust: 1.6

vendor:dellmodel:kace k1200s systems management appliancescope:eqversion: -

Trust: 1.6

vendor:dellmodel:kace k1100s systems management appliancescope:eqversion: -

Trust: 1.6

vendor:dellmodel:kace k1000 systems management appliancescope:eqversion: -

Trust: 1.6

vendor:dellmodel:kace k1000 systems management appliance softwarescope:eqversion:5.4.76847

Trust: 1.6

vendor:dellmodel:kace k1000 systems management appliancescope: - version: -

Trust: 0.8

vendor:dellmodel:kace k1000 systems management appliance softwarescope:lteversion:5.4.76847

Trust: 0.8

vendor:dellmodel:kace k1100s systems management appliancescope: - version: -

Trust: 0.8

vendor:dellmodel:kace k1200s systems management appliancescope: - version: -

Trust: 0.8

vendor:dellmodel:kace virtual k1000 systems management appliancescope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2014-001260 // CNNVD: CNNVD-201401-540 // NVD: CVE-2014-1671

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-1671
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-1671
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201401-540
value: MEDIUM

Trust: 0.6

VULHUB: VHN-69610
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-1671
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-69610
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-69610 // JVNDB: JVNDB-2014-001260 // CNNVD: CNNVD-201401-540 // NVD: CVE-2014-1671

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.9

sources: VULHUB: VHN-69610 // JVNDB: JVNDB-2014-001260 // NVD: CVE-2014-1671

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201401-540

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201401-540

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-001260

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-69610

PATCH
title:Dell KACE K1000 Systems Management Applianceurl:https://www.kace.com/products/systems-management-appliance/tech-specs
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2014-001260

EXTERNAL IDS
db:NVDid:CVE-2014-1671
Trust: 2.8
db:SECUNIAid:56396
Trust: 1.7
db:BIDid:65029
Trust: 1.4
db:JVNDBid:JVNDB-2014-001260
Trust: 0.8
db:CNNVDid:CNNVD-201401-540
Trust: 0.7
db:XFid:90592
Trust: 0.6
db:EXPLOIT-DBid:39057
Trust: 0.1
db:VULHUBid:VHN-69610
Trust: 0.1
sources:
            
            
            VULHUB: VHN-69610 // 
            
            
            
            BID: 65029 // 
            
            
            
            JVNDB: JVNDB-2014-001260 // 
            
            
            
            CNNVD: CNNVD-201401-540 // 
            
            
            
            NVD: CVE-2014-1671

REFERENCES
url:http://www.baesystemsdetica.com.au/research/advisories/dell-kace-k1000-sql-injection-%28ds-2014-001%29
Trust: 1.9
url:http://secunia.com/advisories/56396
Trust: 1.7
url:http://www.securityfocus.com/bid/65029
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/90592
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1671
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1671
Trust: 0.8
url:http://xforce.iss.net/xforce/xfdb/90592
Trust: 0.6
url:http://www.baesystemsdetica.com.au/research/advisories/dell-kace-k1000-sql-injection-(ds-2014-001)
Trust: 0.6
sources:
            
            
            VULHUB: VHN-69610 // 
            
            
            
            JVNDB: JVNDB-2014-001260 // 
            
            
            
            CNNVD: CNNVD-201401-540 // 
            
            
            
            NVD: CVE-2014-1671

CREDITS
Rohan Stelling, Bart Borkowski, and Alex Manusu, Detica.
Trust: 0.3
sources:
            
            
            BID: 65029

SOURCES
db:VULHUBid:VHN-69610
db:BIDid:65029
db:JVNDBid:JVNDB-2014-001260
db:CNNVDid:CNNVD-201401-540
db:NVDid:CVE-2014-1671

LAST UPDATE DATE
2024-11-23T23:02:50.398000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-69610date:2018-08-13T00:00:00
db:BIDid:65029date:2014-01-28T01:03:00
db:JVNDBid:JVNDB-2014-001260date:2014-01-28T00:00:00
db:CNNVDid:CNNVD-201401-540date:2014-01-28T00:00:00
db:NVDid:CVE-2014-1671date:2024-11-21T02:04:48.063

SOURCES RELEASE DATE
db:VULHUBid:VHN-69610date:2014-01-26T00:00:00
db:BIDid:65029date:2014-01-13T00:00:00
db:JVNDBid:JVNDB-2014-001260date:2014-01-28T00:00:00
db:CNNVDid:CNNVD-201401-540date:2014-01-28T00:00:00
db:NVDid:CVE-2014-1671date:2014-01-26T01:55:20.657