KACE LDAP Bind Credential Exposure
The (known) affected software version is 9.0.146 of both the KACE Systems Deployment and Remote Site appliances.
An authenticated user may edit the LDAP user-authentication settings in the service configuration, change the server host name or IP address to an attacker-controlled system, click the "Test Settings" button, and capture the plaintext bind credentials. The captured credentials may give a malicious actor a higher privilege level on the Active Directory domain. This is relevant to CWE-306: Missing Authentication for Critical Function.
It's also important to note that these appliances ship with default credentials, which could allow an unauthorized user to gain access to LDAP (Active Directory) credentials. It could also allow an authorized user of the KACE system to gain access to an account with a higher privilege level. Unfortunately, in my experience system administrators far too often use over-privileged Active Directory accounts, such as those belonging to the "Domain Admins" group. This has allowed me to capture Domain Admin credentials on a few occasions.
To remediate the vulnerability, the appliance should require that the LDAP bind password be re-entered whenever the LDAP authentication configuration is altered, and the test bind should use only the re-entered value rather than the stored secret.
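The following is an added example, not KACE's code, showing the remediation in miniature: a settings-update handler in which changing the server host, port or bind DN (or running a test bind) is refused unless the bind password is typed again, and only the typed value is ever sent to the configured server. The vulnerable variant is kept alongside it to show why the stored secret leaks. All names (`LdapConfig`, `hardened_update`, `simulated_bind`, the sample host names) are hypothetical and the bind is simulated, so the block runs offline.

```python
"""Added example (not KACE's code): an LDAP-settings update handler modelled
on the remediation described above. All names here are hypothetical."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class LdapConfig:
    host: str
    port: int
    bind_dn: str
    bind_password: str                      # stored secret; must not leave unasked
    search_base: str = "DC=corp,DC=example"  # a non-authentication setting


class ReauthRequired(Exception):
    """Raised when a change would send a bind but no password was re-entered."""


# Settings whose change redirects where the bind (and its password) is sent.
AUTH_FIELDS = {"host", "port", "bind_dn"}


def simulated_bind(host, port, bind_dn, password):
    """Stand-in for a real LDAP bind: returns what would leave the appliance."""
    return {"host": host, "port": port, "bind_dn": bind_dn, "password": password}


def vulnerable_update(cfg, changes, test=False):
    """Behaviour the writeup describes: edits are accepted as-is and
    "Test Settings" binds with the STORED password against the new host."""
    new_cfg = replace(cfg, **changes)
    sent = None
    if test:
        sent = simulated_bind(new_cfg.host, new_cfg.port, new_cfg.bind_dn,
                              new_cfg.bind_password)
    return new_cfg, sent


def hardened_update(cfg, changes, reentered_password=None, test=False):
    """Fixed behaviour: touching any AUTH_FIELD or running a test requires the
    bind password to be typed again, and only that typed value is ever sent.
    A user who cannot supply the password cannot make the appliance leak it."""
    if (AUTH_FIELDS & changes.keys()) or test:
        if not reentered_password:
            raise ReauthRequired("re-enter the LDAP bind password to change "
                                 "the server or test the settings")
        # The re-entered value becomes the stored one; the old secret is never reused.
        changes = {**changes, "bind_password": reentered_password}
    new_cfg = replace(cfg, **changes)
    sent = None
    if test:
        sent = simulated_bind(new_cfg.host, new_cfg.port, new_cfg.bind_dn,
                              reentered_password)
    return new_cfg, sent


# Constructed sample configuration (hypothetical names and addresses).
SAMPLE_CFG = LdapConfig("dc01.corp.example", 636,
                        "CN=svc-kace,OU=Service,DC=corp,DC=example", "S3cret!")


if __name__ == "__main__":
    redirect = {"host": "203.0.113.10", "port": 389}
    _, leaked = vulnerable_update(SAMPLE_CFG, redirect, test=True)
    print("vulnerable: stored password sent to", leaked["host"])
    try:
        hardened_update(SAMPLE_CFG, redirect, test=True)
    except ReauthRequired as exc:
        print("hardened:", exc)
```

The design point is that the check keys on the fields that determine where the bind goes, not on whether the password field was edited: the original bug is precisely that the password is untouched while its destination changes.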
A malicious actor can change the server hostname or IP address and LDAP port number and click the ‘Test Settings’ button, without being prompted to verify the currently configured credentials:
On the attacker system the credentials are captured in plaintext:
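From the defender's side the same event is visible as an outbound LDAP connection from the appliance to a host that is not one of the domain controllers. The block below is an added example, not part of the original writeup or any KACE feature: it runs over a few constructed firewall flow lines and flags LDAP-port connections from the appliance address to anything outside a known-DC allowlist. The log format, the appliance address (`10.0.0.5`), the domain-controller addresses and the example destination are all constructed.

```python
"""Added example (not KACE's code): flag outbound LDAP connections from the
appliance to hosts that are not known domain controllers. The log format and
every address below are constructed for the example."""
import re

APPLIANCE_IP = "10.0.0.5"                # assumed KACE appliance address
KNOWN_DCS = {"10.0.0.10", "10.0.0.11"}   # assumed domain controllers
LDAP_PORTS = {389, 636, 3268, 3269}      # LDAP, LDAPS, Global Catalog, GC over TLS

# Constructed firewall/flow records: one legitimate LDAPS bind to a DC, one
# LDAP connection to an outside host, one from a different source, and one
# non-LDAP connection that should not fire.
SAMPLE_LOG = """\
2023-05-21T10:02:11Z src=10.0.0.5 dst=10.0.0.10 dport=636 proto=tcp action=allow
2023-05-21T10:02:40Z src=10.0.0.5 dst=203.0.113.10 dport=389 proto=tcp action=allow
2023-05-21T10:03:02Z src=10.0.0.7 dst=203.0.113.10 dport=389 proto=tcp action=allow
2023-05-21T10:03:15Z src=10.0.0.5 dst=10.0.0.11 dport=3268 proto=tcp action=allow
2023-05-21T10:04:00Z src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
)


def unexpected_ldap_binds(log_text, appliance_ip=APPLIANCE_IP, known_dcs=KNOWN_DCS):
    """Return (timestamp, destination, port) for every LDAP-port connection
    that the appliance opened to a host outside the known-DC set.
    Malformed lines are skipped rather than raising."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] != appliance_ip:
            continue
        port = int(m["dport"])
        if port in LDAP_PORTS and m["dst"] not in known_dcs:
            alerts.append((m["ts"], m["dst"], port))
    return alerts


if __name__ == "__main__":
    for ts, dst, port in unexpected_ldap_binds(SAMPLE_LOG):
        print(f"{ts} appliance {APPLIANCE_IP} bound to non-DC {dst}:{port}")
```

Because the appliance has one legitimate set of LDAP peers, an allowlist of DC addresses is a tight rule with few false positives; the same alert can also be raised at the perimeter by simply denying egress on the LDAP ports from the appliance to anything but the DCs.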
KACE was notified of the vulnerability on 12/14/2022 and assigned case number 01963520. While KACE has stated that they plan to remediate the vulnerability in an upcoming release, it has not been fixed as of the time this article was published.
Update 5/21/2023: MITRE assigned CVE-2023-33254 to this vulnerability.