Dell - can you please confirm.  What versions does this impact?  If true, how concerned should we be and what is the ETA for a patch?

 

http://console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html


Comments

  • was reported on version 5.5.90545
    • Do you happen to know what was actually changed between 5.5.90545 and 5.5.90546? I can't seem to find any release note information about 5.5.90546, but every article I do find is about K1000 hot fixes that work on 5.5.90545 or 5.5.90546. My guess is that 5.5.90546 was a minor bug fix for 5.5.90545 and at some point they pulled 5.5.90545 from being distributed.

      I do not believe 5.5.90546 would be immune to this or any other problems that would exist in 5.5.90545, unless someone can correct me on that point.
  • ETA on the fix would be great, I've called/emailed support about this security flaw.
  • We are aware of this and hope to have a resolution soon - Mary KACE Technical Support
    • Mary, if you restrict www access to VPN only, does that protect you?
    • Jbr32, my answer is not official, of course, but if I'm understanding the article correctly, it does appear they would have to be able to reach the web interface in order to launch an attack through this vulnerability. Thankfully we don't have our KBOX open to the outside world at all.
      • We restrict it via the Kbox ip settings. So if you hit our box from the wan you get the "oops file not found" message so I am hoping we are good.
  • I have a case open as well, FWIW.
  • A security vulnerability has been identified on the K1000. Affects versions 5.5, 5.4, and 5.3. The vulnerability allows access to the root of a K1000.

    To address this before the fix is available, it is recommended to block all incoming ports and/or disconnect your K1000 from the internet. Especially if your K1000 is in the DMZ. Even if your K1000 is behind a firewall, the most secure defense is to follow these instructions.

    We expect a fix to be issued by the end of today, March 11, 2014, along with further instructions.
  • Please see http://www.kace.com/support/resources/kb/solutiondetail?sol=SOL121792
    for Dell's response and updates.
    • Mary - I have some questions that I do not want to post here. Should I open a ticket or can you call/ email me to discuss?
  • Jbr32, you can open a ticket and request it be assigned to me. Opening a ticket is the best thing.
  • Just wanting to confirm, the forthcoming patch is not yet available, correct?
  • So much for "a fix to be issued by the end of today, March 11, 2014". New ETA?
  • Bob - can this post be featured so it does not fall off the homepage?
  • All, the download link for the 5.5 fix is on the SOL article listed above. Please read the note for the 5.5 patch. 5.4 is expected to be available shortly.
  • The hotfix for 5.4 has been updated in this article: http://www.kace.com/support/resources/kb/solutiondetail?sol=SOL121792
    5.5 and 5.4 hotfixes are listed.