Researchers at Core Security say they have discovered a total of more than 60 vulnerabilities in disk backup and system management appliances from Quest. The IT management firm has released patches, but threatened to take legal action against Core if it disclosed too many details.
More than 50 security holes have been found in Quest’s DR series disk backup appliances. The most serious of the flaws, according to Core, allows a remote and unauthenticated attacker to execute arbitrary system commands via the “password” parameter of the login process.
Experts also identified 45 other command injection issues in the product, but these require authentication. Core also claims to have uncovered six privilege escalation vulnerabilities that allow an attacker to gain root permissions.
The weaknesses impact Quest DR Series Disk Backup software version 4.0.3 and possibly earlier, and they have been patched with the release of version 220.127.116.11.
A separate advisory from Core describes 11 flaws affecting Quest’s KACE Systems Management Appliance. Researchers found that the product’s web console is affected by three command injection vulnerabilities, including one that can be exploited by an unauthenticated attacker.
The list of security holes found in this product also includes privilege escalation, SQL injection, cross-site scripting (XSS), and path traversal issues.
The vulnerabilities have been patched with a hotfix that is available for Quest KACE System Management Appliance versions 7.0, 7.1, 7.2, 8.0, and 8.1.
During the disclosure of the KACE flaws, Quest told Core that its work is in breach of the vendor’s license agreement and asked the security firm not to make its findings public to avoid legal action.
Quest, whose products are reportedly used by 130,000 companies, does have a responsible disclosure policy, but it states that reports of any vulnerability are considered the company’s confidential and proprietary information and cannot be disclosed to third parties.
Core has only published limited information about each of the vulnerabilities, but the company says it’s disappointed by Quest’s posture on disclosure.
“CoreLabs has been publishing security advisories since 1997 and believes in coordinated disclosure and good faith collaboration with software vendors before disclosure to help ensure that a fix or workaround solution is ready and available when the vulnerability details are publicized. We believe that providing technical details about each finding is necessary to provide users and organizations with enough information to understand the implications of the vulnerabilities against their environment and, most importantly, to prioritize the remediation activities aiming at mitigating risk,” Core said.