Several potential vulnerabilities in K2000 version 3.3 were disclosed to CERT. The following have been addressed in K2000 3.3 SP1 for International Customers.
Note: The K2000 is an agentless Systems Deployment Appliance that relies on PXE boot services to deploy operating systems to computers. Protocols such as TFTP, which provide no data stream security, are built into the PXE standard, and most of the protocols PXE specifies have no substitute that does.
Sites with high security requirements may want to consider dedicated deployment-only networks with adequate physical and network security.
If the K2000 is used on a mixed network, the following areas call for particular attention.
Recovery Account (CERT VU#135606)
The K2000 version 3.3 has a recovery account intended for use by KACE support only when assisting customers. The password to this account can be determined by examination of the PHP source code on the appliance.
Note: This account has been replaced with an alternate admin recovery password in K2000 3.3 SP1 and newer. The recovery password is cycled regularly, does not appear in the PHP source code, and is not stored in the clear anywhere on the appliance. All K2000 administrators are encouraged to upgrade to the latest release.
Dell KACE recommends that access to the appliance web UI be limited by means of physical and network security to mitigate this possible vulnerability.
Arbitrary Command Execution (CERT VU#589089)
There is a database table in the appliance that schedules commands to be run as root on the appliance. Anyone who obtains write access to the database can insert rows into this table, and the inserted commands are then run as root, compromising the appliance. We note that in the normal configuration of the appliance:
- external SSH access to the root account is turned off by default
- offboard database access is turned off by default
Note: In K2000 3.3 SP1 and newer, offboard database access carries no write privileges to the database, eliminating this vulnerability.
Dell KACE recommends that both settings remain turned off as a best practice, which mitigates the vulnerability on unpatched appliances. All K2000 administrators are encouraged to upgrade to the latest release to eliminate it.
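To make the mechanism concrete, the following is an added example and not K2000 code: a scheduler that hands database rows to a root shell, the same scheduler hardened so the database can only choose a job and never supply a command, and a read-only database connection standing in for the SP1 change. The table name SCHEDULED_COMMANDS, the column, the job names and the paths are invented for the demonstration, and SQLite's PRAGMA query_only is used in place of a GRANT SELECT-only MySQL account.

```python
"""Added example, not K2000 code: a scheduler that executes database rows as
root, the same scheduler hardened, and a read-only database as the backstop.
The table name, column name, job names and paths are invented for the demo."""
import sqlite3

# Fixed jobs the appliance legitimately needs to run as root. The hardened
# scheduler only ever runs one of these; the database chooses WHICH job,
# never WHAT gets executed.
ALLOWED_JOBS = {
    "rotate_logs": ["/usr/sbin/newsyslog"],
    "sync_boot_env": ["/opt/appliance/bin/sync-boot-env"],
}


def new_db():
    """In-memory stand-in for the appliance database with one legitimate row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SCHEDULED_COMMANDS (id INTEGER PRIMARY KEY, command TEXT)")
    conn.execute("INSERT INTO SCHEDULED_COMMANDS (command) VALUES ('rotate_logs')")
    conn.commit()
    return conn


def attacker_writes(conn, payload):
    """Everything an attacker with write access to the table has to do.
    Returns True if the row landed, False if the database refused the write."""
    try:
        conn.execute("INSERT INTO SCHEDULED_COMMANDS (command) VALUES (?)", (payload,))
        conn.commit()
        return True
    except sqlite3.OperationalError:
        return False


def vulnerable_scheduler(conn):
    """The original pattern: each row's text is handed to a root shell.
    Dry run: returns the strings it would pass to `sh -c` instead of executing."""
    rows = conn.execute("SELECT command FROM SCHEDULED_COMMANDS ORDER BY id")
    return [command for (command,) in rows]


def hardened_scheduler(conn):
    """Treats the column as a job name and resolves it through ALLOWED_JOBS.
    Returns (argv lists a real runner would pass to subprocess.run(argv),
    rejected names). No shell is involved at any point."""
    argvs, rejected = [], []
    for (name,) in conn.execute("SELECT command FROM SCHEDULED_COMMANDS ORDER BY id"):
        if name in ALLOWED_JOBS:
            argvs.append(ALLOWED_JOBS[name])
        else:
            rejected.append(name)  # a real runner would also log and alert here
    return argvs, rejected


def make_read_only(conn):
    """Stands in for the SP1 change (offboard access has no write privileges).
    In MySQL this is a SELECT-only account; SQLite emulates it per connection."""
    conn.execute("PRAGMA query_only = 1")


def demo():
    conn = new_db()
    injected = attacker_writes(conn, "id > /tmp/owned")  # harmless marker payload
    result = {
        "injected": injected,
        "vulnerable_would_run": vulnerable_scheduler(conn),
        "hardened_would_run": hardened_scheduler(conn),
    }
    make_read_only(conn)
    result["injected_after_readonly"] = attacker_writes(conn, "id > /tmp/owned2")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things are worth noticing when running it: the vulnerable scheduler would execute the injected row verbatim, while the hardened one runs only the allowlisted job and reports the unknown name; and once the connection is read-only the injection itself fails, which is the defence SP1 applies to offboard access. Both controls are worth having, since the read-only grant protects against the offboard path only and the allowlist protects against any write path.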
Account Info Disclosure (CERT VU#702169)
Examination of tables in the K2000's database shows that hashed passwords are stored there. We note that:
- Offboard database access is turned off by default.
- No passwords are stored in clear text in the appliance database.
- All password hashes are created using MD5 (K2000 3.3 and older) or SHA-1 (K2000 3.3 SP1 and newer). Both are fast general-purpose hashes rather than functions designed to slow down password guessing, so an attacker who obtains the hashes can test candidate passwords offline at high speed; the strength of the password is what decides whether such an attack succeeds.
- When the administrator sets the admin password, its strength is rated using a standard algorithm, so that if an appropriately strong password is chosen, disclosure of its hashed value is less exposed to an offline dictionary attack.
- When LDAP integration is turned on:
  - local user accounts other than "admin" are disabled, making their passwords unusable
  - no passwords for LDAP accounts are stored on the appliance for longer than it takes to authenticate the user
  - no passwords for LDAP accounts are ever stored in the appliance database
Dell KACE recommends that security best practices be followed in
- keeping offboard database access turned off
- the use of complex, dictionary-attack-resistant passwords for all local users
These practices will mitigate any theoretical vulnerability posed by the storage of hashed passwords for local users in the appliance database. All K2000 administrators are encouraged to upgrade to the latest release.
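The following is an added example, not K2000 code, showing what the offline dictionary attack mentioned above looks like against a dump of MD5 and SHA-1 hashes and why the password recommendation is the control that matters. The accounts, passwords, hashes and wordlist are all constructed here; the digests are assumed to be plain unsalted hex (the advisory does not state whether a salt is used), which is also what lets the digest length alone tell MD5 (3.3) from SHA-1 (SP1) rows.

```python
"""Added example, not K2000 code: an offline dictionary attack against a dump of
MD5/SHA-1 password hashes, showing why password strength is the deciding factor.
Accounts, passwords, hashes and the wordlist are constructed for the demo, and the
digests are assumed to be unsalted hex (the advisory does not say either way)."""
import hashlib

# Constructed dump: what an attacker with offboard read access might copy out.
SAMPLE_DUMP = {
    "admin": hashlib.sha1(b"K2000-Deploy!Site42").hexdigest(),  # SHA-1: SP1 and newer
    "helpdesk": hashlib.md5(b"password1").hexdigest(),          # MD5: 3.3 and older
    "imaging": hashlib.md5(b"password1").hexdigest(),
    "auditor": hashlib.md5(b"Winter2010").hexdigest(),
}

# Tiny stand-in for a real wordlist (millions of entries plus mangling rules).
WORDLIST = ["123456", "password", "password1", "Winter2010", "kace", "letmein"]


def algo_from_hash(digest):
    """A bare hex digest gives away its algorithm by length: 32 = MD5, 40 = SHA-1."""
    return {32: "md5", 40: "sha1"}.get(len(digest))


def crack(dump, wordlist):
    """Hash each candidate once per algorithm, then look every user up in the result.
    Without a salt the cost is O(len(wordlist)) no matter how many users are in the
    dump, and the lookup tables could just as well have been precomputed."""
    tables = {
        algo: {hashlib.new(algo, word.encode()).hexdigest(): word for word in wordlist}
        for algo in ("md5", "sha1")
    }
    found = {}
    for user, digest in dump.items():
        algo = algo_from_hash(digest)
        if algo and digest in tables[algo]:
            found[user] = tables[algo][digest]
    return found


def shared_passwords(dump):
    """Identical digests mean identical passwords, which unsalted storage exposes
    before anything is cracked at all."""
    by_digest = {}
    for user, digest in dump.items():
        by_digest.setdefault(digest, []).append(user)
    return [sorted(users) for users in by_digest.values() if len(users) > 1]


if __name__ == "__main__":
    found = crack(SAMPLE_DUMP, WORDLIST)
    print("recovered:", found)
    print("not recovered:", sorted(set(SAMPLE_DUMP) - set(found)))
    print("shared:", shared_passwords(SAMPLE_DUMP))
```

The three dictionary passwords fall out immediately, the strong admin password does not, and the two accounts sharing "password1" are linked even before cracking starts. That is the whole argument for the two recommendations above: keeping offboard access off denies the attacker the dump, and complex passwords are the only thing protecting an account once the dump is in hand.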
Cross-site Scripting (XSS) Vulnerabilities (CERT VU#193529)
The K2000 engineering team follows internal development practices to minimize the chance that our user interface will have any XSS problems. In addition, we test the K2000 for XSS vulnerabilities using standard network security tools such as OpenVAS and QualysGuard. Occasionally, these tools may miss a vulnerability. If any are discovered, we endeavor to correct them as quickly as possible.
The XSS vulnerabilities reported thus far require authenticated access to the K2000 administrative interface in a role that can reach the affected URLs.
We recommend that our customers use browsers, such as Chrome, and browser plug-ins, such as NoScript, which mitigate XSS vulnerabilities in all websites.
Customers with questions or concerns may contact Dell KACE support.