Listen to this Post
How the mentioned CVE works (around 20 lines):
The vulnerability resides in the SAML-based SSO authentication handler of Quest KACE SMA. When SSO is enabled, the appliance does not properly validate the authenticity of SAML responses. An attacker can forge a SAML assertion by manipulating the `NameID` and `AttributeStatement` fields. The appliance fails to enforce signature verification on the SAML response under specific configuration conditions. By sending a crafted SAML response to the `/sso/acs` endpoint, the attacker can impersonate any user, including the built-in admin account. The attack does not require prior knowledge of valid credentials. The SAML assertion can be generated using tools like `saml2aws` or custom Python scripts. The bypass occurs because the appliance accepts unsigned or self-signed assertions when the metadata endpoint is misconfigured. The vulnerability is exploitable remotely over HTTP/HTTPS. Successful exploitation grants the attacker a valid session cookie without any authentication step. The attacker can then access the web administration panel with the victim’s privileges. In default deployments, the admin account has full system control. The flaw exists in the XML signature validation logic (CWE-303). The appliance also fails to check the `NotBefore` and `NotOnOrAfter` conditions properly. This allows replay attacks using previously captured SAML responses. The issue affects all SSO-enabled instances, regardless of identity provider. No user interaction is required for exploitation. The attack leaves no immediate logs of failed authentication attempts. Versions prior to the fixed releases are vulnerable.
dailycve form:
Platform: Quest KACE SMA
Version: <13.0.385 etc
Vulnerability: SAML auth bypass
Severity: Critical
date: 2024-03-12
Prediction: Patch released 2024-03-12
What Undercode Say:
Check SMA version via API
curl -k https://<sma-ip>/api/system/version
Test for SAML assertion forging (Python)
python3 -c "from saml import forge; forge.assertion('admin', 'https://<sma-ip>/sso/acs')"
Simulate exploit with custom SAML response
curl -X POST https://<sma-ip>/sso/acs -d 'SAMLResponse=<base64-crafted>' -H 'Content-Type: application/x-www-form-urlencoded'
Verify session cookie after exploitation
curl -k -b "session=<cookie>" https://<sma-ip>/admin/dashboard
Exploit:
Send a crafted SAMLResponse to `/sso/acs` with unsigned assertion containing `NameID=admin` and `AttributeStatement` with role=Administrator. The SMA returns a valid session cookie without signature verification. Use that cookie to access all admin APIs and UI.
Protection from this CVE
Upgrade to SMA 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), or 14.1.101 (Patch 4). If SSO is not required, disable SAML authentication. Enforce strict metadata validation and require signed assertions. Deploy WAF rules to block suspicious `/sso/acs` POST requests with unusually long `SAMLResponse` parameters. Monitor logs for unexpected admin session creations.
Impact
Complete administrative takeover of the KACE SMA appliance. Attacker can deploy malicious scripts, exfiltrate inventory data, push rogue patches to managed endpoints, disable security controls, and pivot to internal network. Confidentiality, integrity, and availability are fully compromised.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

