Comments

• According to Console Cowboys, who found the vulnerability, everyone with 5.5 or 5.4 is at risk.
  
  http://console-cowboys.blogspot.com.au/2014/03/the-curious-case-of-ninjamonkeypiratela.html - Jalvey74 10 years ago
• KACE support should be sending an email blast out to all users. This vulnerability is big deal and can give full access to the exploiter. Patch immediately. It did not require a reboot for us. - Jalvey74 10 years ago
• It's listed in bold under support news article in the appliance - ms01ak 10 years ago
  • Thanks for pointing it out. I didnt even see it. But I agree with the OP they should be blasting us with emails that its available.
    And this does not help me either I am on 5.4 - which means I have no choice but to upgrade. I was just worried about all the issues that people have had with 5.5. - bozadmin 10 years ago
    • Supposedly they sent emails to customers on March 11th, but we didn't get one. - tmashos 10 years ago
• Where is that hotfix? I cannot believe its taking them this long to patch this vulnerability and all they are saying is dont put your appliance on the internet. Some of us have no choice we use our heldepsk heavily and our user need to be able to submit tickets. - bozadmin 10 years ago
• The hotfix for 5.4 has been updated in this article: http://www.kace.com/support/resources/kb/solutiondetail?sol=SOL121792
  5.5 and 5.4 hotfixes are listed. - KACE_Mary 10 years ago
• Did the hacker report this with kace ? The " if they weren't working on a patch for this - they are now." statement isn't clear about this ? - KevinF 10 years ago
• From that writeup on console-cowboys, the attackers gain root access to the appliance. IMO, once that happens it's game over and we wipe the box. You just can't trust that box again.
  
  Now if only Kace would tell us what other access one could obtain from having root access on the K1000. - tmashos 10 years ago
• Our K1000 has been compromised. Our agents weren't checking in, but their AMP connections were still active. You can download and install this kbin to see if your K1000 has been compromised:
  
  (The tool previously linked is not authorized for general distribution. Contact KACE support for access)
  
  The attacker installed some kind of Bitcoin miner on our system. After I blocked incoming/outgoing connections in our firewall to their IP address the KBOX agents starting checking in normally again. - jz989 10 years ago
  • Also how does that detect kbin work? What output do you get? - Jbr32 10 years ago
    • It seems to run a general sweep on the system to detect the exploit, then dumps a log file to the smb client share. KACE had me tether our KBOX with support and one of their engineers went through and cleaned things out and made sure our system was patched. - jz989 10 years ago
  • Jz any chance your attack came from the republic of Malta? Our k1000 was turned into a toaster (I mean a bit coin mining machine). We traced the source back to Malta. Just curious. - Jbr32 10 years ago
    • Yeah!
      
      inetnum: 194.1.247.0 - 194.1.247.255
      netname: INTGAMBLING-NET
      descr: Int Gambling Ltd
      country: MT - jz989 10 years ago
    • mostly also a compromised system which was used for distribution. - Nico_K 10 years ago
• Note a roll up hotfix is now available for v5.5 that addresses the security vulnerability and some less serious ones for which public responses/mitigation suggestions had already been previously announced. See http://www.itninja.com/link/k1000-5-5-90548 - bkelly 10 years ago