PT-2023-24248 · Quest · Kace Systems Deployment/Remote Site Appliances

Published: 2023-05-21 · Updated: 2025-01-31 · CVE-2023-33254

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: KACE Systems Deployment and Remote Site appliances version 9.0.146

Description: There is an LDAP bind credentials exposure. The captured credentials may provide a higher privilege level on the Active Directory domain. To exploit this, an authenticated attacker edits the user-authentication settings to specify an attacker-controlled LDAP server, clicks the Test Settings button, and captures the cleartext credentials.

Recommendations: For KACE Systems Deployment and Remote Site appliances version 9.0.146, consider restricting access to the user-authentication settings to prevent attackers from specifying an attacker-controlled LDAP server. As a temporary workaround, avoid using the Test Settings button until a patch is available. Additionally, restrict the use of cleartext credentials in the authentication process to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
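The recommendations above come down to two controls: only approved directory servers may be configured, and the bind must never travel in cleartext. The following is an added example written for this advisory, not code from the advisory or from Quest/KACE, showing how an administrator could check a proposed authentication configuration against those controls before it is saved or tested. The settings dictionary, its key names (server_url, bind_dn, starttls, verify_tls_cert), the approved-host list and the sample values are all assumptions; the appliance's real configuration format is not described in the advisory.

```python
"""Policy check for LDAP authentication settings (added example, assumed format).

Flags the two conditions the advisory is about: a directory server that is
not on the organisation's approved list, and a bind that would send
credentials in cleartext. Also reports which sensitive fields a proposed
change touches, so a change to the server address can be routed for review
instead of being tested immediately.
"""
from urllib.parse import urlparse

# Assumption: the approved directory servers for this site, by hostname.
APPROVED_LDAP_HOSTS = {"dc01.corp.example", "dc02.corp.example"}

# Fields whose change should require a second pair of eyes (assumed names).
SENSITIVE_FIELDS = ("server_url", "bind_dn", "starttls", "verify_tls_cert")


def check_ldap_settings(settings, approved_hosts=APPROVED_LDAP_HOSTS):
    """Return a list of human-readable findings; an empty list means the
    settings satisfy the policy."""
    findings = []
    url = urlparse(settings.get("server_url", ""))
    host = (url.hostname or "").lower()

    # Control 1: the bind target must be a known directory server.
    if host not in {h.lower() for h in approved_hosts}:
        findings.append(
            f"server '{host or '<none>'}' is not an approved directory server"
        )

    # Control 2: the simple bind must be protected by TLS (ldaps:// or StartTLS).
    encrypted = url.scheme.lower() == "ldaps" or bool(settings.get("starttls", False))
    if not encrypted:
        findings.append(
            "bind credentials would be sent in cleartext (ldap:// without StartTLS)"
        )

    # TLS without certificate verification still lets an impostor read the bind.
    if encrypted and settings.get("verify_tls_cert", True) is False:
        findings.append(
            "TLS certificate verification is disabled; an unverified server could "
            "still receive the bind credentials"
        )
    return findings


def changed_sensitive_fields(baseline, proposed, sensitive=SENSITIVE_FIELDS):
    """Return the sorted names of sensitive fields that differ between the
    stored configuration and a proposed one."""
    return sorted(k for k in sensitive if baseline.get(k) != proposed.get(k))


# Constructed sample data: the stored configuration and a proposed edit that
# points the appliance at an unapproved plain-LDAP server.
BASELINE = {
    "server_url": "ldaps://dc01.corp.example:636",
    "bind_dn": "CN=svc-ldap-bind,OU=Service Accounts,DC=corp,DC=example",
    "starttls": False,
    "verify_tls_cert": True,
}
PROPOSED = dict(BASELINE, server_url="ldap://198.51.100.7:389")

if __name__ == "__main__":
    for name, cfg in (("baseline", BASELINE), ("proposed", PROPOSED)):
        problems = check_ldap_settings(cfg)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
    print("fields needing review:", changed_sensitive_fields(BASELINE, PROPOSED))
```

In practice the check would run in whatever change-control step sits in front of the settings page, and any non-empty result for server_url changes would block the Test Settings action rather than just log it.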

Exploit

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2023-33254

Affected Products: Kace Systems Deployment/Remote Site Appliances