[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Unauthenticated Arbitrary Directory Dump in BMC BladeLogic Server Automation
- To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: Unauthenticated Arbitrary Directory Dump in BMC BladeLogic Server Automation
- From: ZeroDay <zeroday@xxxxxxxxxxxxxxx>
- Date: Sun, 4 Sep 2016 23:49:37 +0000
Title: Unauthenticated Arbitrary Directory
Dump in BMC BladeLogic Server Automation
Affected Software: BMC BladeLogic Server Automation for Linux <= 8.7
CVSSv2 Base Score: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Reference: CVE-2016-4322
Author: François Goichon of Context Information
Security
1. Product Information
===========================
BMC BladeLogic Server Automation (BSA) is an enterprise management solution,
which allows its customers to quickly and securely provision, configure, patch,
and maintain physical, virtual, and cloud servers.
It is available for Linux and Windows and runs as a privileged network daemon
on the supervised servers.
For more information, please refer to
http://www.bmcsoftware.com.au/it-solutions/bladelogic-server-automation.html
2. Vulnerability Summary
===========================
A logic flaw in the authentication process of BSA's network daemon (rscd) could
allow a remote attacker to execute several commands without providing a valid
client certificate or valid credentials.
Amongst the affected commands, the REMOTE_COPY_DIRECTORY feature performs a
recursive dump of an arbitrary directory, with the daemon's privileges (root).
This could allow an attacker to retrieve any file from the remote system, e.g.
/etc/shadow.
3. Remediation Steps
===========================
It is recommended to upgrade your BSA <= 8.7 for Linux installation by
performing one of the following:
- Apply BSA 8.7 Patch 3
- Upgrade to BSA >= 8.8
These downloads are available on BMC's Electronic Product Distribution website
at http://www.bmc.com/available/epd.html
4. Disclosure Timeline
===========================
02/04/2016: Vendor notified
05/04/2016: Vulnerability confirmed
06/05/2016: Fix available for BSA 8.7
14/06/2016: BSA 8.8, containing a fix for CVE-2016-4322, is released
05/09/2016: Coordinated public disclosure
Security Research - Context Information Security
[Context Logo email]<http://www.contextis.com/>
www.contextis.com<http://www.contextis.com/> [Twitter-logo-bw-24x24]
<https://twitter.com/CTXIS> [LinkedIn-logo-bw-24x24]
<http://www.linkedin.com/company/context-information-security?trk=biz-companies-cym>
ABN: 73 148 201 727 | Certified to ISO/IEC 27001:2013 (BSI Certificate IS
553326) and ISO 9001:2008 (BSI Certificate FS 581360)
________________________________
The information contained in this email and any attachments may be legally
privileged and confidential. If you are not the intended recipient you are
notified that disclosing, copying, distributing or taking any action in
reliance on the contents of this information is strictly prohibited. If you are
not the intended recipient please contact us immediately. Any views or opinions
presented in this email are solely those of the author and do not necessarily
represent those of the company.
________________________________
<html><head><meta charset="windows-1252"></head><body><pre style="word-wrap:
break-word; white-space: pre-wrap;">Title: Unauthenticated
Arbitrary Directory Dump in BMC BladeLogic Server Automation
Affected Software: BMC BladeLogic Server Automation for Linux <= 8.7
CVSSv2 Base Score: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Reference: CVE-2016-4322
Author: François Goichon of Context Information Security
1. Product Information
===========================
BMC BladeLogic Server Automation (BSA) is an enterprise management solution,
which allows its customers to quickly and securely provision, configure, patch,
and maintain physical, virtual, and cloud servers.
It is available for Linux and Windows and runs as a privileged network daemon
on the supervised servers.
For more information, please refer to
http://www.bmcsoftware.com.au/it-solutions/bladelogic-server-automation.html
2. Vulnerability Summary
===========================
A logic flaw in the authentication process of BSA's network daemon (rscd) could
allow a remote attacker to execute several commands without providing a valid
client certificate or valid credentials.
Amongst the affected commands, the REMOTE_COPY_DIRECTORY feature performs a
recursive dump of an arbitrary directory, with the daemon's privileges (root).
This could allow an attacker to retrieve any file from the remote system, e.g.
/etc/shadow.
3. Remediation Steps
===========================
It is recommended to upgrade your BSA <= 8.7 for Linux installation by
performing one of the following:
- Apply BSA 8.7 Patch 3
- Upgrade to BSA >= 8.8
These downloads are available on BMC's Electronic Product Distribution website
at http://www.bmc.com/available/epd.html
4. Disclosure Timeline
===========================
02/04/2016: Vendor notified
05/04/2016: Vulnerability confirmed
06/05/2016: Fix available for BSA 8.7
14/06/2016: BSA 8.8, containing a fix for CVE-2016-4322, is released
05/09/2016: Coordinated public disclosure
</pre></body></html>