Notification of critical security issue in BMC Server Automation, CVE-2016-1542, CVE-2016-1543
BMC Software is alerting users to a security problem in the RSCD agent on UNIX® and Linux platforms for all versions of BMC Server Automation, up to and including version 8.6 SP1 Patch 1, and 8.7 Patch 2, as well as in any BMC solution that includes this technology. The issue is fixed in version 8.6 SP1 Patch 2, 8.7 Patch 3, and in version 8.8.
Assigned CVE-IDs: CVE-2016-1542, CVE-2016-1543
This security problem and a description of its exploitation will be disclosed publicly by a third-party security research firm (ERNW GmbH) in a "Lightning Talk" at the Troopers conference in Germany on March 16th, 2016. We strongly urge you to follow the instructions in this notification as early as possible.
There is a patch available to prevent the problem from occurring in all BMC-supported versions of the RSCD agent on UNIX and Linux platforms (8.2.x, 8.3.x, 8.5.x, 8.6 - 8.6 SP1 Patch 1, and 8.7 - 8.7 P2); see Solution.
If you use an unsupported version of the RSCD agent, you should upgrade to a supported version and apply the patch as soon as possible to avoid exposure to this security vulnerability. In the meantime, there are steps you can take to minimize your exposure prior to applying the patch (see Minimizing exposure to the problem).
If you have any questions about the problem, contact BMC Software Customer Support at 800 537 1813 (United States or Canada) or call your local support center.
A security authentication vulnerability involving unauthorized host access has been identified. This vulnerability allows remote unauthorized access to the UNIX target server by using the Remote Procedure Call (RPC) API of the RSCD Agent. Due to the severity of this vulnerability, BMC strongly recommends that customers apply the updates provided by this flash as soon as possible.
The issue is fixed in BMC Server Automation 8.6 SP1 Patch 2 and in version 8.7 P3, and also in version 8.8.
In this specific case, agents upgraded to version 8.7 Patch 3 are qualified to work with a version 8.7 Patch 2 Application Server.
Minimizing exposure to the problem
To minimize your exposure prior to applying the patch, BMC recommends the following:
- Configure the host-based firewall on systems running the RSCD agent to only accept communication from the BMC Server Automation infrastructure (Application Server, Repeater, SOCKS Proxy)
- Route any NSH client connections through a NSH Proxy (which runs on the application server)
- Configure any SOCKs proxies in the environment to only accept connections from the BMC Server Automation Application Server(s).
Configuring the RSCD exports file to allow connections from specific hosts will not mitigate the threat.
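The host-based firewall recommendation above is the only interim control that actually holds, since the exports file does not. The following added example (not BMC's code or part of this notification) generates iptables rules that admit the RSCD agent port only from the BMC Server Automation infrastructure hosts, and goes one step beyond the text by auditing an existing `iptables -S INPUT` listing to confirm that no other source is accepted. It assumes the agent listens on TCP 4750 (the usual RSCD default; override `RSCD_PORT` otherwise), and the host addresses and rule listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not BMC's code): generate and audit a host-based firewall
# policy that admits the RSCD agent listener only from BMC Server Automation
# infrastructure hosts (Application Server, Repeater, SOCKS Proxy).
# Assumption: the agent listens on TCP 4750, the usual RSCD default; override
# RSCD_PORT if your site uses another port.
RSCD_PORT="${RSCD_PORT:-4750}"

# rscd_allow_rules "HOST ..."  -> prints iptables commands: one ACCEPT per
# infrastructure host, then a catch-all DROP for the agent port.
rscd_allow_rules() {
    for src in $1; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$RSCD_PORT" "$src"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$RSCD_PORT"
}

# rscd_audit "RULES" "HOST ..."  -> exit 0 when every ACCEPT for the agent port
# carries a source from the allowed list and a DROP/REJECT for the port exists;
# exit 1 otherwise. RULES is the text output of `iptables -S INPUT`.
rscd_audit() {
    printf '%s\n' "$1" | awk -v port="$RSCD_PORT" -v allowed="$2" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
            bad = 0; drop = 0
        }
        {
            # Tokenise each rule; option order in iptables -S output varies.
            dport = ""; src = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-s") { src = $(i + 1); sub(/\/32$/, "", src) }
                if ($i == "-j") target = $(i + 1)
            }
            if (dport != port) next
            if (target == "ACCEPT") {
                # An ACCEPT with no source, or an unlisted source, is a gap.
                if (src == "" || !(src in ok)) bad++
            } else if (target == "DROP" || target == "REJECT") {
                drop = 1
            }
        }
        END { if (bad == 0 && drop == 1) exit 0; exit 1 }'
}

# Constructed sample rule sets in `iptables -S INPUT` format.
SAMPLE_RESTRICTED='-P INPUT ACCEPT
-A INPUT -s 10.0.0.10/32 -p tcp -m tcp --dport 4750 -j ACCEPT
-A INPUT -s 10.0.0.11/32 -p tcp -m tcp --dport 4750 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4750 -j DROP'

SAMPLE_OPEN='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 4750 -j ACCEPT'

# Constructed infrastructure host list. On a real agent host, run
#   rscd_audit "$(iptables -S INPUT)" "$BSA_HOSTS"
# and apply the generated policy with  rscd_allow_rules "$BSA_HOSTS" | sh
BSA_HOSTS="10.0.0.10 10.0.0.11"
rscd_allow_rules "$BSA_HOSTS"
rscd_audit "$SAMPLE_RESTRICTED" "$BSA_HOSTS" && echo "restricted: agent port limited to BSA hosts"
rscd_audit "$SAMPLE_OPEN" "$BSA_HOSTS" || echo "open: agent port reachable from any host"
```

The audit deliberately fails on an ACCEPT rule that lacks a `-s` match, because that is exactly the configuration the exports file would otherwise be relied on to constrain. Run it from the Application Server against each agent's listing (for example over the existing management channel) to find hosts where the interim control was never applied, and keep the generated DROP rule last so later ACCEPT additions do not silently reopen the port.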
The fix for the issue is accomplished using a BMC Server Automation Compliance Template.
You need to apply the fix to all existing affected agents, as well as any new agents of impacted versions you deploy in the future.
Or, you can upgrade the agents to version 8.6 SP1 Patch 2, 8.7 Patch 3, or version 8.8, all of which contain the fix.
You can download the zip file containing the Compliance Template by following the instructions in Knowledge Article 000102932.
Note that an updated version of the original Component Template was uploaded on 11/21/2016. The updated version has V6 at the end of the file name (for example, BMCHotFixForCVE-2016-1542_CVE-2016-1543-V6.zip). Version 6 is the latest version of the fix.
See the following items to review the updates that have been added to the fix since the initial release.
V2 contains the following fixes/enhancements over the original version:
- Checksums are now gathered via an Extended Object to avoid the checksum-gathering issues of BMC Server Automation version 8.5.1 (pre Patch 5).
- Added UNDO functionality to all BLPackages so that the changes can be rolled back.
- Updated the agent restart logic to help avoid restart issues on some platforms, including HP-UX and Solaris.
V3 contains the following additional fixes/enhancements:
- Determines whether 'at' is available and, if so, uses it to start the file switch and restart with a time of now + 1 minute; otherwise, uses a 'su -' command with a sleep setting of 60 seconds.
- Perform the copy of the files while the agent is down.
- Directly kill the RSCD processes using logic from the version 8.5+ init script, instead of trying to call the existing init. This update was added to handle older agents that have a symlink in their install path.
V4 contains the following additional fixes/enhancements:
- Corrected the check for "at".
- Fix for the AIX issue (QM001882081) with the original fix libraries.
- Exclude version 8.7 Patch 3 and 8.8 agents (which have the fix out of the box).
- Fix issues with run_cve_fix.sh not working on AIX (quoted paths).
V5 contains the following additional fixes/enhancements:
- Excludes 8.6.01 Patch 2 from the checks as this version has the fix.
V6 contains the following additional fixes/enhancements:
- Corrected issue with the "at" check made in V4.
Frequently asked questions
This issue is specific only to the RSCD Agent on Unix and Linux platforms. Windows RSCD Agents are not affected.
This issue applies to all RSCD Agent versions, up to and including version 8.6 SP1 Patch 1 and 8.7 Patch 2.
The issue is fixed in BMC Server Automation version 8.6 SP1 Patch 2, 8.7 Patch 3, and also in version 8.8.
All supported versions (versions 8.2 to 8.6 SP1 Patch 1, and 8.7 - 8.7 P2) are remediated by the fix.
The single zip file handles all agent versions from 8.2 through 8.7 P2. One set of files handles agent versions 8.2.00 through 8.5.0; the other set of files handles 8.5.01 agents and above. The correct fix is automatically placed on the agent during remediation.
BMC would like to thank the researchers at ERNW GmbH for disclosing this vulnerability.
Where to go for additional information
Check the BMC Application Security community page for the latest information about this vulnerability.
If you have any questions about the issue, contact BMC Customer Support at 800 537 1813 (United States or Canada) or call your local support center.
Important notice and solution regarding a security vulnerability in BMC BladeLogic Server Automation (Japanese version)
A Japanese version of this notification is available for download.