Notification of Windows RSCD Agent vulnerability in BMC Server Automation, CVE-2016-5063
BMC Software is alerting users to a security problem in the RSCD agent on Microsoft Windows platforms for all versions of BMC Server Automation, up to and including version 8.7 Patch 2, as well as in any BMC solution that includes this technology.
The issue is fixed in version 8.7 Patch 3 and in version 8.8.
This topic includes the following sections:
Assigned CVE-ID: CVE-2016-5063
A security authentication vulnerability involving a Windows RSCD Agent authorization bypass flaw has been identified.
The issue exists when the exports file allows a remote system to connect to the Windows RSCD agent, and the users file does not properly enforce access restriction. A Remote Procedure Call (RPC) can be executed in this case when it should be denied by the users file access restriction.
A typical example would be an exports file that provides * rw access to a server, and a users file with the nouser option specified. In this example:
- The exports file allows the remote host to connect to the agent
- The users file would deny access to the server if it did not contain a match in users or users.local
- Then, the nouser entry in users would block further access from the remote host.
This issue does not exist on Unix RSCD agents.
BMC strongly recommends that customers take corrective action as soon as possible, either by following the workaround or by upgrading to version 8.7 P3 or version 8.8.
The issue is fixed in BMC Server Automation version 8.7 P3, and also in version 8.8.
In this specific case, the agents upgraded to version 8.7 Patch 3 are qualified to work with the version 8.7 Patch 2 Application Server.
The exports file should be altered to only accept connections from authorized systems - such as the BladeLogic Server Automation Appliation Servers, Repeaters, and SOCKS Proxies.
Update the RSCD Agent on the affected systems to 8.7 P3 or 8.8 (whichever version is qualified to work with your Application Server).
Frequently Asked Questions
No, this only applies to Windows RSCD agents.
Any Windows RSCD agents before 8.7.00 Patch3 or 8.8.00
Where to go for additional information
If you have any questions about the issue, contact BMC Customer Support at 800 5371813 (United States or Canada) or call your local support center.