Notification of Windows RSCD Agent vulnerability in BMC Server Automation, CVE-2016-5063

BMC Software is alerting users to a security problem in the RSCD agent on Microsoft Windows platforms for all versions of BMC Server Automation, up to and including version 8.7 Patch 2, as well as in any BMC solution that includes this technology.

The issue is fixed in version 8.7 Patch 3 and in version 8.8.

Problem

Assigned CVE-ID: CVE-2016-5063

An authentication vulnerability has been identified in the Windows RSCD Agent that allows an authorization bypass.

The issue occurs when the exports file allows a remote system to connect to the Windows RSCD agent but the access restriction defined in the users file is not properly enforced. In this case a Remote Procedure Call (RPC) that the users file restriction should deny can still be executed.

A typical example would be an exports file that grants * rw access to a server, and a users file with the nouser option specified. In this example:

  • The exports file allows the remote host to connect to the agent
  • The users file is expected to deny access to the server when the remote user has no match in users or users.local
  • The nouser entry in users should then block any further access from the remote host; on affected Windows agents this restriction is not enforced

This issue does not exist on Unix RSCD agents.

BMC strongly recommends that customers take corrective action as soon as possible, either by following the workaround or by upgrading to version 8.7 P3 or version 8.8.

Note

The issue is fixed in BMC Server Automation version 8.7 P3, and also in version 8.8.

In this specific case, the agents upgraded to version 8.7 Patch 3 are qualified to work with the version 8.7 Patch 2 Application Server.

Mitigation

The exports file should be altered to accept connections only from authorized systems, such as the BladeLogic Server Automation Application Servers, Repeaters, and SOCKS Proxies.
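As an added example (not BMC's code or part of any RSCD tooling), the following Python audit parses an exports file and reports every entry that admits a system outside an allow-list of Application Servers, Repeaters and SOCKS proxies, so the weak configuration described above can be found across a fleet. Beyond the advisory's own "* rw" example, the exports file syntax, the host names and the sample file contents are assumptions.

```python
"""Audit an RSCD agent exports file for the overly broad host grant that
CVE-2016-5063 turns into an authorization bypass on Windows agents.

Assumed (not taken from the advisory): each non-comment line of the
exports file is "<host> <options>", "*" matches every remote host and the
options list contains "rw" for read/write, as in the advisory's "* rw".
All host names and file contents below are constructed samples.
"""

# Constructed allow-list: the BSA Application Servers, Repeaters and SOCKS
# proxies that legitimately need to reach this agent.
AUTHORIZED_HOSTS = frozenset({
    "appserver01.example.internal",
    "repeater01.example.internal",
    "10.0.5.20",
})

# Constructed sample: the exports file shape the advisory warns about.
WEAK_EXPORTS = "# every host, read/write\n*    rw\n"

# Constructed sample: only the automation infrastructure may connect.
HARDENED_EXPORTS = (
    "appserver01.example.internal   rw\n"
    "repeater01.example.internal    rw\n"
    "10.0.5.20                      rw\n"
)


def parse_exports(text):
    """Return (host, options) pairs, skipping blank and comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        options = fields[1].strip() if len(fields) > 1 else ""
        entries.append((fields[0], options))
    return entries


def audit_exports(text, authorized=AUTHORIZED_HOSTS):
    """List entries admitting hosts outside the authorized set.

    The users file's nouser entry does not stop the RPC on affected Windows
    agents, so the exports file must be the control that excludes
    unauthorized systems; any wildcard host is therefore a finding.
    """
    findings = []
    for host, options in parse_exports(text):
        if "*" in host:
            findings.append(f"wildcard host '{host}' grants '{options}' to any remote system")
        elif host not in authorized:
            findings.append(f"host '{host}' is not an authorized Application Server, Repeater or SOCKS proxy")
    return findings


if __name__ == "__main__":
    for name, content in (("weak", WEAK_EXPORTS), ("hardened", HARDENED_EXPORTS)):
        issues = audit_exports(content)
        print(f"{name}: {'OK' if not issues else issues}")
```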

Solution

Update the RSCD Agent on the affected systems to 8.7 P3 or 8.8 (whichever version is qualified to work with your Application Server).

Frequently Asked Questions

Does this apply to UNIX RSCD Agents?

No, this only applies to Windows RSCD agents.

What Agent versions does this apply to?

Any Windows RSCD agents before 8.7.00 Patch 3 or 8.8.00

Where to go for additional information

If you have any questions about the issue, contact BMC Customer Support at 800 5371813 (United States or Canada) or call your local support center.
