Notification of critical security issue in BMC Server Automation, CVE-2016-1542, CVE-2016-1543

BMC Software is alerting users to a security problem in the RSCD agent on UNIX® and Linux platforms for all versions of BMC Server Automation, up to and including version 8.6 SP1 Patch 1, and 8.7 Patch 2, as well as in any BMC solution that includes this technology. The issue is fixed in version 8.6 SP1 Patch 2, 8.7 Patch 3, and in version 8.8.

The following video demonstrates how to apply the component template-based hotfix for this issue:

  https://www.youtube.com/watch?v=CB7I34T6pg4&feature=youtu.be

Overview

Assigned CVE-IDs: CVE-2016-1542, CVE-2016-1543

Alert

This security problem and a description of its exploitation will be disclosed publicly by a third party security research firm (ERNW GmbH) in a “Lightning Talk” at the Troopers conference in Germany on March 16th, 2016. We strongly urge you to follow the instructions in this notification as early as possible.


A patch is available to prevent the problem in all BMC-supported versions of the RSCD agent on UNIX and Linux platforms (8.2.x, 8.3.x, 8.5.x, 8.6 through 8.6 SP1 Patch 1, and 8.7 through 8.7 P2); see Solution.

If you use an unsupported version of the RSCD agent, you should upgrade to a supported version and apply the patch as soon as possible to avoid exposure to this security vulnerability. In the meantime, there are steps you can take to minimize your exposure prior to applying the patch (see Minimizing exposure to the problem).

If you have any questions about the problem, contact BMC Software Customer Support at 800 537 1813 (United States or Canada) or call your local support center.

Problem

A security authentication vulnerability involving unauthorized host access has been identified. This vulnerability allows remote unauthorized access to the UNIX target server by using the Remote Procedure Call (RPC) API of the RSCD Agent. Due to the severity of this vulnerability, BMC strongly recommends that customers apply the updates provided by this flash as soon as possible.

Note

The issue is fixed in BMC Server Automation 8.6 SP1 Patch 2 and in version 8.7 P3, and also in version 8.8.

In this specific case, agents upgraded to version 8.7 Patch 3 are qualified to work with the version 8.7 Patch 2 Application Server.

Minimizing exposure to the problem

To minimize your exposure prior to applying the patch, BMC recommends the following:

  • Configure the host-based firewall on systems running the RSCD agent to accept communication only from the BMC Server Automation infrastructure (Application Server, Repeater, SOCKS Proxy).
  • Route any NSH client connections through an NSH Proxy (which runs on the Application Server).
  • Configure any SOCKS proxies in the environment to accept connections only from the BMC Server Automation Application Server(s).

Note

Configuring the RSCD exports file to allow connections from specific hosts will not mitigate the threat.
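As an added illustration of the first mitigation above (not part of BMC's notification or hotfix), the shell functions below generate a host-based iptables ruleset that admits the RSCD agent port only from an allowlist of BMC Server Automation infrastructure addresses and drops everything else. The addresses are constructed placeholders, and TCP port 4750 is assumed to be the agent's default listening port; substitute the port configured on your agents.

```shell
#!/bin/sh
# Constructed allowlist (placeholder addresses): Application Servers, Repeaters and
# SOCKS proxies. NSH Proxy runs on the Application Server, so its address is already covered.
BSA_INFRA="192.0.2.10 192.0.2.11 198.51.100.5"
RSCD_PORT=4750   # assumed default RSCD agent TCP port; verify against your agent configuration

# Emit iptables commands: one ACCEPT per infrastructure host, then a catch-all DROP for
# the RSCD port. Rule order matters, so the DROP is always emitted last.
rscd_firewall_rules() {
  port=$1
  shift
  for src in "$@"; do
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$src"
  done
  printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Pure-shell mirror of the policy: returns 0 if the source address is on the allowlist,
# 1 otherwise. Useful for checking a candidate client before touching the live ruleset.
rscd_source_allowed() {
  candidate=$1
  shift
  for src in "$@"; do
    [ "$candidate" = "$src" ] && return 0
  done
  return 1
}

# Print the ruleset for review; pipe into sh as root once it has been checked.
rscd_firewall_rules "$RSCD_PORT" $BSA_INFRA
```

These rules must precede any broader ACCEPT rule for the INPUT chain, and an equivalent allowlist belongs on the SOCKS proxy side as the third mitigation describes.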

Solution

The fix for the issue is accomplished using a BMC Server Automation Compliance Template.

Note

You need to apply the fix to all existing affected agents, as well as any new agents of impacted versions you deploy in the future.

Or, you can upgrade the agents to version 8.6 SP1 Patch 2, 8.7 Patch 3, or version 8.8, all of which contain the fix.

You can download the zip file containing the Compliance Template by following the instructions in Knowledge Article 000102932.

Note that an updated version of the original Component Template was uploaded on 11/21/2016. The updated version has V6 at the end of the file name (for example, BMCHotFixForCVE-2016-1542_CVE-2016-1543-V6.zip). Version 6 is the latest version of the fix.

See the following items to review the updates that have been added to the fix since the initial release.

V2 contains the following fixes/enhancements over the original version:

  • Checksums are now gathered via Extended Object to avoid BMC Server version 8.5.1 (pre patch 5) issues gathering the checksum.
  • Added UNDO functionality to all BLPackages so that the changes can be rolled back.
  • Updated the Agent Restart logic to help avoid restart issues on some platforms including HP-UX and Solaris.

V3 contains the following additional fixes/enhancements:

  • Determine whether 'at' is available and, if so, use it to start the file switch with a restart time of now + 1 minute; if not, use an 'su -' command with a sleep setting of 60 seconds.
  • Perform the copy of the files while the agent is down.
  • Directly kill the RSCD processes using logic from the version 8.5+ init script, instead of trying to call the existing init. This update was added to handle older agents that have a symlink in their install path.

V4 contains the following additional fixes/enhancements:

  • Corrected issue checking "at".
  • Fix for AIX issue (QM001882081) w/ original fix libraries.
  • Exclude version 8.7 Patch 3 and 8.8 agents (which have the fix out of the box).
  • Fix issues with run_cve_fix.sh not working on AIX (quoted paths).

V5 contains the following additional fixes/enhancements:

  • Excludes 8.6.01 Patch 2 from the checks as this version has the fix.

V6 contains the following additional fixes/enhancements:

  • Corrected issue with the "at" check made in V4.

Frequently asked questions

  If I use authentication by certificates (x509) between the Application Server and the Agent, am I protected from this issue?

No. You must apply the fix even if you have implemented client-side certificates between the Application Server and the Agent.

  If I have configured the RSCD exports file to only allow connections from specific hosts, am I protected from this issue?

No. You must apply the fix even if you have configured the RSCD exports file.

  Is this security issue specific to the RSCD agent, or is there an underlying Linux/Unix issue?

This issue is specific to the RSCD Agent on UNIX and Linux platforms. Windows RSCD Agents are not affected.

  Which versions of the BMC Server Automation RSCD Agent are affected?

This issue applies to all RSCD Agent versions, up to and including version 8.6 SP1 Patch 1 and 8.7 Patch 2.

The issue is fixed in BMC Server Automation version 8.6 SP1 Patch 2, 8.7 Patch 3, and also in version 8.8.

  Which RSCD Agent versions are remediated by the provided hotfix?

All supported versions (8.2 through 8.6 SP1 Patch 1, and 8.7 through 8.7 P2) are remediated by the fix.

  Why do the objects in the remediation package explicitly mention only versions 8.2.0.3 and 8.5.0.1? Do I need a separate zip file for 8.3, 8.6 and 8.7?

The single zip file handles all agent versions from 8.2 through 8.7 P2. One set of files handles agent versions 8.2.00 through 8.5.0; the other set of files handles 8.5.01 agents and above. The correct fix is automatically placed on the agent during remediation.

Credit

BMC would like to thank the researchers at ERNW GmbH for disclosing this vulnerability.

Where to go for additional information

Check the BMC Application Security community page for the latest information about this vulnerability.

If you have any questions about the issue, contact BMC Customer Support at 800 537 1813 (United States or Canada) or call your local support center.

Important notice and solution guidance regarding a security vulnerability in BMC BladeLogic Server Automation (Japanese version)

A Japanese version of this notification is available for download.
