Notification of Windows RSCD Agent vulnerability in BMC Server Automation CVE-2016-5063

BMC Software is alerting users to a security problem in the RSCD agent on Microsoft Windows platforms for all versions of BMC Server Automation, up to and including version 8.6 SP1 Patch 1 and 8.7 Patch 2, as well as in any BMC solution that includes this technology.

The issue is fixed in version 8.6 SP1 Patch 2, 8.7 Patch 3, and in version 8.8 and later.

Problem

Assigned CVE-ID: CVE-2016-5063

An authorization bypass vulnerability has been identified in the Windows RSCD Agent.

The issue arises when the exports file allows a remote system to connect to the Windows RSCD agent but the users file does not properly enforce the access restriction for that system. In this situation a Remote Procedure Call (RPC) from the remote system can be executed even though the users file entry should have denied it.

A typical example is an exports file that grants * rw access (any remote host may connect to the agent) together with a users file that specifies the nouser option for that host. The intended behavior of this configuration is:

  • The exports file allows the remote host to connect to the agent.
  • The users file denies the remote host access if there is no matching entry for it in users or users.local.
  • The nouser entry in users then blocks any further access from the remote host.

On a vulnerable Windows agent, the RPC is executed despite the nouser entry.

This issue does not exist on UNIX RSCD agents.

BMC strongly recommends that customers take corrective action as soon as possible, either by following the workaround (see Mitigation) or by upgrading to version 8.6 SP1 Patch 2, 8.7 Patch 3, or version 8.8.

Note

The issue is fixed in BMC Server Automation version 8.6 SP1 Patch 2, 8.7 Patch 3, and also in version 8.8.

In this specific case, agents upgraded to the following versions are qualified to work with an Application Server at the previous patch level:

  • Version 8.6 SP1 Patch 2 are qualified to work with the version 8.6 SP1 Patch 1 Application Server.
  • Version 8.7 Patch 3 are qualified to work with the version 8.7 Patch 2 Application Server.

Mitigation

Alter the exports file so that the agent accepts connections only from authorized systems, such as the BladeLogic Server Automation Application Servers, Repeaters, and SOCKS Proxies. A wildcard (*) host entry is what lets an arbitrary remote system reach the agent in the first place.
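As an added illustration (this script is not part of the BMC advisory or of the product), the following PowerShell audits a Windows RSCD agent's exports file for wildcard host entries, which are the precondition for this issue, and proposes a restricted version that admits only the listed infrastructure hosts. The file location ($env:windir\rsc\exports), the exports line layout (host pattern followed by options such as rw), and the host names in $AllowedHosts are assumptions for the example; substitute your own values and review the proposed file before writing it.

```powershell
# Added example, not BMC code: audit the Windows RSCD exports file for wildcard
# host entries and produce a version restricted to authorized BSA infrastructure.
param(
    # Assumed default location of the Windows RSCD exports file.
    [string]$ExportsPath = (Join-Path $env:windir 'rsc\exports'),
    # Constructed list of hosts that may connect to the agent (Application
    # Servers, Repeaters, SOCKS proxies). Replace with your own.
    [string[]]$AllowedHosts = @('appserver01.example.com',
                                'repeater01.example.com',
                                'socksproxy01.example.com'),
    # Only write the restricted file when explicitly asked to.
    [switch]$WriteHardened
)

function Get-RscdExportsEntry {
    # Parse "host options" lines; skip blanks and '#' comments.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $trimmed = $line.Trim()
        if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { continue }
        $parts = $trimmed -split '\s+', 2
        [pscustomobject]@{
            Host    = $parts[0]
            Options = if ($parts.Count -gt 1) { $parts[1] } else { '' }
            Raw     = $line
        }
    }
}

$lines   = Get-Content -Path $ExportsPath -ErrorAction Stop
$entries = @(Get-RscdExportsEntry -Lines $lines)

# A '*' (or any wildcard) host lets every remote system connect to the agent,
# leaving the users file as the only barrier to RPC execution.
$open = @($entries | Where-Object { $_.Host -match '[\*\?]' })

if ($open.Count -gt 0) {
    Write-Warning "$ExportsPath grants agent access to unrestricted hosts:"
    $open | ForEach-Object { Write-Warning "  $($_.Raw)" }
} else {
    Write-Host "No wildcard host entries in $ExportsPath"
}

# Restricted content: one line per authorized host, reusing the options of the
# wildcard entry (for example 'rw') so behaviour for allowed hosts is unchanged,
# followed by any existing host-specific entries.
$options  = if ($open.Count -gt 0) { $open[0].Options } else { 'rw' }
$hardened = @('# Restricted exports: only BSA infrastructure may connect') +
            @($AllowedHosts | ForEach-Object { "$_ $options" }) +
            @($entries | Where-Object { $_.Host -notmatch '[\*\?]' } |
                         ForEach-Object { $_.Raw })

if ($WriteHardened) {
    Copy-Item -Path $ExportsPath -Destination "$ExportsPath.bak" -Force
    Set-Content -Path $ExportsPath -Value $hardened -Encoding ASCII
    Write-Host "Wrote restricted exports to $ExportsPath (backup: $ExportsPath.bak)"
} else {
    Write-Host "`nProposed restricted exports (run with -WriteHardened to apply):"
    $hardened | ForEach-Object { Write-Host "  $_" }
}
```

Run it without switches first to see which entries are flagged and what the restricted file would contain; the script keeps a .bak copy of the original when -WriteHardened is used. Restricting exports is a mitigation only; the users file still has to be correct, and the agent should be upgraded as described under Solution.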

Solution

Update the RSCD Agent on the affected systems to 8.6 SP1 Patch 2, 8.7 Patch 3, or 8.8 (whichever version is qualified to work with your Application Server).

Frequently Asked Questions

Does this apply to UNIX RSCD Agents?

No, this only applies to Windows RSCD agents.

What Agent versions does this apply to?

Any Windows RSCD agent earlier than 8.6 SP1 Patch 2, 8.7.00 Patch 3, or 8.8.00.

Where to go for additional information

If you have any questions about the issue, contact BMC Customer Support at 800 5371813 (United States or Canada) or call your local support center.
