Notification of Windows RSCD Agent vulnerability in BMC Server Automation CVE-2016-5063
BMC Software is alerting users to a security problem in the RSCD agent on Microsoft Windows platforms for all versions of BMC Server Automation, up to and including version 8.6 SP1 Patch 1 and 8.7 Patch 2, as well as in any BMC solution that includes this technology.
The issue is fixed in version 8.6 SP1 Patch 2, 8.7 Patch 3, and in version 8.8 and later.
Assigned CVE-ID: CVE-2016-5063
A security authentication vulnerability involving a Windows RSCD Agent authorization bypass flaw has been identified.
The issue exists when the exports file allows a remote system to connect to the Windows RSCD agent, and the users file does not properly enforce access restriction. A Remote Procedure Call (RPC) can be executed in this case when it should be denied by the users file access restriction.
A typical example would be an exports file that provides * rw access to a server, and a users file with the nouser option specified. In this example:
- The exports file allows the remote host to connect to the agent
- The users file would deny access to the server when the remote user has no matching entry in users or users.local
- Then, the nouser entry in users would block further access from the remote host.
This issue does not exist on UNIX RSCD agents.
BMC strongly recommends that customers take corrective action as soon as possible, either by following the workaround (see Mitigation) or by upgrading to version 8.6 SP1 Patch 2, 8.7 Patch 3, or version 8.8.
The issue is fixed in BMC Server Automation version 8.6 SP1 Patch 2, 8.7 Patch 3, and also in version 8.8.
In this specific case, the agents upgraded to:
- Version 8.6 SP1 Patch 2 are qualified to work with the version 8.6 SP1 Patch 1 Application Server.
- Version 8.7 Patch 3 are qualified to work with the version 8.7 Patch 2 Application Server.
The exports file should be altered to accept connections only from authorized systems, such as the BladeLogic Server Automation Application Servers, Repeaters, and SOCKS Proxies.
Update the RSCD Agent on the affected systems to 8.6 SP1 Patch 2, 8.7 Patch 3, or 8.8 (whichever version is qualified to work with your Application Server).
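The following audit script is an added example, not BMC tooling, tying the scenario above (a wildcard exports entry plus a nouser users entry) to the fixed versions and the mitigation. It assumes exports lines have the form `<host> <options>` with `#` comments, that the users file denies via a literal `nouser` token, and that agent versions are written as `8.6 SP1 Patch 1` style text; the sample files are constructed.

```python
import re

# CVE-2016-5063 fixed builds per release line (advisory: 8.6 SP1 Patch 2, 8.7 Patch 3, 8.8+).
FIXED_IN = {(8, 6): (1, 2), (8, 7): (0, 3)}   # (major, minor) -> (service pack, patch)

def parse_version(text):
    """'8.6 SP1 Patch 1' -> (8, 6, 1, 1); a missing SP or Patch counts as 0 (assumed format)."""
    m = re.match(r"(\d+)\.(\d+)(?:\s+SP(\d+))?(?:\s+Patch\s+(\d+))?", text.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised agent version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def is_vulnerable(version_text):
    """True when a Windows RSCD agent of this version predates the fix."""
    major, minor, sp, patch = parse_version(version_text)
    if (major, minor) >= (8, 8):
        return False
    fix = FIXED_IN.get((major, minor))
    return fix is None or (sp, patch) < fix   # release lines older than 8.6 have no fixed build

def wildcard_exports(exports_text):
    """Exports entries whose host field is a wildcard, as [(line_no, host, options)]."""
    found = []
    for n, raw in enumerate(exports_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        host, _, options = line.partition(" ")
        if "*" in host:
            found.append((n, host, options.strip()))
    return found

def audit(exports_text, users_text, version_text):
    """Warnings for an exports/users pair on a Windows agent of the given version."""
    warnings = []
    wild = wildcard_exports(exports_text)
    relies_on_nouser = "nouser" in users_text
    for n, host, opts in wild:
        warnings.append(f"exports line {n}: '{host} {opts}' lets any host connect; "
                        "restrict to Application Servers, Repeaters and SOCKS Proxies")
    if wild and relies_on_nouser and is_vulnerable(version_text):
        warnings.append(f"agent {version_text}: users-file nouser entry is not enforced "
                        "(CVE-2016-5063); upgrade the agent")
    return warnings

# Constructed sample files reproducing the advisory's example scenario.
SAMPLE_EXPORTS = "# constructed sample\n* rw\n"
SAMPLE_USERS = "# constructed sample\n* nouser\n"

if __name__ == "__main__":
    for w in audit(SAMPLE_EXPORTS, SAMPLE_USERS, "8.6 SP1 Patch 1"):
        print(w)
```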
Frequently Asked Questions
No, this only applies to Windows RSCD agents.
Any Windows RSCD agents before 8.6 SP1 Patch 2, 8.7.00 Patch 3, or 8.8.00
Where to go for additional information
If you have any questions about the issue, contact BMC Customer Support at 800 5371813 (United States or Canada) or call your local support center.