Control-M/Agent Security Updates for UNIX and Windows


26 August 2024

Version: Control-M/Agent 9.0.20 and higher

This security bulletin describes security updates that might require changes to the default Agent configuration.

Known Issues

The following entries describe the known issues for Control-M/Agent 9.0.20 and higher. Each entry states the issue and then the recommended action.

Issue: The default Agent settings allow unauthenticated remote code authentication and arbitrary file read and write privileges.

Action: Prevent this as described in Preventing Unauthenticated Remote Code Authentication.

Issue: A signed third-party certificate for client authentication can bypass the need for a certificate signed by the certificate authority of the organization.

Action: The Agent keystore contains signed third-party certificates and other certificates that are hardcoded in the binary file. The hardcoded third-party certificates in the binary file are only accessible when a kdb keystore is empty, and all of these certificates are expired and cannot be used by an attacker.

If you use the PKCS12 keystore, those certificates are never accessible.

To determine whether the Agent utilizes a kdb or PKCS12 keystore, see Determining the Control-M/Agent Keystore Name and Type.

For Agents that utilize the kdb keystore type, BMC recommends that you create and deploy a PKCS12 keystore to prevent access to the hardcoded third-party certificates in the binary file.

After you remove all third-party certificates, import the certificates issued by your organization, as described in Importing Certificates Issued By Your Organization.

Note

  • This issue is relevant for Control-M/Agent version 9.0.20.
  • Control-M/Agent 9.0.21 and higher only supports PKCS12 keystores and does not support kdb keystores.

Issue: Agents utilize the default kdb or PKCS12 keystores, and the default keystore password is well known and documented.

Action: To determine whether the Agent utilizes a kdb or PKCS12 keystore, see Determining the Control-M/Agent Keystore Name and Type.

Change the password, as described in Changing Keystore Passwords.

For Agents that utilize the kdb keystore type, BMC recommends that you create and deploy a PKCS12 keystore.

Issue: Permissions for the Agent SSL files, including keystore, policies, and ACL, allow read access to all users on a system.

Action: Manage the SSL file permissions according to organizational requirements.

  • If the Agent is set to a transient SSL/TLS connection, all users who execute an Agent utility that communicates with Control-M/Server must have read permissions for the SSL files.
  • If the Agent is set to a persistent SSL/TLS connection, only the Agent owner must have read permissions for the SSL files.

Note

This issue is relevant for Control-M/Agent version 9.0.20.

Issue: Blowfish keys are hardcoded in the Agent binary files, which allows access to encrypted data.

Action: BMC recommends that you switch to AES encryption, as described in Blowfish Encryption.

Note

This issue is relevant for Control-M/Agent version 9.0.20.

Issue: If you enforce the Access Control List, as described in Access Files, the verification stops at the first NULL byte encountered in the email address referenced in the certificate.

Action: Only trust certificates and CAs from your organization. Remove all third-party CAs from the Agent keystore.

Note

This issue is relevant for Control-M/Agent version 9.0.20.

Issue: After SSL/TLS communication is configured, the system checks the IP address configured by AUTHORIZED_CTM_IP only after the initial SSL/TLS handshake.

Action: Deploy network firewalls to block remote access from untrusted computers.

Note

This issue is relevant for Control-M/Agent version 9.0.20.

Issue: Local access to the Agent might allow path traversal.

Action: This issue was fixed in Control-M/Agent 9.0.20.100. See tracking number CTM-5157 in Control-M Version 9.0.200.100 Release Notes - Corrected Problems.

Note

This issue is relevant for Control-M/Agent version 9.0.20.000.

Issue: Local access to the Agent might result in a buffer overflow.

Action: This issue was fixed in Control-M/Agent 9.0.20.100. See tracking number CTM-4553 in Control-M Version 9.0.200.100 Release Notes - Corrected Problems.

Note

This issue is relevant for Control-M/Agent version 9.0.20.000.

Issue: After SSL/TLS communication is configured, a stack-based buffer overflow can be triggered when formatting an error message.

Action: The issue occurs only when the Agent SSL configuration is set to the non-default setting use_openssl=n. Change the configuration to the default setting use_openssl=y.

Note

This issue is relevant for Control-M/Agent version 9.0.20.

Issue: After SSL/TLS communication is configured, memory corruption might be triggered on the stack.

Action: The issue occurs only when the Agent SSL configuration is set to the non-default setting use_openssl=n. Change the configuration to the default setting use_openssl=y.

Note

This issue is relevant for Control-M/Agent version 9.0.20.

Issue: Permissions for the files containing Control-M/Agent keys and passwords allow read access to all users.

Action: Manage the permissions for the following files, which contain the Agent keys and passwords, according to organizational requirements:

  • data/PASSWRDS.dat
  • data/keys/local.key
  • data/keys/ctm_key.txt
  • data/JAVACONF.dat

Each user that utilizes the following files requires these permissions:

  • data/PASSWRDS.dat:
    • Read/Write permissions are required to change the passwords in the local Agent password repository with the ctmpwd utility.
    • Read permissions are required to access the passwords in the local Agent password repository (for example, when the user starts up the Agent on UNIX/Linux with the start-ag command).
  • data/keys/local.key:
    • Read/Write permissions are required to change the key with the ctmagcpk utility.
    • Read permissions are required to change passwords in the local Agent password repository with the ctmpwd utility.
    • Read permissions are required to execute Agent utilities in Helix Control-M.
    • Read permissions are required to execute the ctmgetccp utility.

Only the Agent user requires read permissions for the following files:

  • data/keys/ctm_key.txt
  • data/JAVACONF.dat

Note

This issue is relevant for Control-M/Agent version 9.0.20.

In Control-M/Agent 9.0.21 and higher:

  • Permission for secured files is set to 640 during a new Agent installation.
  • There are no permission changes to existing secure files.
  • (Linux only) A new toolbox option is available: Option 4 Agent Help Tools 2 > 3 Secret file permissions check.
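The following shell script is an added example; it is not the BMC toolbox check mentioned above or any other BMC code. It audits the four secret files listed in this entry for read access by users outside the owning group, can apply the 640 mode that the bulletin states a new 9.0.21 installation sets, and, for the Blowfish Encryption section later on this page, reports whether data/keys/local.key is present (the bulletin's indicator that Blowfish is not in use). It assumes the file paths are relative to the directory that holds data/, which on UNIX/Linux is <Agent home>/ctm; the demonstration directory it builds, and the placeholder file contents, are constructed for the example.

```shell
#!/bin/sh
# Added example, not BMC code: audit the Control-M/Agent secret files named in
# this bulletin for read access by users outside the owning group, and report
# whether data/keys/local.key exists (the bulletin's indicator that Blowfish is
# not in use). Paths are assumed relative to the directory holding data/, which
# on UNIX/Linux is <Agent home>/ctm.

SECRET_FILES="data/PASSWRDS.dat data/keys/local.key data/keys/ctm_key.txt data/JAVACONF.dat"

# Symbolic mode string such as -rw-r----- from POSIX ls (avoids GNU/BSD stat differences).
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Returns 0 when "other" users can read the file, i.e. character 8 of the mode is r.
world_readable() {
    case "$(perm_string "$1")" in
        ???????r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reports every world-readable secret file under the given directory.
# Returns 1 if any was found, 0 if all present files are restricted.
check_secret_files() {
    root=$1
    bad=0
    for f in $SECRET_FILES; do
        path="$root/$f"
        [ -f "$path" ] || continue          # a missing file is not a permission finding
        if world_readable "$path"; then
            echo "WORLD-READABLE: $path ($(perm_string "$path"))"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Applies mode 640 (owner rw, group r, others none), the mode the bulletin states
# a new 9.0.21 installation sets on secured files.
restrict_secret_files() {
    root=$1
    for f in $SECRET_FILES; do
        [ -f "$root/$f" ] && chmod 640 "$root/$f"
    done
    return 0
}

# Per the Blowfish Encryption section: the Agent does not use Blowfish when
# local.key is present, so its presence is reported as the encryption indicator.
encryption_mode() {
    if [ -f "$1/data/keys/local.key" ]; then echo AES; else echo Blowfish; fi
}

# Builds a throwaway directory tree with constructed placeholder contents and one
# deliberately world-readable password file, so the checks can run offline.
make_demo_agent_home() {
    d=$(mktemp -d)
    mkdir -p "$d/data/keys"
    for f in $SECRET_FILES; do
        echo "constructed placeholder, not real key material" > "$d/$f"
        chmod 640 "$d/$f"
    done
    chmod 644 "$d/data/PASSWRDS.dat"        # the weak setting the check must catch
    echo "$d"
}

# Stand-alone run: report, restrict, re-check, clean up.
demo=$(make_demo_agent_home)
echo "Encryption indicator: $(encryption_mode "$demo")"
check_secret_files "$demo" || echo "--> applying mode 640"
restrict_secret_files "$demo"
check_secret_files "$demo" && echo "All secret files are restricted."
rm -rf "$demo"
```

Point check_secret_files at the real <Agent home>/ctm directory to audit an installation; it only reads the mode string, so it can run from any account that can list the files. restrict_secret_files changes modes and should be run as the Agent owner after confirming, per the permission list above, which users need read access through the group.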

Preventing Unauthenticated Remote Code Authentication

This procedure describes how to prevent unauthenticated remote code authentication.

Begin

  1. Do one of the following:
    • Enable SSL/TLS, as described in Zone 2 and 3 SSL Configuration, and configure access control lists, as described in Access Files.
    • Verify that your organization uses IPsec, which encrypts the communication between servers within the organization network.
  2. Define Run as User authentication settings, as described in Adding a Run as User.
  3. (UNIX only) Ensure that the Agent runs in non-root mode, as described in Enabling Agent for Non-Root Mode.

Importing Certificates Issued By Your Organization

Note

For Agents that utilize the kdb keystore type, BMC recommends that you create and deploy a PKCS12 keystore, as described in ctmkeytool Deployment Option.

This procedure describes how to import the certificates issued by your organization for Agents that utilize the PKCS12 keystore.

Begin

  1. To remove all copies of third-party certificates from the keystore, do one of the following:
    • If you want to retain your keystore and remove unwanted entries:
      1. Run the following command:
        keytool -list -keystore "<keystore file name>" -storepass <password> -rfc
        A list of all keystore entries appears.
      2. Locate the alias in the -list output.
        The alias must be agdn.
      3. To delete an entry, run the following command:
        keytool -delete -keystore "<keystore file name>" -storepass <password> -alias agdn
    • If you want to delete the keystore file and create a new PKCS12 keystore with bring-your-own certificates, see Bringing Your Own Certificate.
  2. To import the certificates of your organization, do one of the following:

Changing Keystore Passwords

Note

For Agents that utilize the kdb keystore type, BMC recommends that you create and deploy a PKCS12 keystore, as described in ctmkeytool Deployment Option.

This procedure describes how to change the keystore passwords for Agents that utilize the PKCS12 keystore.

Begin

  1. Run the following command:
    keytool -storepasswd -keystore "<keystore file name>" -storepass <password> -new <new password>
  2. Do the following:
    • For Control-M/Agent version 9.0.20, do the following:
      1. To generate a new encoded password, run the following utility:
        bmcryptpw -m <key material file name> -e
        where <key material file name> is the key file used for encryption and decryption. By default, Control-M utilizes <Control-M home>/data/SSL/cert/tree.bin.
      2. Type the password in the following response:
        Enter password: type the <new password>
        The new encoded password is listed:
        Encoded passwd: <new encoded password>
      3. Apply the new encoded password and the key material file name to the site policy file <Control-M home>/data/SSL/cert/site.plc (or the related Windows registry).
        Change the password key in each plc section (server, client, keystore) as follows:
        password=<new encoded password>,<key material file name>
    • For Control-M/Agent version 9.0.21, do the following:
      • To encode the <new password> into the local Agent password repository, run the following command:
        ctmpwd -ACTION UPDATE -USER "*SSL_KEYSTORE" -PASSWORD "<new password>" -VERIFY N

Blowfish Encryption

Blowfish encryption utilizes the same Blowfish key for local data and for sensitive data received from the Control-M/Server. Blowfish is less secure than AES encryption because of its smaller block size and fewer encryption rounds.

Control-M/Agent 9.0.20 supports Blowfish encryption as a non-default option. However, BMC recommends that you switch to AES encryption with the ctmagcpk utility.

Control-M/Agent 9.0.21 and higher supports AES encryption and does not support Blowfish.

You can check for Blowfish encryption in the Agent data directory. The Agent does not utilize Blowfish encryption if the data directory contains the local.key file.

Determining the Control-M/Agent Keystore Name and Type

This procedure describes how to find the Agent keystore name and type. The keystore type is either PKCS12 or kdb.

Begin

  1. Do one of the following:
    • UNIX/Linux: Open <Agent home>/ctm/data/SSL/cert/site.plc
    • Windows default Agent: Open the registry in <host>\HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\Control-M/Agent\SecurityPolicy\site
    • Windows non-default Agent: Open the registry in <host>\HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\Control-M/Agent\<Agent name>\SecurityPolicy\site
  2. Under the server section, locate the following keys:
    • kdb_keystore: Reveals whether the keystore type is kdb or PKCS12.
      If this key exists and contains the value PKCS12, the keystore type is PKCS12. If the key does not exist, the keystore type is kdb.
    • Keyfile: Contains the name of the keystore file.
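The following shell script is an added example, not part of this bulletin or of BMC's tooling. It applies the procedure above to the UNIX/Linux site.plc file: it reads the server section, derives the keystore type from kdb_keystore exactly as the step describes, returns the Keyfile name, and also reports the use_openssl setting and whether each of the server, client, and keystore sections carries the password key that the Changing Keystore Passwords procedure updates. The bulletin names the sections and keys; the INI-style layout ("[section]" headers with key=value lines), the placement of use_openssl in the server section, and the sample file contents are assumptions constructed for this example. It does not cover the Windows registry equivalent.

```shell
#!/bin/sh
# Added example, not BMC code: read keystore settings from a Control-M/Agent
# site policy file (site.plc). The section and key names come from the bulletin;
# the "[section]" / "key=value" layout, the location of use_openssl under
# [server], and the sample contents below are assumptions for this example.

# Prints the value of KEY inside [SECTION] of the given plc file (empty if absent).
plc_get() {
    file=$1 section=$2 key=$3
    awk -F= -v s="$section" -v k="$key" '
        /^[ \t]*\[/ { in_s = ($0 ~ ("^[ \t]*\\[" s "\\][ \t]*$")); next }
        in_s && $1 ~ ("^[ \t]*" k "[ \t]*$") {
            sub(/^[^=]*=/, "")                 # drop "key="
            gsub(/^[ \t]+|[ \t]+$/, "")        # trim surrounding blanks
            print
            exit
        }' "$file"
}

# Keystore type per the bulletin: PKCS12 when kdb_keystore exists with the value
# PKCS12 under the server section, otherwise kdb.
plc_keystore_type() {
    if [ "$(plc_get "$1" server kdb_keystore)" = "PKCS12" ]; then echo PKCS12; else echo kdb; fi
}

# Name of the keystore file from the Keyfile key in the server section.
plc_keystore_file() {
    plc_get "$1" server Keyfile
}

# Returns 0 unless the non-default use_openssl=n is set; the bulletin's default is y,
# so an absent key counts as the default.
plc_uses_openssl() {
    [ "$(plc_get "$1" server use_openssl)" != "n" ]
}

# Prints each of the three plc sections that has no password key, one per line.
plc_sections_missing_password() {
    for s in server client keystore; do
        [ -n "$(plc_get "$1" "$s" password)" ] || echo "$s"
    done
}

# Constructed sample policy file; every value is a placeholder, not a real setting.
make_sample_plc() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[server]
kdb_keystore=PKCS12
Keyfile=agent_keystore.p12
use_openssl=y
password=ENCODED_PLACEHOLDER,/path/to/ctm_home/data/SSL/cert/tree.bin
[client]
password=ENCODED_PLACEHOLDER,/path/to/ctm_home/data/SSL/cert/tree.bin
[keystore]
password=ENCODED_PLACEHOLDER,/path/to/ctm_home/data/SSL/cert/tree.bin
EOF
    echo "$f"
}

# Stand-alone run against the constructed sample.
sample=$(make_sample_plc)
echo "Keystore type: $(plc_keystore_type "$sample")  file: $(plc_keystore_file "$sample")"
if plc_uses_openssl "$sample"; then echo "use_openssl: default (y)"; else echo "use_openssl=n set: change to y"; fi
missing=$(plc_sections_missing_password "$sample")
[ -z "$missing" ] && echo "password key present in server, client, and keystore sections"
rm -f "$sample"
```

To inspect a real Agent, pass <Agent home>/ctm/data/SSL/cert/site.plc to these functions instead of the sample; a kdb result on 9.0.20 is the case the bulletin asks you to migrate to PKCS12, and a use_openssl=n result is the non-default setting behind the two stack-corruption entries above.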

