BSA: Notification of remote copy vulnerability in BMC Server Automation, CVE-2016-4322

Version 1

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    BMC BladeLogic Server Automation Suite


    COMPONENT:

    BMC BladeLogic Agent and NSH


    APPLIES TO:

    BMC BladeLogic Server Automation (BSA) RSCD versions prior to 8.7 P3



    PROBLEM:

     

    Problem:

       BMC Software is alerting users to a security problem in the UNIX RSCD agent for all versions of BMC Server Automation prior to version 8.7 Patch 3, as well as in any BMC solution that includes this technology.  

    Assigned CVE-ID: CVE-2016-4322
    Credit for disclosure: François Goichon from Context (www.contextis.com)

      

    A security vulnerability involving all BMC Server Automation UNIX RSCD agents has been identified. 

      

    A vulnerability exists where an incoming (attacker) system can bypass the exports file access restrictions on a system with a vulnerable RSCD agent (source) and initiate a file copy from the source to a remote system running the RSCD (destination).  Note that this is a read-only vulnerability and files cannot be updated or overwritten on the destination (victim) systems.

      

    BMC believes the score to be 6.3 (which NVD considers a medium severity). This is reflected in the following scoring vector: (AV:N/AC:M/Au:S/C:C/I:N/A:N). A successful exploit requires network access to a vulnerable remote RSCD agent. The access complexity is medium, as it requires the attacker to be able to stand up a machine or to have compromised a system where he or she has been able to authenticate. The attacker needs to install an RSCD agent and configure it properly. A successful exploit compromises the confidentiality of files on the vulnerable machine.

      

    Terminology used in this notification

    Attacker system: Incoming system that initiates a file copy from a vulnerable RSCD agent to a remote system that is running the RSCD.
    Source system: System with a vulnerable RSCD agent, which is accessed by the attacking system to initiate a file copy to the destination system.
    Destination system: System running the RSCD agent that will receive the copied files. The destination system must:
    • Accept communication from the source system on the RSCD port.
    • Map the incoming request (which will be as the user 'root') to a local account that has write access to the destination directory specified by the attacker.

    The destination system can be a system the attacker has control over and is able to run an RSCD agent on, or an existing system in the environment with poorly configured RSCD ACLs that allow the conditions noted above. For example:

    • The attacker does not control the destination system, but the destination has '* rw' in the exports file and no 'nouser' in users. In this case any connection not matched in users or users.local will be mapped to 'nobody', and it may be possible to write files to a directory such as /tmp on the destination, depending on the local file system permissions. The attacker would then be able to read these files because of the '*' in exports.
    • The attacker does control a system, can install and run an RSCD agent on it, and can configure the exports, users and/or users.local files to allow the source system to connect.

    The attacker must also be able to access the destination system from the system used to initiate the attack to access the copied files.

      


    Conditions that allow the vulnerability

    • The conditions for the source and destination listed in the terminology table need to be met.
    • The attacker will copy files from the source system directly to the destination system, to a directory the attacker specifies.
    • The attacker must then access the destination system to read the files.
    • Due to the nature of the vulnerability, the files copied are not always the same, and it is not always possible to get specific files. For example, the attacker system may request that the entire /etc directory be copied, but only some files may be copied.

    Impact

      

    The issue applies only to UNIX agents prior to version 8.7.00 Patch 3. The issue does not apply to BMC Server Automation versions 8.7 Patch 3 and later, or to Microsoft Windows agents.

      

    Note the following about the vulnerability:

    • This is a read-only vulnerability and files cannot be updated or overwritten on victim machines.
    • The vulnerability applies only to UNIX RSCD agents.
    • The attacker cannot copy files to the victim system.
    • The attack is not consistently reproducible on all systems.
    • The attack cannot be performed from inside a network shell. The 'remote copy' must be initiated outside of NSH to the target/source system.

    BMC strongly recommends that customers take corrective action as soon as possible, either by following the workaround (see Mitigation below) or by upgrading to version 8.7 Patch 3 or later.
    For BSA 8.6 environments, the issue is resolved in 8.6.1 Patch 2 RSCD Agents.

     


    CAUSE:

    CVE-2016-4322


    SOLUTION:

     

    Mitigation

      

    To mitigate the issue in the affected versions, perform the following steps, if the conditions described in Problem exist:

    1. Modify the exports file on all targets to only accept connections from authorized hosts (for example, Application Servers, repeater servers, file servers, and so on) and not other managed servers.
    2. Do not use '* rw,user=<anyuser>' in the exports file, as this lets any connection act as <anyuser> on the system unless further restrictions are applied in users (e.g. nouser). It is still not a good practice to do a user mapping in the exports file, in case the users file for some reason does not get the nouser entry pushed.
    3. Do not use 'root rw,map=root' in the users or users.local file. Note that the 'root rw,map=root' mapping is not a recommended configuration, and should be used only when the root user on one system needs to be root on other UNIX systems. Because the incoming connection from the source system will be as 'root', a 'root rw,map=root' mapping will allow the connection. If this mapping is required for some reason, provide additional restrictions on it, such as 'host=' with the list of hostnames from which connections as root should be allowed. Otherwise the users.local file should only have mapping entries that serve as a fail-safe to access the system.
    4. Always push nouser in the users or users.local file. The nouser option is a special user name that denies user access to the server unless the user has an entry specifically configured in the users or users.local files.

    The above settings should prevent a system from being used as an unauthorized destination location. The only mitigation for the source system is a host-based firewall that only allows connections from the BSA infrastructure. There is more information available on the exports, users and users.local settings.
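    The following audit script is an added example and is not BMC code or part of this article. It checks RSCD exports and users/users.local content for the three weak settings the mitigation steps name (a '*' wildcard export, a 'root rw,map=root' mapping with no 'host=' restriction, and a missing 'nouser' entry) and shows a weak configuration next to a hardened one. It assumes a simplified line layout of '<host-or-user> <perm>[,option=value,...]' with '#' comments and a bare 'nouser' line, derived only from the examples quoted in this article; the hostnames and user names in the samples are constructed.

```python
"""Audit RSCD exports / users(.local) entries for the weak settings named in the
BMC advisory for CVE-2016-4322.  Added example, not BMC code.

Assumed line layout (derived from the advisory's own quoted entries, not a full
grammar for the real files): '<host-or-user> <perm>[,opt=value,...]', one entry
per line, '#' starts a comment, and 'nouser' appears as a bare line."""

from dataclasses import dataclass, field


@dataclass
class Entry:
    subject: str                      # hostname pattern (exports) or user name (users)
    perm: str                         # e.g. 'rw' or 'ro'; empty for a bare 'nouser' line
    options: dict = field(default_factory=dict)  # e.g. {'map': 'root', 'host': 'appserver01'}


def parse_entries(text):
    """Parse file content into Entry objects, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        subject, perm, options = parts[0], '', {}
        if len(parts) > 1:
            fields = [f.strip() for f in parts[1].split(',')]
            perm = fields[0]
            for opt in fields[1:]:
                key, _, value = opt.partition('=')
                options[key.strip()] = value.strip()
        entries.append(Entry(subject, perm, options))
    return entries


def audit_exports(text):
    """Return findings for exports entries that accept connections from any host."""
    findings = []
    for e in parse_entries(text):
        if e.subject == '*':
            if 'user' in e.options:
                findings.append(
                    f"wildcard export '* {e.perm},user={e.options['user']}' lets any "
                    f"connection act as '{e.options['user']}'")
            else:
                findings.append(f"wildcard export '* {e.perm}' accepts connections from any host")
    return findings


def audit_users(text):
    """Return findings for users/users.local content: missing nouser, unrestricted root mapping."""
    findings = []
    entries = parse_entries(text)
    if not any(e.subject == 'nouser' for e in entries):
        findings.append("no 'nouser' entry: connections not matched by an entry fall back to the default mapping")
    for e in entries:
        if e.subject == 'root' and e.perm == 'rw' and e.options.get('map') == 'root' and 'host' not in e.options:
            findings.append("'root rw,map=root' without a host= restriction accepts root from any source host")
    return findings


# Constructed samples: the configuration the advisory warns against, and the hardened form.
WEAK_EXPORTS = """\
# any host may connect and is mapped to a local account
* rw,user=bladmin
"""
HARDENED_EXPORTS = """\
# only BSA infrastructure hosts may connect; no user mapping here
appserver01.example.com rw
repeater01.example.com rw
"""
WEAK_USERS_LOCAL = """\
root rw,map=root
"""
HARDENED_USERS_LOCAL = """\
root rw,map=root,host=appserver01.example.com
nouser
"""


def audit_agent(exports_text, users_text):
    """Audit one agent's exports and users(.local) content; an empty list means no weak setting found."""
    return audit_exports(exports_text) + audit_users(users_text)


if __name__ == '__main__':
    for label, exp, usr in (('weak', WEAK_EXPORTS, WEAK_USERS_LOCAL),
                            ('hardened', HARDENED_EXPORTS, HARDENED_USERS_LOCAL)):
        print(f"[{label}]")
        for finding in audit_agent(exp, usr) or ['no weak settings found']:
            print('  -', finding)
```

    Run against the real files by reading them into the two text arguments of audit_agent; a non-empty result for an agent means it could serve as an unauthorized destination under the conditions described in Problem.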

      

    Solution

      

    Update the RSCD Agent on the affected UNIX systems to version 8.7 P3 or later (whichever version is qualified to work with your Application Server).

      

    In this specific case, the agents upgraded to version 8.7 Patch 3 are qualified to work with the version 8.7 Patch 2 Application Server.

    October 2016: For BSA 8.6.1 environments, the vulnerability is addressed in 8.6.1 Patch 2 RSCD Agents.

     


    Article Number:

    000122685


    Article Type:

    Solutions to a Product Problem


