6 Replies. Latest reply: Jan 12, 2009 11:11 AM by Noah Hester

    Announced Vulnerability in Patrol

    Dave Coupland

      regarding below...

      Does anyone have any additional information?  BMC seems to have posted nothing more than a sentence stating they fixed the bug.  The release notes have tracking number QM001566075.  Is there somewhere I can see everything in this tracking number?  My concern is that I do not fully understand the vulnerability; BMC has stated to me in a support call that every one of my 1200 agents (all are 3.7.1 and below) are vulnerable.  If I have to upgrade them all, so be it, but I'd like to know the priority.  Are some more vulnerable than others? Are internal segments more or less vulnerable than DMZ segments?  Any info would be appreciated... even opinions are welcome...

      Thanks

      BMC PATROL Agent Format String Bug Lets Remote Users Execute Arbitrary Code

      SecurityTracker Alert ID:  1021361 
      SecurityTracker URL:  http://securitytracker.com/id?1021361 
      CVE Reference:  GENERIC-MAP-NOMATCH
      Date:  Dec 8 2008

      Impact:  Execution of arbitrary code via network, User access via network

      Fix Available:  Yes   Vendor Confirmed:  Yes  

      Version(s): prior to 3.7.30

      Description:  A vulnerability was reported in BMC PATROL. A remote user can execute arbitrary code on the target system.

      A remote user can send specially crafted data to TCP port 3181 containing format string characters to execute arbitrary code on the target system. The code will run with the privileges of the target service.

      A specially crafted version number can trigger code execution.

      The vendor was notified on May 8, 2008.

      An anonymous researcher reported this vulnerability via TippingPoint.

      Impact:  A remote user can execute arbitrary code on the target system.

      Solution:  The vendor has issued a fixed version (3.7.30).

        • 1. Re: Announced Vulnerability in Patrol
          Geert De Peuter

          Hi Dave,

           

          I understand the confusion.

          The most likely exposure you will suffer is that it is indeed possible to remotely crash an agent when a specifically crafted payload is sent to it.

          We have released agent 3.7.30 that fixes this problem.

          I will try to answer any question that is posted in this thread - as long as it doesn't dive into the detailed specifics of the vulnerability (we don't want to start code here on "how to crash your agent") ...

          To answer your first question... are any agents more vulnerable than others? The answer is no: all PATROL agents with a version < 3.7.30 are vulnerable.  This problem has been present since agent version 3.0.0, but was only recently discovered.

          Let me know if there are any more questions.

          -- Geert

          • 2. Re: Announced Vulnerability in Patrol
            Geert De Peuter

            I wanted to give you a bit more information

             

            A couple of "best" practices that will limit vulnerabilities are:

            - Use a security level > 0

            - Implement firewall rules to control which traffic can get to the agent

            Hope this additional information helps

            -- Geert

            • 3. Re: Announced Vulnerability in Patrol
              Garland Smith

              External Knowledge Article SLN000015073377 has been created for this.
              SLN000015073377 was developed with input from senior development
              (Geert DePeuter) and development management (Dave Hardy) and can be
              shared with customers.

               

              SLN000015073377:

               

              Problem:

               

              BMC Patrol Agent Remote Format String Vulnerability.

               


              Reported on bugtraq, zerodayinitiative, securitytracker, and Symantec:

               

              http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2008-12/msg00084.html
              http://www.zerodayinitiative.com/advisories/ZDI-08-082/
              http://securitytracker.com/alerts/2008/Dec/1021361.html

               

              This affects all PatrolAgents on all platforms. This is related to Defect QM001566075:

              The ramification of this issue is that PATROL Agent allowed an attacker to successfully
              exploit a protocol format vulnerability by forging PATROL protocol messages to remotely crash the PATROL Agent.

               

              It may also be possible to execute arbitrary code through this vulnerability.

               

              FAQ:

               

              1) We know PatrolAgent binary is affected – but which platforms are affected?
                 The PatrolAgent binary on all platforms is affected.

               

              2) Are other products like Perform and Predict, Knowledge Modules such as OS or database
                 (Oracle, Sybase, etc) affected?

               

                 This problem is only found in the PATROL Agent binaries.

               

              Solution:

               

              To remediate this vulnerability immediately, install the PATROL Agent 3.7.30,
              which is shipped with BMC Performance Manager for Servers 2.7.00 and available
              today on supported Unix, Linux, and Windows platforms.

               

              BMC Software is in the process of developing patches to all currently supported
              versions of the PATROL Agent - from 3.6.50 through 3.7.20 and on OpenVMS and
              iSeries.  Contact BMC Support to inquire about availability for a particular
              patch version.

               

              Things you can do to secure your environment before you patch or upgrade your Agent:

               

              * Firewall rules limiting which servers can connect to the agent port (default is 3181)
                would limit the number of servers in the environment that could be used to launch an
                attack

               

              * Ensuring that Agents are running at security level 1 or higher further reduces the
                risk of an effective exploit

               

              Thanks,

               

              Garland Smith



              • 4. Re: Announced Vulnerability in Patrol
                Dave Coupland

                Thanks Geert.

                • 5. Re: Announced Vulnerability in Patrol
                  Garland Smith

                   

                  The following text has been added to Knowledge Article 20007188:

                  The patch to correct the PatrolAgent Format Vulnerability can be located
                  at ftp.bmc.com under pub/patrol/patches/P_AGENT/<OS>/<patch>.

                  Use anonymous to login to ftp.bmc.com (username=anonymous, password=e-mail address):

                  ftp ftp.bmc.com
                  username=anonymous
                  passwd=e-mail address
                  cd pub/patrol/patches

                  A readme file is provided for each patch. The readme file will contain details
                  about the patch, the PatrolAgent version for which the patch is applicable, and
                  instructions to install the patch. Each patch includes a Unix tar file and a
                  Windows zip file for extraction/installation.

                  The patches are organized by operating system under the following directory hierarchy:

                  OS400 patch 3.7.21.01 supersedes 3.7.20 PatrolAgent on OS400:

                  patrol_os400
                  patrol_os400/3.7.21.01
                  patrol_os400/3.7.21.01/Windows
                  patrol_os400/3.7.21.01/Windows/PAA_ALL_372101.zip
                  patrol_os400/3.7.21.01/Unix
                  patrol_os400/3.7.21.01/Unix/PAA_ALL_372101.tar
                  patrol_os400/3.7.21.01/372101PatchReadme.html

                  Unix patch 3.7.00.02 supersedes 3.7.00 PatrolAgent on Unix:

                  patrol_unix/3.7.00.02
                  patrol_unix/3.7.00.02/Unix
                  patrol_unix/3.7.00.02/Unix/PIA_ALL_370002.tar
                  patrol_unix/3.7.00.02/Windows
                  patrol_unix/3.7.00.02/Windows/PIA_ALL_370002.zip
                  patrol_unix/3.7.00.02/PIA_370002_Readme.txt

                  Unix patch 3.7.20.02 supersedes 3.7.10 and 3.7.20 PatrolAgent on Unix:

                  patrol_unix/3.7.20.02
                  patrol_unix/3.7.20.02/Unix
                  patrol_unix/3.7.20.02/Unix/PIA_ALL_372002.tar
                  patrol_unix/3.7.20.02/Windows
                  patrol_unix/3.7.20.02/Windows/PIA_ALL_372002.zip
                  patrol_unix/3.7.20.02/PIA_372002_Readme.txt

                  OpenVMS patch 3.7.00.02 supersedes 3.7.00 PatrolAgent on OpenVMS:

                  patrol_vms/3.7.00.02
                  patrol_vms/3.7.00.02/Unix
                  patrol_vms/3.7.00.02/Unix/PIA_ALL_370002.tar
                  patrol_vms/3.7.00.02/Windows
                  patrol_vms/3.7.00.02/Windows/PIA_ALL_370002.zip
                  patrol_vms/3.7.00.02/370002PatchReadme.html

                  OpenVMS patch 3.7.10.01 supersedes 3.7.10 PatrolAgent on OpenVMS:

                  patrol_vms/3.7.10.01
                  patrol_vms/3.7.10.01/Unix
                  patrol_vms/3.7.10.01/Unix/PIA_ALL_371001.tar
                  patrol_vms/3.7.10.01/Windows
                  patrol_vms/3.7.10.01/Windows/PIA_ALL_371001.zip
                  patrol_vms/3.7.10.01/371001PatchReadme.html

                  Windows patch 3.7.00.02 supersedes 3.7.00 PatrolAgent on Windows:

                  patrol_windows/3.7.00.02
                  patrol_windows/3.7.00.02/Unix
                  patrol_windows/3.7.00.02/Unix/PIA_ALL_370002.tar
                  patrol_windows/3.7.00.02/Windows
                  patrol_windows/3.7.00.02/Windows/PIA_ALL_370002.zip
                  patrol_windows/3.7.00.02/PIA_370002_Readme.txt

                  Windows patch 3.7.20.02 supersedes 3.7.10 and 3.7.20 PatrolAgent on Windows:

                  patrol_windows/3.7.20.02
                  patrol_windows/3.7.20.02/Unix
                  patrol_windows/3.7.20.02/Unix/PIA_WINDOWS_372002.tar
                  patrol_windows/3.7.20.02/Windows
                  patrol_windows/3.7.20.02/Windows/PIA_WINDOWS_372002.zip
                  patrol_windows/3.7.20.02/PIA_372002_Readme.txt

                  Patch version 3.6.70.02 (for the 3.6.70, 3.6.60, and 3.6.50 PatrolAgent releases) and
                  3.6.00.94 (for the 3.6.00 PatrolAgent release) are in progress. These patches will be
                  added to the ftp site under the respective OS when they are available.
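As an added example (not code from the thread, BMC, or the knowledge article): a small triage script that maps an agent inventory onto the fix threshold (3.7.30) and the interim patch table from the post above, so that a large agent estate can be prioritised as the original question asked. The inventory format, host names and OS-directory labels are assumptions.

```python
# Added example (not from the thread): triage a PATROL Agent inventory against
# the fix threshold (3.7.30) and the interim patches listed in the post above.
FIXED = (3, 7, 30)  # first fixed agent release per the advisory and BMC's replies
# Interim patches transcribed from the directory listing above:
# (ftp OS directory, affected agent version) -> (patch version, readme name)
PATCHES = {
    ("patrol_os400", "3.7.20"): ("3.7.21.01", "372101PatchReadme.html"),
    ("patrol_unix", "3.7.00"): ("3.7.00.02", "PIA_370002_Readme.txt"),
    ("patrol_unix", "3.7.10"): ("3.7.20.02", "PIA_372002_Readme.txt"),
    ("patrol_unix", "3.7.20"): ("3.7.20.02", "PIA_372002_Readme.txt"),
    ("patrol_vms", "3.7.00"): ("3.7.00.02", "370002PatchReadme.html"),
    ("patrol_vms", "3.7.10"): ("3.7.10.01", "371001PatchReadme.html"),
    ("patrol_windows", "3.7.00"): ("3.7.00.02", "PIA_370002_Readme.txt"),
    ("patrol_windows", "3.7.10"): ("3.7.20.02", "PIA_372002_Readme.txt"),
    ("patrol_windows", "3.7.20"): ("3.7.20.02", "PIA_372002_Readme.txt"),
}

def parse_version(text):
    # '3.7.20.02' -> (3, 7, 20, 2); padded to at least three components
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * max(0, 3 - len(parts))

# Per OS, the patched builds that sit below 3.7.30 but are no longer vulnerable.
PATCHED = {}
for (os_dir, _base), (patch, _readme) in PATCHES.items():
    PATCHED.setdefault(os_dir, set()).add(parse_version(patch))

def triage(host, os_dir, version):
    # Returns (host, status, action) with status 'fixed', 'patched' or 'vulnerable'.
    v = parse_version(version)
    if v[:3] >= FIXED:
        return (host, "fixed", None)
    if v in PATCHED.get(os_dir, set()):
        return (host, "patched", None)
    hit = PATCHES.get((os_dir, "%d.%d.%02d" % v[:3]))
    if hit is None:  # e.g. 3.6.x, whose interim patches were still in progress
        return (host, "vulnerable", "upgrade to 3.7.30 (no released interim patch listed)")
    patch, readme = hit
    return (host, "vulnerable", "apply %s, see %s/%s/%s" % (patch, os_dir, patch, readme))

# Constructed sample inventory (host, ftp OS directory, agent version); not real hosts.
INVENTORY = [
    ("dmz-web01", "patrol_unix", "3.7.10"),
    ("app02", "patrol_windows", "3.7.20.02"),
    ("db03", "patrol_unix", "3.6.70"),
    ("lpar04", "patrol_os400", "3.7.20"),
    ("mon05", "patrol_unix", "3.7.30"),
]

def triage_all(inventory=INVENTORY):
    return [triage(*row) for row in inventory]
```

Agents in the DMZ or otherwise reachable on port 3181 from untrusted segments would be the first to patch within the "vulnerable" group, per the firewall advice earlier in the thread.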

                   



                  • 6. Re: Announced Vulnerability in Patrol
                    Noah Hester

                    Regarding changing the security level, below is my question to BMC Support and their answer.

                    Today we are at security level 0 and we use BMC Perform/Predict on every server.

                    On page 3 of the PATROL Agent Flash document it suggests that we consider running at security level 1 or higher:

                    To secure your environment before you patch or upgrade your PATROL Agent, BMC
                    highly recommends that you take the following precautions:

                    · Implement firewall rules and IP/hostname-based Access Control Lists to limit
                      which servers can connect to the agent port (the default is 3181). This limits the
                      number of servers in the environment that an intruder can use to launch an attack.

                    · Ensure that the PATROL Agents are running at security level 1 or higher. Raising
                      the security level greatly reduces the risk of an effective exploit.

                    On page 55 of the PATROL Security User Guide (28-Feb-2005) there is a screen shot (see below) that suggests that if you select any advanced security level you will disable network communication between PATROL Performance Manager and Perform.

                    [Attachment: Page55_SecurityUserGuide.bmp]

                    Does that mean we will essentially break Perform and Predict?  If not, what does that mean?

                     

                     

                     

                    BMC's reply:

                    Please let me know if you are going to increase the security level in a Patrol Perform integrated environment or are planning to use a higher security level during installation time.

                    When the PATROL and Perform products are installed together, if you select a Security Level at install time greater than 0 that would cause problems for the Perform product, because Perform only has two security modes: Basic Security (Level 0), which provides full product functionality, and Advanced Security (Level 1+), which removes any Perform binary that can communicate over the network and replaces it with a substitute that has no network capabilities.

                    If you were to increase the PATROL Security Level after the product is installed, that wouldn't cause a problem for Perform, since that wouldn't change the Perform product security level. The Perform product's security level would only be changed if the /[Installation Directory]/Patrol3/.b1configVVVV.sav file was updated to put Perform into Advanced security and the b1configVVVV.sh script was re-run (something that would likely only happen at install time).

                    If you are planning to manually increase the PATROL security level there shouldn't be any issues; however, if this will be implemented for new installations this will likely be an issue and custom steps would be required to be added.

                    It would be recommended that you test either method you choose in a lab environment to see if there is any impact - if the change does not break the Perform binaries in the lab then the results should be expected to be consistent wherever they would be applied.