6 Replies. Latest reply: Jan 12, 2009 11:11 AM by Noah Hester

Announced Vulnerability in Patrol

DaveCoup

Regarding the advisory below...

Does anyone have any additional information?  BMC seems to have posted nothing more than a sentence stating they fixed the bug.  The release notes have tracking number QM001566075.  Is there somewhere I can see everything in this tracking number?  My concern is that I do not fully understand the vulnerability; BMC has stated to me in a support call that every one of my 1200 agents (all are 3.7.1 and below) are vulnerable.  If I have to upgrade them all, so be it, but I'd like to know the priority.  Are some more vulnerable than others? Are internal segments more or less vulnerable than DMZ segments?  Any info would be appreciated... even opinions are welcome...

Thanks

BMC PATROL Agent Format String Bug Lets Remote Users Execute Arbitrary Code

SecurityTracker Alert ID:  1021361
SecurityTracker URL:  http://securitytracker.com/id?1021361
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Dec 8 2008

Impact:  Execution of arbitrary code via network, User access via network

Fix Available:  Yes   Vendor Confirmed:  Yes  

Version(s): prior to 3.7.30

Description:  A vulnerability was reported in BMC PATROL. A remote user can execute arbitrary code on the target system.

A remote user can send specially crafted data to TCP port 3181 containing format string characters to execute arbitrary code on the target system. The code will run with the privileges of the target service.

A specially crafted version number can trigger code execution.

The vendor was notified on May 8, 2008.

This vulnerability was reported anonymously via TippingPoint.

Impact:  A remote user can execute arbitrary code on the target system.

Solution:  The vendor has issued a fixed version (3.7.30).
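The bug class the advisory describes, shown as an added illustration rather than BMC's code: a hypothetical handler for the client-supplied version field that hands the untrusted string to a formatting routine as its format argument, beside the hardened form that validates the field and keeps the format string constant. The function names, the buffer size and the "digits and dots" version rule are assumptions, not details of the PATROL Agent.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define BANNER_MAX 128   /* assumed buffer size for this illustration */

/* VULNERABLE pattern (hypothetical, not the real agent's code): the client-
 * supplied version string becomes the *format* argument of snprintf, so any
 * conversion specifiers it carries are interpreted instead of copied. This is
 * the bug shape the advisory describes. Demo only calls it with benign input. */
int banner_vulnerable(char *out, size_t outlen, const char *version)
{
    char fmt[BANNER_MAX];
    snprintf(fmt, sizeof fmt, "agent version %s", version); /* harmless step */
    return snprintf(out, outlen, fmt); /* defect: fmt derives from untrusted data */
}

/* Hardened, step 1: accept only what a version number can contain (digits and
 * dots, bounded length, no leading/trailing dot). Returns 1 if valid, else 0. */
int version_is_valid(const char *version)
{
    size_t n = strlen(version);
    if (n == 0 || n > 15 || version[0] == '.' || version[n - 1] == '.')
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)version[i]) && version[i] != '.')
            return 0;
    return 1;
}

/* Hardened, step 2: constant format string, untrusted value always passed via
 * "%s", so even an unvalidated "%n" or "%x" would be emitted as literal text.
 * Returns the banner length, or -1 when the version is rejected. */
int banner_safe(char *out, size_t outlen, const char *version)
{
    if (!version_is_valid(version))
        return -1;
    return snprintf(out, outlen, "agent version %s", version);
}

int main(void)
{
    char buf[BANNER_MAX];
    const char *samples[] = { "3.7.20", "3.7.%x", "3.7.30.", "" }; /* constructed */
    for (size_t i = 0; i < 4; i++)
        printf("%-8s -> %s\n", samples[i],
               banner_safe(buf, sizeof buf, samples[i]) < 0 ? "rejected" : buf);
    return 0;
}
```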

  • 1. Re: Announced Vulnerability in Patrol
    Geert De Peuter

    Hi Dave,

    I understand the confusion.

    The most likely exposure you will suffer is that it is indeed possible to remotely crash an agent when a specifically crafted payload is sent to an agent.

    We have released agent 3.7.30 that fixes this problem.

    I will try to answer any question that is posted in this thread - as long as it doesn't dive into the detailed specifics of the vulnerability (we don't want to start code here on "how to crash your agent") ...

    To answer your first question... are any agents more vulnerable than others? The answer is no: all PATROL agents with a version < 3.7.30 are vulnerable.  This problem has been present since agent version 3.0.0, but was only recently discovered.

    Let me know if there are any more questions

    -- Geert

  • 2. Re: Announced Vulnerability in Patrol
    Geert De Peuter

    I wanted to give you a bit more information.

    A couple of "best" practices that will limit vulnerabilities are:

    - Use a security level > 0

    - Implement firewall rules to control which traffic can get to the agent

    Hope this additional information helps

    -- Geert

  • 3. Re: Announced Vulnerability in Patrol
    Garland Smith

    External Knowledge Article SLN000015073377 has been created for this.
    SLN000015073377 was developed with input from senior development
    (Geert DePeuter) and development management (Dave Hardy) and can be
    shared with customers.

    SLN000015073377:

    Problem:

    BMC Patrol Agent Remote Format String Vulnerability.

     


    Reported on bugtraq, zerodayinitiative, securitytracker, and Symantec:

    http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2008-12/msg00084.html
    http://www.zerodayinitiative.com/advisories/ZDI-08-082/
    http://securitytracker.com/alerts/2008/Dec/1021361.html

     

    This affects all PatrolAgents on all platforms.   This is related to Defect QM001566075:

    The ramification of this issue is that PATROL Agent allowed an attacker to successfully
    exploit a protocol format vulnerability by forging PATROL protocol messages to remotely crash the PATROL Agent.

    It may also be possible to execute arbitrary code through this vulnerability.

    FAQ:

    1) We know the PatrolAgent binary is affected – but which platforms are affected?
       The PatrolAgent binary on all platforms is affected.

    2) Are other products like Perform and Predict, Knowledge Modules such as OS or database
       (Oracle, Sybase, etc.) affected?

       This problem is only found in the PATROL Agent binaries.

    Solution:

    To remediate this vulnerability immediately, install the PATROL Agent 3.7.30,
    which is shipped with BMC Performance Manager for Servers 2.7.00 and available
    today on supported Unix, Linux, and Windows platforms.

    BMC Software is in the process of developing patches to all currently supported
    versions of the PATROL Agent - from 3.6.50 through 3.7.20 and on OpenVMS and
    iSeries.  Contact BMC Support to inquire about availability for a particular
    patch version.

    Things you can do to secure your environment before you patch or upgrade your Agent:

    * Firewall rules limiting which servers can connect to the agent port (default is 3181)
      would limit the number of servers in the environment that could be used to launch an
      attack

    * Ensuring that Agents are running at security level 1 or higher further reduces the
      risk of an effective exploit

    Thanks,

    Garland Smith



  • 4. Re: Announced Vulnerability in Patrol
    DaveCoup

    Thanks Geert.

  • 5. Re: Announced Vulnerability in Patrol
    Garland Smith

    The following text has been added to Knowledge Article 20007188:

    The patch to correct the PatrolAgent Format Vulnerability can be located
    at ftp.bmc.com under pub/patrol/patches/P_AGENT/<OS>/<patch>.

    Use anonymous to login to ftp.bmc.com (username=anonymous, password=e-mail address):

        ftp ftp.bmc.com
        username=anonymous
        passwd=e-mail address
        cd pub/patrol/patches

    A readme file is provided for each patch. The readme file will contain details
    about the patch, the PatrolAgent version for which the patch is applicable, and
    instructions to install the patch. Each patch includes a Unix tar file and a
    Windows zip file for extraction/installation.

    The patches are organized by operating system under the following directory hierarchy:

    OS400 patch 3.7.21.01 supersedes 3.7.20 PatrolAgent on OS400:

        patrol_os400
        patrol_os400/3.7.21.01
        patrol_os400/3.7.21.01/Windows
        patrol_os400/3.7.21.01/Windows/PAA_ALL_372101.zip
        patrol_os400/3.7.21.01/Unix
        patrol_os400/3.7.21.01/Unix/PAA_ALL_372101.tar
        patrol_os400/3.7.21.01/372101PatchReadme.html

    Unix patch 3.7.00.02 supersedes 3.7.00 PatrolAgent on Unix:

        patrol_unix/3.7.00.02
        patrol_unix/3.7.00.02/Unix
        patrol_unix/3.7.00.02/Unix/PIA_ALL_370002.tar
        patrol_unix/3.7.00.02/Windows
        patrol_unix/3.7.00.02/Windows/PIA_ALL_370002.zip
        patrol_unix/3.7.00.02/PIA_370002_Readme.txt

    Unix patch 3.7.20.02 supersedes 3.7.10 and 3.7.20 PatrolAgent on Unix:

        patrol_unix/3.7.20.02
        patrol_unix/3.7.20.02/Unix
        patrol_unix/3.7.20.02/Unix/PIA_ALL_372002.tar
        patrol_unix/3.7.20.02/Windows
        patrol_unix/3.7.20.02/Windows/PIA_ALL_372002.zip
        patrol_unix/3.7.20.02/PIA_372002_Readme.txt

    OpenVMS patch 3.7.00.02 supersedes 3.7.00 PatrolAgent on OpenVMS:

        patrol_vms/3.7.00.02
        patrol_vms/3.7.00.02/Unix
        patrol_vms/3.7.00.02/Unix/PIA_ALL_370002.tar
        patrol_vms/3.7.00.02/Windows
        patrol_vms/3.7.00.02/Windows/PIA_ALL_370002.zip
        patrol_vms/3.7.00.02/370002PatchReadme.html

    OpenVMS patch 3.7.10.01 supersedes 3.7.10 PatrolAgent on OpenVMS:

        patrol_vms/3.7.10.01
        patrol_vms/3.7.10.01/Unix
        patrol_vms/3.7.10.01/Unix/PIA_ALL_371001.tar
        patrol_vms/3.7.10.01/Windows
        patrol_vms/3.7.10.01/Windows/PIA_ALL_371001.zip
        patrol_vms/3.7.10.01/371001PatchReadme.html

    Windows patch 3.7.00.02 supersedes 3.7.00 PatrolAgent on Windows:

        patrol_windows/3.7.00.02
        patrol_windows/3.7.00.02/Unix
        patrol_windows/3.7.00.02/Unix/PIA_ALL_370002.tar
        patrol_windows/3.7.00.02/Windows
        patrol_windows/3.7.00.02/Windows/PIA_ALL_370002.zip
        patrol_windows/3.7.00.02/PIA_370002_Readme.txt

    Windows patch 3.7.20.02 supersedes 3.7.10 and 3.7.20 PatrolAgent on Windows:

        patrol_windows/3.7.20.02
        patrol_windows/3.7.20.02/Unix
        patrol_windows/3.7.20.02/Unix/PIA_WINDOWS_372002.tar
        patrol_windows/3.7.20.02/Windows
        patrol_windows/3.7.20.02/Windows/PIA_WINDOWS_372002.zip
        patrol_windows/3.7.20.02/PIA_372002_Readme.txt

    Patch version 3.6.70.02 (for the 3.6.70, 3.6.60, and 3.6.50 PatrolAgent releases) and
    3.6.00.94 (for the 3.6.00 PatrolAgent release) are in progress. These patches will be
    added to the ftp site under the respective OS when they are available.

     



  • 6. Re: Announced Vulnerability in Patrol
    Noah Hester

    Regarding changing the security level, below is my question to BMC Support and their answer.

    Today we are at security level 0 and we use BMC Perform/Predict on every server.

    On page 3 of the PATROL Agent Flash document it suggests that we consider running at a security level 1 or higher.

    To secure your environment before you patch or upgrade your PATROL Agent, BMC
    highly recommends that you take the following precautions:

    * Implement Firewall rules and IP/hostname-based Access Control Lists to limit
      which servers can connect to the agent port (the default is 3181). This limits the
      number of servers in the environment that an intruder can use to launch an attack.

    * Ensure that the PATROL Agents are running at security level 1 or higher. Raising
      the security level greatly reduces the risk of an effective exploit.

    On page 55 of the PATROL Security User Guide (28-Feb-2005) there is the screen shot (see below) that suggests that if you select any advanced security level you will disable network communication between PATROL Performance Manager and Perform.

    [Attached screenshot: Page55_SecurityUserGuide.bmp]

    Does that mean we will essentially break Perform and Predict?  If not, what does that mean?

    BMC's reply:

    Please let me know if you are going to increase the security level in a Patrol Perform integrated environment or are planning to use a higher security level during installation time.

    When the PATROL and Perform products are installed together, if you select a Security Level at install time greater than 0 that would cause problems for the Perform product, because Perform only has two security modes - Basic Security (Level 0), which provides full product functionality, and Advanced Security (Level 1+), which removes any Perform binary that can communicate over the network and replaces it with a substitute that has no network capabilities.

    If you were to increase the PATROL Security Level after the product is installed that wouldn't cause a problem for Perform, since that wouldn't change the Perform product security level. The Perform product's security level would only be changed if the /[Installation Directory]/Patrol3/.b1configVVVV.sav file was updated to put Perform into Advanced security and the b1configVVVV.sh script was re-run (something that would likely only happen at install time).

    If you are planning to manually increase the PATROL security level there shouldn't be any issues; however, if this will be implemented for new installations this will likely be an issue and custom steps would be required to be added.

    It would be recommended that you test either method you are choosing in a lab environment to see if there is any impact - if the change does not break the Perform binaries in the lab then the results should be expected to be consistent wherever they would be applied.