1 Reply Latest reply on Mar 9, 2016 8:16 AM by Bill Robinson

    Notification of critical security issue in BMC Server Automation

    Namdeo Patil

      Hi,

      A security authentication vulnerability involving unauthorized host access has been identified. This vulnerability allows remote unauthorized access to the UNIX target server by using the Remote Procedure Call (RPC) API of the RSCD Agent. As per this alert, we are trying to implement the solution using the compliance remediation part.

      The following commands are run as post commands to replace the file and restart the RSCD agent:

       

      # Apply the hotfix only once: the backup copy marks an already-patched agent
      if [ ! -f "??TARGET.RSCD_DIR??/lib/librpccommon.so.1.0_CVE-2016-1542" ]
      then
        # Back up the current libraries, then copy in the staged hotfix versions
        cp -f "??TARGET.RSCD_DIR??/lib/libagentrpc.so.1.0" "??TARGET.RSCD_DIR??/lib/libagentrpc.so.1.0_CVE-2016-1542" 2> /dev/null
        cp -f "??TARGET.RSCD_DIR??/lib/librpccommon.so.1.0" "??TARGET.RSCD_DIR??/lib/librpccommon.so.1.0_CVE-2016-1542" 2> /dev/null
        cp -f "??TARGET.STAGING_DIR??/libagentrpc.so.1.0" "??TARGET.RSCD_DIR??/lib/libagentrpc.so.1.0" 2> /dev/null
        cp -f "??TARGET.STAGING_DIR??/librpccommon.so.1.0" "??TARGET.RSCD_DIR??/lib/librpccommon.so.1.0" 2> /dev/null

        # Locate the agent start script; the first match wins
        startScript=""
        if [ -f "??TARGET.RSCD_DIR??/conf/rscd" ]
        then
          startScript="??TARGET.RSCD_DIR??/conf/rscd"
        elif [ -f "/etc/init.d/rscd" ]
        then
          startScript="/etc/init.d/rscd"
        elif [ -f "/sbin/init.d/rscd" ]
        then
          startScript="/sbin/init.d/rscd"
        elif [ -f "??TARGET.RSCD_DIR??/sbin/agentctl" ]
        then
          startScript="??TARGET.RSCD_DIR??/sbin/agentctl"
        else
          echo "cannot find rscd start script , you must restart agent manually"
          exit 1
        fi

        # Restart the agent so that it loads the replaced libraries
        echo "stopping.."
        "${startScript}" stop
        sleep 180
        echo "starting..."
        "${startScript}" start
      else
        echo "File exist"
        exit 0
      fi

       

      But the restart of the RSCD Agent after the HotFix remediation is not successful (it results in 'no authorization when accessing same server from BSA console') when this start script exists:

      /opt/bmc/bladelogic/RSCD/conf/rscd

      It's trying to use configuration files from /opt/bmc/bladelogic/RSCD/conf/rscd, as the configuration files users, users.local and exports are also present in this folder.

      But the current ACL files (export, users, users.local) are in /etc/rsc/ (the /etc/rsc/users file is updated by the ACL push job).

      But when we use /etc/init.d/rscd stop/start, it picks up the ACL files from the /etc/rsc folder.

      Not sure why the /opt/bmc/bladelogic/RSCD/conf/rscd startup script is using files from the /opt/bmc/bladelogic/RSCD/conf folder?

      Thanks in advance for any answers.
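
A pre-restart check for the remediation described in the post, as an added example (not from the post or from BMC): it confirms that the staged libraries were actually copied and reports ACL files under the agent's conf directory that diverge from /etc/rsc. The file names and paths are the ones the post mentions; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not part of the original post. File names and default
# directories come from the post; the function names are hypothetical.

ACL_FILES="exports users users.local"
HOTFIX_LIBS="libagentrpc.so.1.0 librpccommon.so.1.0"

# hotfix_installed STAGING_DIR LIB_DIR
# Succeeds only if every hotfix library in LIB_DIR is byte-identical to the
# staged copy. The post's cp commands discard errors (2> /dev/null), so a
# failed copy would otherwise go unnoticed before the restart.
hotfix_installed() {
    for lib in $HOTFIX_LIBS; do
        cmp -s "$1/$lib" "$2/$lib" 2>/dev/null || { echo "not installed: $lib" >&2; return 1; }
    done
}

# acl_drift LIVE_DIR OTHER_DIR
# Prints "<file> <status>" for each ACL file that exists in OTHER_DIR:
#   same             identical to the copy in LIVE_DIR
#   differs          both exist but the contents diverge
#   missing-in-live  exists only in OTHER_DIR
acl_drift() {
    for f in $ACL_FILES; do
        [ -f "$2/$f" ] || continue
        if [ ! -f "$1/$f" ]; then
            echo "$f missing-in-live"
        elif cmp -s "$1/$f" "$2/$f"; then
            echo "$f same"
        else
            echo "$f differs"
        fi
    done
}

# safe_to_restart STAGING_DIR RSCD_DIR [LIVE_ACL_DIR]
# Succeeds when the hotfix is in place and RSCD_DIR/conf holds no ACL copy
# that diverges from the live directory (default /etc/rsc, as in the post).
safe_to_restart() {
    hotfix_installed "$1" "$2/lib" || return 1
    drift=$(acl_drift "${3:-/etc/rsc}" "$2/conf" | grep -v ' same$' || true)
    [ -z "$drift" ] && return 0
    echo "ACL copies in $2/conf diverge from ${3:-/etc/rsc}:" >&2
    echo "$drift" >&2
    return 1
}
```

Called as `safe_to_restart "??TARGET.STAGING_DIR??" "??TARGET.RSCD_DIR??"` before the stop/start step, a non-zero exit lets the remediation job stop and report instead of restarting an agent that may then read a different set of ACL files.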