14 Replies Latest reply on Jul 6, 2016 6:46 AM by Bill Robinson

    Nessus reports vulnerability for CVE-2016-1543 on Windows RSCD Agents

    Yanick Girouard

      We use Nessus to scan for security vulnerabilities and our security team has flagged all of our Windows RSCD Agents with the following vulnerability:

       

      ---

      CVE: CVE-2016-1543
      IAVB: 2016-B-0062
      
      critical
      BMC Server Automation RSCD Agent ACL Bypass
      
      Description
      The remote BMC BladeLogic Server Automation (BSA) RSCD agent is affected by a security bypass vulnerability due to a failure to properly enforce the ACL. An unauthenticated, remote attacker can exploit this, by ignoring the response to the RemoteServer.info request, to bypass the ACL and execute XML-RPC commands.
      Solution
      Apply the BMC BladeLogic Server Automation compliance template available from the vendor to all affected RSCD agents.
      See Also
      http://www.nessus.org/u?7e61055b
      http://www.nessus.org/u?8412fa8e
      http://www.nessus.org/u?5d99b81e
      Output
      Nessus was able to execute the command "RemoteServer.getHostOverview" using the
      following request :
      
      https://10.10.10.20:4750/xmlrpc
      
      This produced the following truncated output (limited to 10 lines) :
      ------------------------------ snip ------------------------------
      
      agentEnvironmentSYSTEMROOT=C:\WindowsWINDIR=C:\WindowsagentInstallDir/C/Program Files/BMC Software/BladeLogic/RSCD/licensed1machinex86_64majorVersion8minorVersion5nodenamesnwmrpicodpx3patchVersion01platformVersion304processorx86_64release6.3repeater0subnetMask255.255.255.0sysnameWindowsNTversion9200
      

      ---

       

      According to your flash bulletin about CVE-2016-1543 (https://docs.bmc.com/docs/display/bsa87/Notification+of+critical+security+issue+in+BMC+Server+Automation) it only affects Linux/UNIX agents. If so, why is Nessus reporting the vulnerability for Windows agents as well? Is Nessus wrong, or should there indeed be a fix for Windows agents as well?

       

      I have opened case 00156041 for the above.
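
To answer the Windows-versus-Linux question across a whole scan, the captured `RemoteServer.getHostOverview` responses can be grouped by the `sysname` they report. The sketch below is an added example, not part of the original post or BMC/Nessus code. It assumes the response is an XML-RPC struct with the member names visible in the output above; the function names and every host except 10.10.10.20 are constructed.

```python
import xmlrpc.client
from collections import defaultdict
from xml.parsers.expat import ExpatError

def _sample(sysname, major, minor, patch):
    # Constructed response body; member names follow the fields in the scan output.
    body = {"sysname": sysname, "majorVersion": major, "minorVersion": minor,
            "patchVersion": patch, "machine": "x86_64"}
    return xmlrpc.client.dumps((body,), methodresponse=True)

# Constructed findings: (host, response body captured by the scanner).
FINDINGS = [
    ("10.10.10.20", _sample("WindowsNT", 8, 5, "01")),
    ("10.10.10.21", _sample("Linux", 8, 5, "01")),
    # Scanner output is truncated ("limited to 10 lines"), so XML may be cut off.
    ("10.10.10.22", _sample("WindowsNT", 8, 6, "00")[:120]),
]

def agent_facts(response_xml):
    """Return (sysname, agent version) or None when the capture cannot be parsed."""
    # Note: the stdlib XML-RPC parser is not hardened against hostile XML;
    # feed it only scan exports from a trusted source.
    try:
        (overview,), _ = xmlrpc.client.loads(response_xml)
    except (ExpatError, ValueError, xmlrpc.client.ResponseError,
            xmlrpc.client.Fault):
        return None
    if not isinstance(overview, dict):
        return None
    version = ".".join(str(overview.get(k, "?"))
                       for k in ("majorVersion", "minorVersion", "patchVersion"))
    return overview.get("sysname", "unknown"), version

def group_by_platform(findings):
    """Map platform name -> [(host, version)]; unparseable captures go to 'unparsed'."""
    groups = defaultdict(list)
    for host, response_xml in findings:
        facts = agent_facts(response_xml)
        if facts is None:
            groups["unparsed"].append((host, None))
        else:
            groups[facts[0]].append((host, facts[1]))
    return dict(groups)

if __name__ == "__main__":
    for platform, hosts in sorted(group_by_platform(FINDINGS).items()):
        print(platform, hosts)
```

Hosts that land under `unparsed` need their full plugin output pulled from the scan export before they can be assigned to a platform.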