CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
97.1%
The remote BMC BladeLogic Server Automation (BSA) RSCD agent is affected by a security bypass vulnerability due to a failure to properly enforce the ACL. An unauthenticated, remote attacker can exploit this, by ignoring the response to the RemoteServer.info request, to bypass the ACL and execute XML-RPC commands.
MITRE has assigned three different CVE identifiers to this vulnerability. CVE-2016-1542 and CVE-2016-1543 pertain to a variation where the exports file is bypassed, and CVE-2016-5063 concerns a variation where the users file is bypassed.
Note that CVE-2016-1542 and CVE-2016-1543 affect the Linux and Unix variants of RSCD, and CVE-2016-5063 affects the Windows variant.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(90998);
script_version("1.14");
script_cvs_date("Date: 2019/11/20");
script_cve_id("CVE-2016-1542", "CVE-2016-1543", "CVE-2016-5063");
script_name(english:"BMC Server Automation RSCD Agent ACL Bypass");
script_summary(english:"Bypasses ACL to execute XML-RPC commands.");
script_set_attribute(attribute:"synopsis", value:
"The BMC Server Automation RSCD agent running on the remote host is
affected by a security bypass vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote BMC BladeLogic Server Automation (BSA) RSCD agent is
affected by a security bypass vulnerability due to a failure to
properly enforce the ACL. An unauthenticated, remote attacker can
exploit this, by ignoring the response to the RemoteServer.info
request, to bypass the ACL and execute XML-RPC commands.
MITRE has assigned three different CVE identifiers to this
vulnerability. CVE-2016-1542 and CVE-2016-1543 pertain to a variation
where the exports file is bypassed, and CVE-2016-5063 concerns a
variation where the users file is bypassed.
Note that CVE-2016-1542 and CVE-2016-1543 affect the Linux and Unix
variants of RSCD, and CVE-2016-5063 affects the Windows variant.");
# https://docs.bmc.com/docs/ServerAutomation/87/release-notes-and-notices/flashes/notification-of-critical-security-issue-in-bmc-server-automation-cve-2016-1542-cve-2016-1543
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?674c058b");
# https://docs.bmc.com/docs/ServerAutomation/87/release-notes-and-notices/flashes/notification-of-windows-rscd-agent-vulnerability-in-bmc-server-automation-cve-2016-5063
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?668a5e7a");
# https://communities.bmc.com/community/bmcdn/bmc-devops/bmc_middleware_automation/blog/2016/03/02/bmc-server-automation-bsa-vulnerabilities-in-unixlinux-rscd-agent-cve-ids-cve-2016-1542-cve-2016-1543
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7e61055b");
# https://troopers.de/events/troopers16/648_one_tool_to_rule_them_all_-_and_what_can_it_lead_to/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?be481cfc");
# https://selfservice.bmc.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA214000000dBpnCAE&type=Solution
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5d99b81e");
script_set_attribute(attribute:"solution", value:
"The fix for the CVE-2016-1542 and CVE-2016-1543 issues is accomplished
by using a BMC Server Automation Compliance Template. Alternatively,
these issues can be mitigated by configuring a host-based firewall on
the affected system to only accept connections from the BSA
infrastructure systems. See the vendor advisory for more details.
The fix for the CVE-2016-5063 issue is accomplished by updating the
RSCD agent on the affected systems to version 8.7 P3 or 8.8, whichever
version is qualified to work with your Application Server.
Alternatively, it can be mitigated by configuring the exports file on
the affected system to only accept connections from the BSA
infrastructure systems. See the vendor advisory for more details.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5063");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'BMC Server Automation RSCD Agent NSH Remote Command Execution');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/02");
script_set_attribute(attribute:"patch_publication_date", value:"2016/02/26");
script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/10");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:bmc:bladelogic_server_automation_rscd_agent");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("bmc_rscd_detect.nbin");
script_require_ports(4750, "Services/bladelogic_rscd");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("x509_func.inc");
include("misc_func.inc");
include("byte_func.inc");
include("gunzip.inc");
include("bmc_rscd.inc");
appname = 'bladelogic_rscd';
port = get_service(svc:appname, default:4750, exit_on_fail:TRUE);
if(get_port_transport(port) != ENCAPS_IP) audit(AUDIT_LISTEN_NOT_VULN, appname, port);
if (!get_tcp_port_state(port)) audit(AUDIT_PORT_CLOSED, port, "tcp");
# Connect and send intro
soc = rscd_connect(type:"TLSRPC", port:port);
resp = send_xml_intro(soc:soc, port:port);
# If we are given access than we don't need to/can't bypass ACL
if (!isnull(resp))
{
close(soc);
exit(1, "RSCD's ACL does not exclude Nessus from issuing XML-RPC commands.");
}
payload = '<?xml version="1.0" encoding="UTF-8"?>\n' +
'<methodCall>\n' +
' <methodName>RemoteServer.getHostOverview</methodName>\n' +
'</methodCall>';
send_xmlrpc(payload:payload, soc:soc, port:port);
# The response will have compressed XML
resp = recv(socket:soc, length:1024);
close(soc);
if ("HTTP/1.1 200 OK" >!< resp) audit(AUDIT_INST_VER_NOT_VULN, appname);
decompressed = decompress_payload(resp:resp);
if ("agentInstallDir" >!< decompressed) audit(AUDIT_RESP_BAD, port);
security_report_v4(
port:port,
severity:SECURITY_WARNING,
request:make_list("https://" + get_host_ip() + ":" + port + "/xmlrpc"),
cmd:"RemoteServer.getHostOverview",
output:decompressed);
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
97.1%