Re: ZDI-07-020: BMC Performance Manager SNMP Command Execution Vulnerability




BMC has provided the following statement: "[This issue] has been
found not to be a security vulnerability; when properly configured
(as described for our customers in our documentation and in our
online knowledge base) this attack is not possible."

Anybody with some experience with BMC Patrol products knows that
security levels 1 to 4 are rarely used, because of the
configuration and management overhead.

Furthermore, level 0 (the default one) isn't imho the only security
level impacted by this vulnerability (which is an anonymous r/w
access to the SNMP configuration, including full paths to
binaries), given that level 1 uses anonymous SSL and that level 2
uses SSL with an unverified client certificate. Levels 1 and 2 will
just help an attacker to bypass your NIDS.

Interested people can have a look at the "Patrol Security User Guide"
(http://www.bmc.com/supportu/documents/73/44/17344/17344.pdf) for
additional details.

Conclusion: pconfig/xpconfig/wpconfig or any similar custom script
can be used to hack any default install of Patrol BMC but it "has
been found not to be a security vulnerability". How sad :-(

--
Rashbi
