Re: ZDI-07-020: BMC Performance Manager SNMP Command Execution Vulnerability
- From: <rashbi@xxxxxxxxxxxx>
- Date: Thu, 19 Apr 2007 15:59:25 +0200
BMC has provided the following statement: "[This issue] has been
found not to be a security vulnerability; when properly configured
(as described for our customers in our documentation and in our
online knowledge base) this attack is not possible."
Anybody with some experience on BMC Patrol products knows that
security levels 1 to 4 are rarely used, because of the
configuration and management overhead.
Furthermore, level 0 (the default one) isn't imho the only security
level impacted by this vulnerability (which is an anonymous r/w
access to the SNMP configuration, including full paths to
binaries), given that level 1 uses anonymous SSL and that level 2
uses SSL with unverified client certificate. Levels 1 and 2 will
just help an attacker to bypass your NIDS.
Interested people can have a look at the "Patrol Security User
Conclusion: pconfig/xpconfig/wpconfig or any similar custom script
can be used to hack any default install of Patrol BMC but it "has
been found not to be a security vulnerability". How sad :-(