usd-2019-0066 | Control-M/Agent
Advisory ID: usd-2019-0066
CVE Number: CVE-2019-19218
Affected Product: Control-M/Agent
Affected Version: 7.0.00.000
Vulnerability Type: Insecure Password Storage
Security Risk: Conditional*
Vendor URL: https://www.bmcsoftware.de/
Vendor Status: Fixed (according to vendor)
* We consider the vulnerability to be of conditional severity because the vendor explicitly recommends using TLS and the attacks only work when TLS is disabled. Nevertheless, as we encountered real-life configurations without TLS, we would like to highlight the increased criticality in the case of a customer misconfiguration.
Description
An Insecure Password Storage vulnerability was found in the communication between Control-M/Agent and Control-M/Server when using the TCP protocol and handling output with an unsupported action.
Fix
Apply more restrictive file permissions to files that store sensitive information.
Timeline
- 2019-10-29 Initial contact with appsec@bmc.com
- 2019-10-29 Submit additional findings to appsec@bmc.com
- 2019-12-17 Agreement on Coordinated Disclosure: Vendor schedules fix for 10th February 2020
- 2020-03-26 Vendor agrees to disclose advisories
- 2020-04-29 Security advisory released
Credits
This security vulnerability was found by Tobias Neitzel of usd AG.