usd-2019-0066 | Control-M/Agent


Advisory ID: usd-2019-0066
CVE Number: CVE-2019-19218
Affected Product: Control-M/Agent
Affected Version: 7.0.00.000
Vulnerability Type: Insecure Password Storage
Security Risk: Conditional*
Vendor URL: https://www.bmcsoftware.de/
Vendor Status: Fixed (according to vendor)

* We consider the vulnerability to be of conditional severity because the vendor explicitly recommends using TLS, and the attacks only work when TLS is disabled. Nevertheless, since we encountered real-life configurations without TLS, we want to highlight the increased severity in case of such a customer misconfiguration.


Description

An Insecure Password Storage vulnerability was found in the communication between Control-M/Agent and Control-M/Server when the plain TCP protocol (i.e. without TLS) is used and output is handled with an unsupported action.

Fix

Apply more restrictive file permissions to files that store sensitive information.
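As an added illustration of the fix above (this is not code from the advisory or from BMC), the following POSIX shell functions audit a directory for files that are readable by group or others and tighten them to owner-only access. The directory argument is hypothetical; the advisory does not state which Control-M files are affected, so the functions take any path.

```shell
#!/bin/sh
# Added example, not part of the usd AG advisory or the vendor's fix.
# Audits a directory tree for files whose mode grants read access to
# group or others, and restricts them to owner read/write (0600).
# The directory passed as $1 is a hypothetical input; the advisory does
# not name the affected files.

# Print every regular file under $1 that is readable by group (040)
# or others (004). Mode bits are checked, not effective access, so the
# result is the same whether or not this runs as root.
find_exposed_files() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print
}

# Restrict every exposed file under $1 to mode 0600 and print the number
# of files that were changed.
restrict_exposed_files() {
    count=$(find_exposed_files "$1" | wc -l | tr -d ' ')
    # -exec with {} + handles paths containing spaces safely.
    find "$1" -type f \( -perm -040 -o -perm -004 \) -exec chmod 0600 {} +
    echo "$count"
}
```

Run `find_exposed_files /path/to/dir` first to review what would change; run `restrict_exposed_files /path/to/dir` only after confirming that no listed file needs to stay group- or world-readable for the agent to function.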

Timeline

  • 2019-10-29 Initial contact with appsec@bmc.com
  • 2019-10-29 Additional findings submitted to appsec@bmc.com
  • 2019-12-17 Agreement on coordinated disclosure: vendor schedules fix for 10 February 2020
  • 2020-03-26 Vendor agrees to disclosure of the advisories
  • 2020-04-29 Security advisory released

Credits

This security vulnerability was found by Tobias Neitzel of usd AG.