usd-2019-0060 | Control-M/Agent


Advisory ID: usd-2019-0060
CVE Number: CVE-2019-19216
Affected Product: Control-M/Agent
Affected Version: 7.0.00.000
Vulnerability Type: Insecure File Copy
Security Risk: High (conditional)*
Vendor URL: https://www.bmcsoftware.de/
Vendor Status: Fixed (according to vendor)

* We do not consider the vulnerability to be of critical severity, as the vendor explicitly recommends using TLS and the attacks only work when TLS is disabled. Nevertheless, as we encountered real-life configurations without TLS, we would like to highlight the increased criticality in case of a customer misconfiguration.


Description

The Control-M agent can copy job log files into the home directory of the user who owns the job log being copied. The vendor recommends running the agent as a non-root user, which is the default configuration. Nevertheless, as we encountered real-life configurations with the agent running with root privileges, we would like to highlight that in this case root's home directory is affected, too.
As a result, any user with access to the Control-M/Agent may overwrite sensitive files with the privileges of the agent. If the agent is run with root privileges, a remote attacker may even place chosen commands in root's .bashrc that would be executed on the next login.

Fix

Copying files as a highly privileged user such as "root" under user-controlled conditions is always dangerous. At the very least, make sure that no existing files in the user's directories can be overwritten by log files when performing these actions.
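The mitigation the Fix section asks for, as an added example that is not Control-M's code: a hypothetical log-copy routine that accepts only a plain file name (so dotfiles such as .bashrc and traversal components are refused), creates the destination with O_EXCL so an existing file is never overwritten, refuses a symlink at the destination, and hands ownership to the job owner only afterwards. The `demo()` function runs it against constructed sample files in a temporary directory.

```python
import os
import shutil
import tempfile
from pathlib import Path, PurePosixPath

def safe_copy_joblog(src, home_dir, log_name, uid=None, gid=None):
    """Copy a job log into a user's home directory without ever overwriting.
    Hypothetical hardening, not the agent's real code: plain file name only
    (no '/', '..' or leading '.'), create with O_EXCL|O_NOFOLLOW, chown last.
    """
    name = PurePosixPath(log_name)
    if len(name.parts) != 1 or name.name in ("", ".", "..") or name.name.startswith("."):
        raise ValueError(f"refusing unsafe log name: {log_name!r}")
    home = Path(home_dir)
    if home.is_symlink() or not home.is_dir():
        raise ValueError(f"home directory is not a real directory: {home_dir}")
    dest = home / name.name
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    with open(src, "rb") as sf:
        fd = os.open(dest, flags, 0o600)   # FileExistsError if dest already exists
        try:
            with os.fdopen(fd, "wb") as df:
                shutil.copyfileobj(sf, df)
            if uid is not None and gid is not None:
                os.chown(dest, uid, gid)   # needs privilege; only after O_EXCL succeeded
        except BaseException:
            dest.unlink(missing_ok=True)
            raise
    return str(dest)

def demo():
    """Exercise the checks on constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp, "home", "jobowner")
        home.mkdir(parents=True)
        src = Path(tmp, "job42.log")
        src.write_text("job 42 finished rc=0\n")
        (home / "existing.log").write_text("keep me\n")
        results = {"copied": Path(safe_copy_joblog(src, home, "job42.log")).read_text()}
        for bad in (".bashrc", "../../root/.bashrc", "existing.log", "sub/x.log"):
            try:
                safe_copy_joblog(src, home, bad)
                results[bad] = "copied"
            except (ValueError, FileExistsError) as exc:
                results[bad] = type(exc).__name__
        results["existing_intact"] = (home / "existing.log").read_text() == "keep me\n"
    return results
```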

Timeline

  • 2019-10-29 Initial contact with appsec@bmc.com
  • 2019-10-29 Submit additional findings to appsec@bmc.com
  • 2019-12-17 Agreement on Coordinated Disclosure: Vendor schedules fix for 10th February 2020
  • 2020-03-26 Vendor agrees to disclose advisories
  • 2020-04-29 Security advisory released

Credits

This security vulnerability was found by Tobias Neitzel of usd AG.