usd-2019-0066 | Control-M/Agent
Advisory ID: usd-2019-0066
CVE Number: CVE-2019-19218
Affected Product: Control-M/Agent
Affected Version: 7.0.00.000
Vulnerability Type: Insecure Password Storage
Security Risk: Conditional*
Vendor URL: https://www.bmcsoftware.de/
Vendor Status: Fixed (according to vendor)
* We consider the vulnerability to be of conditional severity as the vendor explicitly recommends to use TLS and the attacks only work when TLS is disabled. Nevertheless, as we encountered real-life configurations without TLS, we would like to highlight the increased criticality in case of a customer misconfiguration.
An Insecure Password Storage vulnerability was found in the communication between Control-M/Agent and Control-M/Server when using the TCP protocol and handling output with an unsupported action.
Apply more restrictive file permissions to files that store sensitive information.
- 2019-10-29 Initial contact with email@example.com
- 2019-10-29 Submit additional findings to firstname.lastname@example.org
- 2019-12-17 Agreement on Coordinated Disclosure: Vendor schedules fix for 10th February 2020
- 2020-03-26 Vendor agrees to disclose advisories
- 2020-04-29 Security advisory released
This security vulnerability was found by Tobias Neitzel of usd AG.