BugTraq
BMC-2015-0010: User enumeration vulnerability in BMC Server Automation (BSA) Unix/Linux RSCD Agent (CVE-2016-1542) Mar 28 2016 03:58PM
appsec (appsec bmc com)
------------------------------------------------------------------------

User enumeration vulnerability in BMC Server Automation (BSA) Unix/Linux
RSCD Agent

BMC Identifier: BMC-2015-0010
CVE Identifier: CVE-2016-1542
------------------------------------------------------------------------

By BMC Application Security, MAR 2016

------------------------------------------------------------------------

Vulnerability summary
------------------------------------------------------------------------

A security vulnerability has been identified in BMC Server Automation (BSA)
RSCD Agent on the Linux/Unix platforms.
The vulnerability allows unauthorized remote user enumeration on a
target server by using the Remote Procedure Call (RPC) API of the
RSCD Agent. Windows agents are not affected.

------------------------------------------------------------------------

CVSS v2.0 Base Metrics
------------------------------------------------------------------------

Reference:
CVE-2016-1542

Base Vector:
CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Base Score:
5.0

------------------------------------------------------------------------

Affected versions
------------------------------------------------------------------------

The flaw has been confirmed to exist in the following versions of BSA on
Unix and Linux platforms: 8.2.x, 8.3.x, 8.5.x, 8.6.x and 8.7.x.

------------------------------------------------------------------------

Resolution
------------------------------------------------------------------------

A hotfix as well as a workaround are available at

https://selfservice.bmc.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA214000000dBpnCAE&type=Solution

------------------------------------------------------------------------

Credits
------------------------------------------------------------------------

Credit for discovery of this vulnerability:
ERNW GmbH, https://www.ernw.de

------------------------------------------------------------------------

Reference
------------------------------------------------------------------------

CVE-2016-1542

Information about BMC's corporate procedure for external vulnerability
disclosures is at http://www.bmc.com/security
