------------------------------------------------------------------------ User enumeration vulnerability in BMC Server Automation (BSA) Unix/Linux RSCD Agent BMC Identifier: BMC-2015-0010 CVE Identifier: CVE-2016-1542 ------------------------------------------------------------------------ By BMC Application Security, MAR 2016 ------------------------------------------------------------------------ Vulnerability summary ------------------------------------------------------------------------ A security vulnerability has been identified in BMC Server Automation (BSA) RSCD Agent on the Linux/Unix platforms. The vulnerability allows unauthorized remote user enumeration on a target server by using the Remote Procedure Call (RPC) API of the RSCD Agent. Windows agents are not affected. ------------------------------------------------------------------------ CVSS v2.0 Base Metrics ------------------------------------------------------------------------ Reference: CVE-2016-1542 Base Vector: CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:N/A:N) Base Score: 5.0 ------------------------------------------------------------------------ Affected versions ------------------------------------------------------------------------ The flaw has been confirmed to exist in the following versions of BSA on Unix and Linux platforms: 8.2.x, 8.3.x, 8.5.x, 8.6.x and 8.7.x. ------------------------------------------------------------------------ Resolution ------------------------------------------------------------------------ A hotfix as well as a workaround are available at https://selfservice.bmc.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA214000000dBpnCAE&type=Solution ------------------------------------------------------------------------ Credits ------------------------------------------------------------------------ Credit for discovery of this vulnerability: ERNW Gmbh https://www.ernw.de ------------------------------------------------------------------------ Reference ------------------------------------------------------------------------ CVE-2016-1542 Information about BMC's corporate procedure for external vulnerability disclosures is at http://www.bmc.com/security -----BEGIN PGP MESSAGE----- Version: GnuPG v2 owGtVl1oHFUU3tg2P6PTSCsRJdVbK20CyexPmyYuhDi7De3WJqY7yQbsT7g7c2f3 JjNzlzt3srs+qBEVpAaF9KG1rRQq+CBt1DwE2iqlfYgkFIwPTX/EnwcfVFChFQ0i eu9uNu3mxZe5DNy/c+855zvfOXfek9cF6ms+qfti9u6ffx2vWfglHUgtD460+9Rk achFFCDHsxGFDBMHjHuWw8dpbGFWBNgBsb440BAd53Kqx4hdFmuJaWorGHJwIXgA O15BlpJafA9QM8hhQJZkSRxLGHyGTYxoVFzTHgmFO9pDoXBIluKp3qptPhfbu9vD HbsisuSfg7FiyQM1l7OwXrZdQ7pHuXdtoE9NAqFVloCfOlNVGLqebUNa9FOBCtwV H9bEKwtdkEbIAbiCrfF/MayKHF9lWQRKIQ2K6IKcBZlJqO0qsjTIt6r1QcsieRd4 DvRYllD8MtdHkU0YAt5aZvEPcm0M0gxi3IGSOekiF8ROpqQ2WT45QImODI8iEOf3 g5bkQLwVqAMJQMyS2IMWK2AYO4awAYop7/gxhzAATRPpDBmKIKN/yMdTmgbGI0oI xKCLQB9iFOuunxqSyEQUOTqKNpTS5MG04HQWWlPcM0KjDaKtmrSyClrUVLQ/qMaj B4Kqx0fx6EAwIVai/a0Nq1doOqEoKksdSshfgNQV3AGPrsvD7is2goCmBfP3ea4T x8TU5voYAaiAXSb4LlhiEsFNQa2KJYI/nPKciLzuCW5DxyhT/T7Lo6BLiSiFNt7t LHcd5W63UpbvUjqVggL8BS2JXGJ5Ikv8rRJZwkzhpwvyiGcS7yHIEzoGKfG4LyJX 4DjEFkxbfMRKZTDLWM6NBoMuskyRpFhHStrWFZ3YQZ1Tx87YLOjqIy84JG8hI4NU yrBuoR7XNHRsdI+pkfCuUKkZsZwTV3u3s2IOdWsrHvoMXZwiAzNfWVa+khOIAgO7 OuH8KZZrD3ar61+UO9Ob7B8Ge+10FlSQy+fzCqJOXjGQ3zQxrzSXi4O/Na2qyHCf Eo5IhnLZhmniMfGC7HB5ttEc4eUcgdxqjRYwoQLjDkNrzesgSwI/i7hczgUcPMhK IK1gVGFV5S2TpbdrmtcHauoDtRseEr85Aanh0cq/T9dLdf++cphcSrzJzp0Zm5xI s6mzs0/WHazds3FdXLu2fzrW2TpyZ8utnfvu3B6b27Jj88XDZzctpvtPhqdS3jOP oKWnPzjxeduMlavdr+ZOF6f2usd7uhonj0z92uJcurl4caG9OXRqYunhzOjM9YFF +d559Y8Pr279/cqNT5/bMPHz819rP177qGfbhSPfzk7L67889lgx+dqFf64+fnf+ 2SU6417//oeYpo/ONi6MPhG+d3rw/e7GM3NH5wNNTbcuP3Vq6Kv5heHf+t6QzXNH xzdCuHXz3L5voHzys3cT59+aWT6UapuObO+9venvVyePHbz8ztxis/Zi04mb3x26 0bmta3no9frmn6yGwsfSfw== =0QUC -----END PGP MESSAGE-----