PT-2023-24780 · Bmc · Bmc Patrol
Guillaume Quéré
·
Published
2023-05-31
·
Updated
2025-01-08
·
CVE-2023-34258
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
BMC Patrol versions prior to 22.1.00
Description
An issue was discovered where the agent's configuration can be remotely queried, containing the Patrol account password encrypted with a default AES key. This account can then be used to achieve remote code execution.
Recommendations
For versions prior to 22.1.00, update to version 22.1.00 or later to resolve the issue. As a temporary workaround, consider restricting access to the agent's configuration to minimize the risk of exploitation.
Exploit
Fix
Missing Encryption of Sensitive Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Bmc Patrol