Bugtraq mailing list archives

Re: Patrol security bugs


From: Mike Crane <mcrane () bmc com>
Date: 7 May 2002 21:07:01 -0000

In-Reply-To: <370DDA89.31976841 () cf6 fr>

I'm trying to clean up old postings that were never 
responded to.  These answers should clarify BMC's positions 
on the posting.

1) Session password encryption weakness:

The Patrol session password is protected in a way which does not prevent replay attacks. It is possible for an attacker to capture (wire tapping, network sniffing...) an encrypted password and to provide it to the BMC API to connect to the agent. The attacker can then get a shell with the agent without the administrator knowing it.


Answer Summary
Issues are more prevalent if agent/console connections are made on the open Internet. While it is possible for customers to do this, it isn't recommended, because any vulnerability in the TCP/UDP traffic on those machines is then accessible from outside sources. However, these types of policy decisions are for customers to make.

BMC Software has provided customers options to deal with vulnerabilities of this sort. Options available are:
1. Use PATROL ACLs to restrict which clients can connect to an agent.
2. Use the Enhanced Security Interface (ESI) described in the Patrol API reference manual. BMC's enhanced host-to-host privacy using Public Key Infrastructure (PKI) encryption layers in both higher levels of encryption for data transmitted between PATROL components and the ability to authenticate the connections made between PATROL components.

Related BMC Work
BMC Support Case 204065

PATROL Agent for Windows NT Version 3.2.09 Technical Bulletin, "Alert for possible network layer and denial of service attacks", which can be found at http://www.bmc.com/supportu/documents/37/67/3767/100019317/index.htm.



2) Patrol frames sealing:

The algorithm used in Patrol for sealing the frames exchanged is fairly weak (enhanced checksum). It is thus quite easy for an attacker to build a spoofing system which sends faked frames to an agent.


Answer Summary
Issues are more prevalent if agent/console connections are made on the open Internet. While it is possible for customers to do this, it isn't recommended, because any vulnerability in the TCP/UDP traffic on those machines is then accessible from outside sources. However, these types of policy decisions are for customers to make.

A couple of options are available to reduce this vulnerability:
1. Use PATROL ACLs to restrict which clients can connect to an agent.
2. Use the Enhanced Security Interface (ESI) described in the Patrol API reference manual. BMC's enhanced host-to-host privacy using Public Key Infrastructure (PKI) encryption layers in both higher levels of encryption for data transmitted between PATROL components and the ability to authenticate the connections made between PATROL components.
3. Validate inbound packet source addresses (on a border router) against the addresses valid for your network.
4. Disable UDP and only use TCP for communication to an agent.
5. Segment your Patrol users behind a firewall to limit usage to the TCP ports.

Related BMC Work
PATROL Agent for Windows NT Version 3.2.09 Technical Bulletin, "Alert for possible network layer and denial of service attacks", which can be found at http://www.bmc.com/supportu/documents/37/67/3767/100019317/index.htm.

BMC Support Case 204065
BMC Support Case 333617

3) Denial of service on UDP port:

The UDP ports accept connection requests and are thus exposed to ping-pong from another UDP port (e.g. chargen).


Answer Summary
Issues are more prevalent if agent/console connections are made on the open Internet. While it is possible for customers to do this, it isn't recommended, because any vulnerability in the TCP/UDP traffic on those machines is then accessible from outside sources. However, these types of policy decisions are for customers to make.

Options available to reduce this vulnerability:
1. Use the Enhanced Security Interface (ESI) described in the Patrol API reference manual. BMC's enhanced host-to-host privacy using Public Key Infrastructure (PKI) encryption layers in both higher levels of encryption for data transmitted between PATROL components and the ability to authenticate the connections made between PATROL components.
2. Ensure the UDP diagnostic ports are disabled on your agents.
3. Validate inbound packet source addresses (on a border router) against the addresses valid for your network.
4. Disable UDP and only use TCP for communication to an agent.
5. Segment your Patrol users behind a firewall to limit usage to the UDP port.

Related BMC Work
BMC Support Case 238659


Regards, 
Mike Crane
BMC Security Architect

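The two protocol points raised in items 1 and 2 of the message above (a frame "seal" that is only a checksum, and an authentication exchange that can be replayed) are general ones, so here is an added example, written for this archive page and not taken from the original posting or from BMC's PATROL code. The frame layout, the CRC32 "enhanced checksum", the session key and the commands are all invented for illustration; nothing here reproduces the real PATROL wire format. It shows why an unkeyed checksum lets a sniffer forge frames, why a keyed MAC stops that, and why a keyed MAC alone still does not stop a verbatim replay unless the receiver also tracks freshness.

```python
"""Checksum seal vs. keyed MAC, and replay detection, on made-up agent frames.

Frame layout assumed here (hypothetical, not PATROL's):
    4-byte big-endian sequence number | command bytes | seal
"""
import hashlib
import hmac
import struct
import zlib
from typing import Callable, Dict, Optional, Tuple

SESSION_KEY = b"example-session-key"  # hypothetical per-session secret

Seal = Callable[[bytes], bytes]


def seal_checksum(payload: bytes) -> bytes:
    """Unkeyed 'enhanced checksum' seal: anyone on the wire can recompute it."""
    return struct.pack(">I", zlib.crc32(payload) & 0xFFFFFFFF)


def seal_hmac(payload: bytes, key: bytes = SESSION_KEY) -> bytes:
    """Keyed seal: only a holder of the session key can produce a valid tag."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def build_frame(seq: int, command: bytes, seal: Seal) -> bytes:
    payload = struct.pack(">I", seq) + command
    return payload + seal(payload)


def verify_frame(frame: bytes, seal: Seal, taglen: int) -> Optional[Tuple[int, bytes]]:
    """Return (seq, command) if the seal checks out, else None."""
    payload, tag = frame[:-taglen], frame[-taglen:]
    if not hmac.compare_digest(tag, seal(payload)):
        return None
    return struct.unpack(">I", payload[:4])[0], payload[4:]


def forge_with_checksum(frame: bytes, new_command: bytes) -> bytes:
    """Attacker: keep the sniffed seq, swap the command, recompute the CRC."""
    payload = frame[:4] + new_command
    return payload + seal_checksum(payload)


def forge_against_hmac(frame: bytes, new_command: bytes, taglen: int = 32) -> bytes:
    """Attacker without the key: best effort is to reuse the captured tag."""
    return frame[:4] + new_command + frame[-taglen:]


def bump_seq_with_checksum(frame: bytes) -> bytes:
    """Attacker defeats a sequence check when the seal is unkeyed: seq+1, new CRC."""
    seq = struct.unpack(">I", frame[:4])[0] + 1
    payload = struct.pack(">I", seq) + frame[4:-4]
    return payload + seal_checksum(payload)


class ReplayGuard:
    """Receiver-side freshness check: accept only strictly increasing seq."""

    def __init__(self) -> None:
        self.last_seq = -1

    def accept(self, seq: int) -> bool:
        if seq <= self.last_seq:
            return False
        self.last_seq = seq
        return True


def demo() -> Dict[str, bool]:
    results: Dict[str, bool] = {}
    login = b"LOGIN <captured encrypted password>"  # constructed sample

    # Item 2: checksum seal. A sniffed status frame is turned into a shell command.
    legit = build_frame(1, b"GET_STATUS", seal_checksum)
    forged = forge_with_checksum(legit, b"RUN shell")
    results["checksum_accepts_forgery"] = verify_frame(forged, seal_checksum, 4) is not None

    # Same attack against a keyed seal fails: the reused tag no longer matches.
    legit_h = build_frame(1, b"GET_STATUS", seal_hmac)
    forged_h = forge_against_hmac(legit_h, b"RUN shell")
    results["hmac_accepts_forgery"] = verify_frame(forged_h, seal_hmac, 32) is not None

    # Item 1: replay. A keyed seal still accepts the identical login frame twice.
    login_h = build_frame(7, login, seal_hmac)
    results["hmac_accepts_replay"] = all(
        verify_frame(login_h, seal_hmac, 32) is not None for _ in range(2))

    # Keyed seal plus a freshness check: the second, replayed copy is rejected.
    guard = ReplayGuard()
    outcomes = []
    for _ in range(2):
        v = verify_frame(login_h, seal_hmac, 32)
        outcomes.append(v is not None and guard.accept(v[0]))
    results["guard_first"], results["guard_replay"] = outcomes

    # Freshness check without a keyed seal is hollow: attacker just bumps seq.
    login_c = build_frame(7, login, seal_checksum)
    guard_c = ReplayGuard()
    guard_c.accept(verify_frame(login_c, seal_checksum, 4)[0])
    v = verify_frame(bump_seq_with_checksum(login_c), seal_checksum, 4)
    results["checksum_guard_bypassed"] = v is not None and guard_c.accept(v[0])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway matches the vendor's own pointer to ESI: integrity needs a key the attacker does not hold, and replay resistance needs receiver-side state (a counter, nonce or timestamp window) on top of that key. ACLs and firewalling, the other options listed, limit who can reach the port but do nothing against a peer that is already on the path and sniffing.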
