CVE-2016-1543

The RPC API in the RSCD agent in BMC BladeLogic Server Automation (BSA) 8.2.x, 8.3.x, 8.5.x, 8.6.x, and 8.7.x on Linux and UNIX allows remote attackers to bypass authorization and reset arbitrary user passwords by sending an action packet to xmlrpc after an authorization failure.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://packetstormsecurity.com/files/136462/BMC-Server-Automation-BSA-RSCD-Agent-Unauthorized-Password-Reset.html
http://www.securityfocus.com/archive/1/537910/100/0/threaded
https://selfservice.bmc.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA214000000dBpnCAE&type=Solution	Patch Vendor Advisory
https://www.exploit-db.com/exploits/43902/
https://www.exploit-db.com/exploits/43939/
https://www.insinuator.net/2016/03/bmc-bladelogic-cve-2016-1542-and-cve-2016-1543/

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:bmc:bladelogic_server_automation_console:8.2.02:::::::*
	cpe:2.3:a:bmc:bladelogic_server_automation_console:8.2.03:::::::*
	cpe:2.3:a:bmc:bladelogic_server_automation_console:8.2.04:::::::*
	cpe:2.3:a:bmc:bladelogic_server_automation_console:8.3.00:::::::*
	cpe:2.3:a:bmc:bladelogic_server_automation_console:8.3.01:::::::*
	cpe:2.3:a:bmc:bladelogic_server_automation_console:8.3.02:::::::*
	cpe:2.3:a:bmc:bladelogic_server_automation_console:8.3.03:::::::*
	cpe:2.3:a:bmc:bladelogic_server_automation_console:8.5.00:::::::*
	cpe:2.3:a:bmc:bladelogic_server_automation_console:8.5.01:::::::*
	cpe:2.3:a:bmc:bladelogic_server_automation_console:8.6.00:::::::*
	cpe:2.3:a:bmc:bladelogic_server_automation_console:8.7.00:::::::*

History

No history.

Information

Published : 2016-06-13 14:59

Updated : 2024-02-04 18:53

NVD link : CVE-2016-1543

Mitre link : CVE-2016-1543

CVE.ORG link : CVE-2016-1543

JSON object : View

Products Affected

bmc

bladelogic_server_automation_console

CWE

CWE-284

Improper Access Control

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2016-1543

7.5^/10

5.0^/10

Attach tags to `CVE-2016-1543`