APP: BMC Patrol Agent Privilege Escalation Cmd Execution
This signature detects attempts to exploit a known vulnerability against BMC Patrol Agent. A successful attack can lead to elevation of privilege and arbitrary code execution.
Extended Description
An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only verifies if the password provided for the given username is correct; it does not verify the permissions of the user on the network. This means if you have PATROL Agent installed on a high value target (domain controller), you can use a low privileged domain user to authenticate with PatrolCli and then connect to the domain controller and run commands as SYSTEM. This means any user on a domain can escalate to domain admin through PATROL Agent. NOTE: the vendor disputes this because they believe it is adequate to prevent this escalation by means of a custom, non-default configuration
Affected Products
Bmc patrol_agent
References
CVE: CVE-2018-20735
Short Name
APP:MISC:BMC-PATROL-AGENT-CE
Severity
Major
Recommended
False
Recommended Action
None
Category
APP
Keywords
Agent BMC CVE-2018-20735 Cmd Escalation Execution Patrol Privilege
Release Date
06/10/2021
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3650
Port
TCP/3181
False Positive
Unknown
Vendors
Bmc
CVSS Score
7.2