Report an incident
Back
  • About us
  • News
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Projects
n6 Artemis MWDB
CVD program
CVD policy Advisories

Vulnerabilities in BMC Control-M software
18 March 2024 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2024-1604
Publication date 18 March 2024
Vendor BMC
Product Control-M
Vulnerable versions from 9.0.20 before 9.0.20.238, from 9.0.21 before 9.0.21.201
Vulnerability type (CWE) Authorization Bypass Through User-Controlled Key (CWE-639)
Report source Report to CERT Polska
CVE ID CVE-2024-1605
Publication date 18 March 2024
Vendor BMC
Product Control-M
Vulnerable versions from 9.0.20 before 9.0.20.238, from 9.0.21 before 9.0.21.201
Vulnerability type (CWE) Incorrect Default Permissions (CWE-276)
Report source Report to CERT Polska
CVE ID CVE-2024-1606
Publication date 18 March 2024
Vendor BMC
Product Control-M
Vulnerable versions from 9.0.20 before 9.0.20.238, from 9.0.21 before 9.0.21.200
Vulnerability type (CWE) Improper Neutralization of Script-Related HTML Tags in a Web Page (CWE-80)
Report source Report to CERT Polska

Description

CERT Polska has received a report about vulnerabilities in BMC Control-M software and participated in coordination of their disclosure.

The vulnerability CVE-2024-1604 is an improper authorization in the report management and creation module. It allows logged-in users to make unauthorized changes to any reports available within the application, even without proper permissions. The attacker must know the unique identifier of the report they want to manipulate.

The vulnerability CVE-2024-1605 is DLL side-loading. The application is loading upon user login all Dynamic Link Libraries (DLL) from a directory that grants Write and Read permissions to all users. Leveraging it leads to loading of a potentially malicious libraries, which will execute with the application's privileges.

The vulnerability CVE-2024-1606 allows for manipulation of generated web pages via injection of HTML code. This might lead to a successful phishing attack for example by tricking users into using a hyperlink pointing to a website controlled by an attacker.

The vendor has removed vulnerabilities in the versions mentioned as "before" in the table above.

Credits

We thank Maksymilian Kubiak and Dawid Małecki from the AFINE team for the responsible vulnerability report.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.