CVE-2019-8352

By default, BMC PATROL Agent through 11.3.01 uses a static encryption key for encrypting/decrypting user credentials sent over the network to managed PATROL Agent services. If an attacker were able to capture this network traffic, they could decrypt these credentials and use them to execute code or escalate privileges on the network.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://www.securifera.com/advisories/CVE-2019-8352/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:bmc:patrol_agent:*:*:*:*:*:*:*:*

History

30 Mar 2022, 18:58

Type	Values Removed	Values Added
CWE	~~CWE-310~~	CWE-798

Information

Published : 2019-05-20 19:29

Updated : 2023-12-10 12:59

NVD link : CVE-2019-8352

Mitre link : CVE-2019-8352

CVE.ORG link : CVE-2019-8352

JSON object : View

Products Affected

bmc

patrol_agent

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2019-8352", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-05-20T19:29:00.393", "references": [{"url": "https://www.securifera.com/advisories/CVE-2019-8352/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "By default, BMC PATROL Agent through 11.3.01 uses a static encryption key for encrypting/decrypting user credentials sent over the network to managed PATROL Agent services. If an attacker were able to capture this network traffic, they could decrypt these credentials and use them to execute code or escalate privileges on the network."}, {"lang": "es", "value": "Por defecto, BMC PATROL Agent hasta el 11.3.01 usa una Clave de Cifrado est\u00e1tica para cifrar / descifrar las credenciales de usuario enviadas a trav\u00e9s de la red a los servicios administrados de PATROL Agent. Si un atacante pudiera capturar este tr\u00e1fico de red, podr\u00eda descifrar estas credenciales y usarlas para ejecutar c\u00f3digo o escalar privilegios en la red."}], "lastModified": "2022-03-30T18:58:44.980", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bmc:patrol_agent:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5661BC21-383F-44E8-AEA6-F7A723545D08", "versionEndIncluding": "11.3.01"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}