CVE-2018-20735

BMC Patrol Agent - Privilege Escalation Code Execution Execution

Severity Score

7.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only verifies if the password provided for the given username is correct; it does not verify the permissions of the user on the network. This means if you have PATROL Agent installed on a high value target (domain controller), you can use a low privileged domain user to authenticate with PatrolCli and then connect to the domain controller and run commands as SYSTEM. This means any user on a domain can escalate to domain admin through PATROL Agent. NOTE: the vendor disputes this because they believe it is adequate to prevent this escalation by means of a custom, non-default configuration

** EN DISPUTA ** Se ha encontrado un problema con el agente BMC PATROL hasta la versión 11.3.01. Se ha detectado que la aplicación PatrolCli puede permitir el movimiento lateral y el escalado de privilegios dentro de un entorno de Windows Active Directory. Se ha descubierto que, por defecto, la aplicación PatroCli / Patrol Agent solo verifica si la contraseña introducida para el nombre de usuario proporcionado es correcto; no verifica los permisos del usuario en la red. Esto significa que, si tenemos PATROL Agent instalado en un objetivo de alto valor (controlador de dominio), podemos utilizar un usuario de dominio con privilegios bajos con PatrolCli y luego conectarnos al controlador de dominio y ejecutar comandos como SYSTEM. Esto significa que cualquier usuario en un dominio puede escalar a "domain admin" mediante PATROL Agent. NOTA: el proveedor disputa este mensaje, ya que estima que es adecuado para prevenir este escalado, por medio de una configuración personalizada no por defecto.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2019-01-17 CVE Reserved
2019-01-17 CVE Published
2024-08-05 CVE Updated
2024-08-05 First Exploit
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-287: Improper Authentication

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC
https://www.exploit-db.com/exploits/46556	2024-08-05
https://www.securifera.com/blog/2018/12/17/bmc-patrol-agent-domain-user-to-domain-admin	2024-08-05

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Bmc Search vendor "Bmc"		Patrol Agent Search vendor "Bmc" for product "Patrol Agent"				<= 11.3.01 Search vendor "Bmc" for product "Patrol Agent" and version " <= 11.3.01"		-		Affected