BMC Control-M/Agent Unauthenticated Remote Code Execution Vulnerability

Vulnerability

A vulnerability in BMC Control-M/Agent for UNIX/Linux and Windows, in versions through 9.0.22, allows for unauthenticated remote code execution, arbitrary file read and write, and similar unauthorized actions. This vulnerability arises when mutual SSL/TLS authentication is not enabled, leaving the agent exposed in its default configuration. The issue is exacerbated by certain non-default, undocumented configuration settings that can disable essential security features.

Impact

Exploitation of this vulnerability could lead to unauthorized remote code execution on the affected system.

Remediation

To address this vulnerability, BMC recommends upgrading Control-M/Agents to version 9.0.21.xxx or 9.0.22. After upgrading, ensure that SSL/TLS is implemented on all agents according to best practices. For agents currently in TCP mode, refer to BMC Knowledge Article 000442271 for guidance on transitioning to SSL/TLS. If the Automation API cannot be used, certificates must be installed manually on each agent.

Added: Nov 5, 2025, 9:19 AM
Updated: Nov 5, 2025, 9:19 AM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 7.5
exploitability: 7.0
remediation: 7.9
relevance: 0.9
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.