BMC Control-M/Agent Insecure Default SSL/TLS File Permissions Vulnerability

Vulnerability

BMC Control-M/Agent for Unix/Linux versions 9.0.18 through 9.0.20, and potentially earlier unsupported versions, install certain SSL/TLS-related files with overly permissive file permissions. Newer versions that were upgraded in place from an affected version are also affected, which is why upgrading alone is not sufficient remediation. Because the affected files are readable by more than the Agent's own account, any local user on the host running the Agent can read the private keys, keystore passwords and policy files that protect the Agent's SSL/TLS communication. No privilege beyond local access is required.

Impact

A local attacker who reads these files obtains the Agent's SSL/TLS private keys and the passwords protecting its keystore. With that material the attacker can establish unauthorized communication with Control-M components in the Agent's name or intercept and decrypt the Agent's traffic, undermining the confidentiality and authenticity that SSL/TLS was enabled to provide.

Remediation

To address this vulnerability, upgrade to a fully supported version of Control-M/Agent. On Unix/Linux Agents with SSL/TLS enabled, also run the permission check script provided by BMC; if the check reports any files with insecure permissions, run the script again with its force option to correct them, then re-run the check to confirm nothing is left. Step-by-step instructions are in the BMC Knowledge Articles referenced in the CVE details. Note that correcting permissions does not undo prior exposure: if untrusted local users had access to the host while the files were readable, treat the affected keys and passwords as compromised and rotate them.
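The following is an added example, not BMC's check script, showing the general shape of the check-then-force procedure described above on a generic directory of TLS material. It assumes the Agent home is passed as an argument and that key material can be recognised by file name (*.pem, *.key, *.jks, *.p12, *.pfx, or names containing "keystore" or "password"); BMC's actual file names, paths and script differ.

```shell
#!/bin/sh
# Added example, not BMC's script: audit TLS/keystore files under an Agent
# home for group/other-readable permissions, and optionally tighten them.
# Assumptions: the Agent home is passed as an argument; key material is
# identified by file name (*.pem, *.key, *.jks, *.p12, *.pfx, names containing
# "keystore" or "password"). BMC's real file names and paths may differ.

# audit_tls_perms DIR
#   Prints every matching file that has any group or other permission bit
#   set. Returns 1 if at least one such file exists, 0 if all are owner-only.
audit_tls_perms() {
    dir="$1"
    # -perm /077 matches files with any of rwx set for group or other
    # (GNU find syntax; BSD find spells the same test -perm +077).
    offenders=$(find "$dir" -type f \
        \( -name '*.pem' -o -name '*.key' -o -name '*.jks' \
           -o -name '*.p12' -o -name '*.pfx' \
           -o -iname '*keystore*' -o -iname '*password*' \) \
        -perm /077 2>/dev/null)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# fix_tls_perms DIR
#   The "force" step: chmod 600 each offending file (owner read/write only,
#   as for a private key), then re-audit. Returns 0 only when no offender
#   remains, so a caller can tell whether the fix actually took.
fix_tls_perms() {
    dir="$1"
    audit_tls_perms "$dir" | while IFS= read -r f; do
        [ -n "$f" ] || continue
        chmod 600 "$f" && printf 'fixed: %s\n' "$f"
    done
    audit_tls_perms "$dir" >/dev/null
}

main() {
    if [ "$1" = "--force" ]; then
        fix_tls_perms "$2"
    else
        audit_tls_perms "$1"
    fi
}

# Usage: sh tls_perm_check.sh [--force] /path/to/ctm/agent
# Without --force the script only reports; exit status 1 means offenders exist.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The audit deliberately matches on any group/other bit rather than only world-readable files: a keystore password readable by a shared group such as the one a generic service account belongs to is still exposed to users who are not the Agent. Run the audit both before and after the fix; a fix that reports success but leaves offenders (for example, files on a read-only mount) is exactly the case the final re-audit catches.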

Added: Sep 16, 2025, 3:20 PM
Updated: Sep 16, 2025, 3:20 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 2.5
exploitability: 3.5
remediation: 8.3
relevance: 0.5
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.