BMC Control-M/Agent Hardcoded Blowfish Keys Vulnerability Allowing Traffic Decryption

Vulnerability

A vulnerability exists in out-of-support BMC Control-M/Agent versions 9.0.18 to 9.0.20 (and potentially earlier unsupported versions) when they are configured to use the non-default Blowfish encryption algorithm. In these versions the Blowfish key is hardcoded in the product rather than generated per installation, so the same key protects every affected deployment. An attacker who has recovered that key and can capture the network traffic could decrypt communications between the Control-M/Agent and the Control-M Server.

Impact

Exploitation of this vulnerability could lead to unauthorized decryption of network traffic, exposing potentially sensitive information exchanged between the Control-M/Agent and the Control-M Server. The attacker needs only a position from which to capture the Agent/Server traffic; with the static key in hand the decryption is performed offline, so it leaves no trace on either host and also applies to traffic recorded before the key was known.

Remediation

Users are advised to upgrade to a fully supported version of Control-M/Agent. Where an immediate upgrade is not possible, the interim mitigation is to convert the Agent's encryption from Blowfish to AES by following BMC's procedure: check for the existence of the local.key file, shut down the Agent, run the command that converts the encryption, and then restart the Agent. Note that the conversion protects only future traffic; anything captured while Blowfish was in use remains decryptable by whoever holds the hardcoded key.
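The two questions a practitioner has to answer from the Vulnerability and Remediation paragraphs above are which agents fall in the affected range and which of them are actually running Blowfish, since AES agents are out of scope. The following triage script is an added example, not BMC code and not BMC's conversion procedure. It assumes an inventory already exported as (host, agent version, cipher) records; the host names, versions and cipher values in SAMPLE_INVENTORY are constructed, and how the cipher setting is read from a given agent is deployment-specific and not shown. The version parser compares numerically on the first three components so that fix-pack suffixes such as 9.0.20.200 still count as a 9.0.20 agent and so that string comparison pitfalls (for example "9.0.2" sorting after "9.0.18") cannot produce a false "not affected".

```python
"""Fleet triage for the Control-M/Agent hardcoded-Blowfish advisory.

Added example, not BMC code. Assumes an inventory of (host, version, cipher)
records; obtaining the cipher setting from an agent is not shown here.
"""
from dataclasses import dataclass

# Affected range stated by the advisory, inclusive. Only the first three
# components are compared, so 9.0.20.200 is treated as a 9.0.20 agent.
AFFECTED_MIN = (9, 0, 18)
AFFECTED_MAX = (9, 0, 20)


@dataclass(frozen=True)
class Finding:
    host: str
    version: str
    cipher: str
    status: str   # affected | possibly_affected | not_affected
    action: str


def parse_version(version: str) -> tuple:
    """'9.0.20.200' -> (9, 0, 20). Numeric tuples compare correctly where strings do not."""
    parts = []
    for piece in version.strip().split(".")[:3]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            raise ValueError(f"cannot parse version component {piece!r} in {version!r}")
        parts.append(int(digits))
    if len(parts) < 3:
        raise ValueError(f"expected major.minor.patch in {version!r}")
    return tuple(parts)


def triage(host: str, version: str, cipher: str) -> Finding:
    """Classify one agent. Blowfish is non-default; agents on AES are out of scope."""
    if cipher.strip().upper() != "BLOWFISH":
        return Finding(host, version, cipher, "not_affected",
                       "none: agent is not using Blowfish")
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return Finding(host, version, cipher, "affected",
                       "upgrade to a supported Control-M/Agent; interim: convert Blowfish to AES")
    if v < AFFECTED_MIN:
        # The advisory says earlier unsupported versions are "potentially" affected.
        return Finding(host, version, cipher, "possibly_affected",
                       "unsupported pre-9.0.18 agent on Blowfish: upgrade; interim: convert to AES")
    return Finding(host, version, cipher, "not_affected",
                   "version above the advisory range; confirm against vendor guidance")


def triage_inventory(rows) -> list:
    """Run triage over (host, version, cipher) tuples, worst findings first."""
    order = {"affected": 0, "possibly_affected": 1, "not_affected": 2}
    return sorted((triage(*row) for row in rows), key=lambda f: order[f.status])


# Constructed sample inventory; not real hosts.
SAMPLE_INVENTORY = [
    ("batch-01", "9.0.20.200", "BLOWFISH"),
    ("batch-02", "9.0.19", "aes"),
    ("batch-03", "9.0.00", "BLOWFISH"),
    ("batch-04", "9.0.21", "BLOWFISH"),
]

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY):
        print(f"{f.host:10} {f.version:12} {f.cipher:9} {f.status:18} {f.action}")
```

The script deliberately refuses to guess when a version string cannot be parsed rather than silently marking the host clean; in a fleet export, an unparseable version is usually an agent nobody has looked at recently, which is exactly the one to check by hand.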

Added: Sep 16, 2025, 3:18 PM
Updated: Sep 16, 2025, 3:18 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 0.8
exploitability: 5.9
remediation: 7.7
relevance: 0.5
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.