BMC FootPrints ITSM Authentication Bypass Vulnerability Allowing Pre-Authenticated Remote Code Execution
Vulnerability
An authentication bypass vulnerability has been identified in BMC FootPrints ITSM versions 20.20.02 prior to 20.24.01.001. The vulnerability arises from improper enforcement of security filters on restricted REST API endpoints and servlets, allowing unauthenticated remote attackers to bypass access controls. Exploitation can invoke restricted functionality, leading to unauthorized access to application data and modification of system resources. Notably, this vulnerability has been chained with a deserialization flaw to achieve remote code execution.
Impact
Exploitation of this vulnerability allows for authentication bypass, enabling unauthorized access to restricted functionalities and data within the application. When combined with a deserialization vulnerability, it leads to remote code execution on the server.
Reproduction
The vulnerability can be reproduced by sending a request to the '/passwordreset/request/' endpoint without authentication. This request will receive a 'SEC_TOKEN' cookie in response. This token can then be used to access restricted endpoints that require authentication, effectively bypassing the authentication controls.
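The detection angle that follows from the description above is that a SEC_TOKEN issued by the unauthenticated password-reset endpoint should never turn up on requests outside the reset flow. The script below is an added example, not part of this advisory and not BMC code: it correlates a constructed reverse-proxy style log (one that records the Cookie request header and the Set-Cookie response header, which default access logs do not) and flags any request that presents a reset-issued SEC_TOKEN against a path outside /passwordreset/. The log format, the /login path as the only legitimate token issuer, and the /rest/v1/... and /passwordreset/confirm/ paths are all assumptions for the sample.

```python
import re
from collections import namedtuple

# Constructed sample log (not real FootPrints output): a reverse-proxy style
# format that records the request Cookie header and any Set-Cookie response
# header. Fields: time client method path status "cookie" "set-cookie".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 POST /passwordreset/request/ 200 "-" "SEC_TOKEN=abc123; Path=/"
2024-05-01T10:00:03Z 203.0.113.7 GET /rest/v1/tickets 200 "SEC_TOKEN=abc123" "-"
2024-05-01T10:00:04Z 203.0.113.7 POST /rest/v1/admin/users 200 "SEC_TOKEN=abc123" "-"
2024-05-01T10:05:00Z 198.51.100.9 POST /login 302 "-" "SEC_TOKEN=def456; Path=/"
2024-05-01T10:05:02Z 198.51.100.9 GET /rest/v1/tickets 200 "SEC_TOKEN=def456" "-"
2024-05-01T10:06:00Z 192.0.2.4 POST /passwordreset/request/ 200 "-" "SEC_TOKEN=ghi789; Path=/"
2024-05-01T10:06:01Z 192.0.2.4 GET /passwordreset/confirm/ 200 "SEC_TOKEN=ghi789" "-"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)" "([^"]*)"$')
TOKEN_RE = re.compile(r'(?:^|;\s*)SEC_TOKEN=([^;\s]+)')

Entry = namedtuple("Entry", "time client method path status cookie set_cookie")

# Assumptions (not from the advisory): the reset flow lives under /passwordreset/,
# and /login is the only endpoint that issues a SEC_TOKEN to an authenticated user.
RESET_PREFIX = "/passwordreset/"
LOGIN_PATHS = {"/login"}


def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(*m.groups()))
    return entries


def sec_token(header):
    """Return the SEC_TOKEN value from a Cookie or Set-Cookie header, or None."""
    m = TOKEN_RE.search(header)
    return m.group(1) if m else None


def find_reset_token_reuse(text):
    """Flag requests that present a SEC_TOKEN issued by the password-reset
    endpoint against any path outside the reset flow.

    Tokens issued by a real login are remembered and never flagged.
    """
    reset_tokens = {}    # token -> (client, time) of the reset request that issued it
    login_tokens = set()
    alerts = []
    for e in parse_log(text):
        issued = sec_token(e.set_cookie)
        if issued:
            if e.path.startswith(RESET_PREFIX):
                reset_tokens[issued] = (e.client, e.time)
            elif e.path in LOGIN_PATHS:
                login_tokens.add(issued)
        presented = sec_token(e.cookie)
        if (presented in reset_tokens and presented not in login_tokens
                and not e.path.startswith(RESET_PREFIX)):
            origin_client, origin_time = reset_tokens[presented]
            alerts.append({
                "time": e.time, "client": e.client, "method": e.method,
                "path": e.path, "token": presented,
                "issued_to": origin_client, "issued_at": origin_time,
            })
    return alerts


if __name__ == "__main__":
    for a in find_reset_token_reuse(SAMPLE_LOG):
        print(f'{a["time"]} {a["client"]} {a["method"]} {a["path"]} '
              f'reused reset token {a["token"]} issued at {a["issued_at"]}')
```

On the sample, the two requests from 203.0.113.7 to /rest/v1/... are flagged, the login-issued token from 198.51.100.9 is not, and the reset-issued token used only within /passwordreset/ is not. In production the same correlation needs a proxy or WAF configured to log cookie values (or the application's own session log), and the allowlist of token-issuing endpoints should be taken from the deployed version rather than assumed.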
Remediation
Users can upgrade to BMC FootPrints ITSM versions 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, or 20.24.01 to address this vulnerability.
