In-Reply-To: <370DDA89.31976841@cf6.fr>

I'm trying to clean up old postings that were never responded to. These answers should clarify BMC's positions on the posting.

>> 1) Session password encryption weakness:
>>
>> The Patrol session password is protected in a way which does not prevent
>> replay attacks. It is possible for an attacker to capture (wire tapping,
>> network sniffing...) an encrypted password and to provide it to the BMC
>> API to connect to the agent. The attacker can then get a shell with the
>> agent without the administrator knowing it.

Answer Summary

Issues are more prevalent if agent/console connections are made on the open Internet. While it is possible for customers to do this, it isn’t recommended because any vulnerability from TCP/UDP traffic on machines is accessible from outside sources. However, these types of policy decisions are for customers to make.

BMC Software has provided customers options to deal with vulnerabilities of this sort. Options available are:

1. Use PATROL ACLs to reduce which clients can connect to an agent.
2. Use the Enhanced Security Interface (ESI) described in the Patrol API reference manual. BMC’s enhanced host-to-host privacy using Public Key Infrastructure (PKI) encryption layers provides both higher levels of encryption for data that is transmitted between PATROL components and the ability to authenticate the connections that are made between PATROL components.

Related BMC Work

BMC Support Case 204065
PATROL Agent for Windows NT Version 3.2.09 Technical Bulletin, “Alert for possible network layer and denial of service attacks”, that can be found at http://www.bmc.com/supportu/documents/37/67/3767/100019317/index.htm.

>> 2) Patrol frames sealing:
>>
>> The algorithm used in Patrol for sealing the frames exchanged is fairly
>> weak (enhanced checksum). It is thus quite easy for an attacker to build a
>> spoofing system which sends faked frames to an agent.

Answer Summary

Issues are more prevalent if agent/console connections are made on the open Internet. While it is possible for customers to do this, it isn’t recommended because any vulnerability from TCP/UDP traffic on machines is accessible from outside sources. However, these types of policy decisions are for customers to make.

A couple of options are available to reduce this vulnerability:

1. Use PATROL ACLs to reduce which clients can connect to an agent.
2. Use the Enhanced Security Interface (ESI) described in the Patrol API reference manual. BMC’s enhanced host-to-host privacy using Public Key Infrastructure (PKI) encryption layers provides both higher levels of encryption for data that is transmitted between PATROL components and the ability to authenticate the connections that are made between PATROL components.
3. Validate inbound packet addresses (on a border router) against the addresses that are valid for your network.
4. Disable UDP and only use TCP for communication to an agent.
5. Segment your Patrol users behind a firewall to limit usage to the TCP ports.

Related BMC Work

PATROL Agent for Windows NT Version 3.2.09 Technical Bulletin, “Alert for possible network layer and denial of service attacks”, that can be found at http://www.bmc.com/supportu/documents/37/67/3767/100019317/index.htm.
BMC Support Case 204065
BMC Support Case 333617

>> 3) Denial of service on UDP port:
>>
>> The UDP ports accept connection requests and are thus exposed to
>> ping-pong from another UDP port (e.g. chargen).

Answer Summary

Issues are more prevalent if agent/console connections are made on the open Internet. While it is possible for customers to do this, it isn’t recommended because any vulnerability from TCP/UDP traffic on machines is accessible from outside sources. However, these types of policy decisions are for customers to make.

Options available to reduce this vulnerability:

1. Use the Enhanced Security Interface (ESI) described in the Patrol API reference manual. BMC’s enhanced host-to-host privacy using Public Key Infrastructure (PKI) encryption layers provides both higher levels of encryption for data that is transmitted between PATROL components and the ability to authenticate the connections that are made between PATROL components.
2. Ensure your UDP diagnostic ports are disabled on your agents.
3. Validate inbound packet addresses (on a border router) against the addresses that are valid for your network.
4. Disable UDP and only use TCP for communication to an agent.
5. Segment your Patrol users behind a firewall to limit usage to the UDP port.

Related BMC Work

BMC Support Case 238659

Regards,

Mike Crane
BMC Security Architect