CVE-2016-1542

EUVD-2016-2637
The RPC API in RSCD agent in BMC BladeLogic Server Automation (BSA) 8.2.x, 8.3.x, 8.5.x, 8.6.x, and 8.7.x on Linux and UNIX allows remote attackers to bypass authorization and enumerate users by sending an action packet to xmlrpc after an authorization failure.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
EPSS Score percentile: 98%
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| bmc | bladelogic_server_automation_console | 8.2.02 |
| bmc | bladelogic_server_automation_console | 8.2.03 |
| bmc | bladelogic_server_automation_console | 8.2.04 |
| bmc | bladelogic_server_automation_console | 8.3.00 |
| bmc | bladelogic_server_automation_console | 8.3.01 |
| bmc | bladelogic_server_automation_console | 8.3.02 |
| bmc | bladelogic_server_automation_console | 8.3.03 |
| bmc | bladelogic_server_automation_console | 8.5.00 |
| bmc | bladelogic_server_automation_console | 8.5.01 |
| bmc | bladelogic_server_automation_console | 8.6.00 |
| bmc | bladelogic_server_automation_console | 8.7.00 |