CVE-2017-17677

8.8 HIGH

📋 TL;DR

CVE-2017-17677 allows authenticated users with report creation privileges in BMC Remedy to execute arbitrary code through BIRT templates. This affects organizations using vulnerable versions of BMC Remedy where users have been granted report creation rights. The vulnerability enables privilege escalation from authenticated user to full system compromise.

💻 Affected Systems

Products:
  • BMC Remedy AR System
Versions: 9.1 Service Pack 3 (specific builds before fixes)
Operating Systems: Windows, Linux, Unix (platforms supported by BMC Remedy)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated users with 'Create Report' or similar permissions. Not all users can exploit by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover, data exfiltration, lateral movement across the network, and persistent backdoor installation.

🟠 Likely Case

Privilege escalation leading to unauthorized access to sensitive data, configuration changes, and potential credential theft.

🟢 If Mitigated

Limited impact due to strict access controls, network segmentation, and monitoring preventing successful exploitation.

🌐 Internet-Facing: HIGH if the BMC Remedy interface is exposed to the internet, as authenticated users could exploit it remotely.
🏢 Internal Only: HIGH due to authenticated users with report privileges being able to execute code from within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access and report creation privileges. Public disclosure includes technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.1 SP3 with specific hotfixes (check vendor advisory for exact versions)

Vendor Advisory: https://docs.bmc.com/docs/ars91/en/9-1-00-fixes-available-for-remedy-ar-system-security-vulnerabilities-800555806.html

Restart Required: Yes

Instructions:

1. Review BMC advisory for specific patch versions.
2. Apply the recommended hotfix from BMC.
3. Restart BMC Remedy services.
4. Verify the fix by testing report creation functionality.

🔧 Temporary Workarounds

Restrict Report Creation Permissions

all

Temporarily remove or restrict 'Create Report' permissions from non-essential users.

Use BMC Remedy administration console to modify user/group permissions for report creation

Network Segmentation

all

Isolate BMC Remedy servers from critical systems to limit lateral movement.

Configure firewall rules to restrict BMC Remedy server network access

🧯 If You Can't Patch

  • Implement strict access controls: Only grant report creation permissions to absolutely necessary users.
  • Enable detailed logging and monitoring for report creation activities and unusual system behavior.

🔍 How to Verify

Check if Vulnerable:

Check BMC Remedy version against vulnerable versions listed in the vendor advisory. Review user permissions for report creation rights.

Check Version:

Check BMC Remedy administration console or server logs for version information specific to your installation.

Verify Fix Applied:

Verify the installed patch version matches the fixed version in the advisory. Test report creation functionality to ensure it no longer allows code execution.

📡 Detection & Monitoring

Log Indicators:

  • Unusual report creation activities, unexpected BIRT template modifications, system command execution in logs

Network Indicators:

  • Suspicious outbound connections from BMC Remedy servers, unusual traffic patterns

SIEM Query:

source="BMC Remedy" AND (event="Report Created" OR event="Template Modified") AND user NOT IN ["authorized_users"]
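
One way to watch for the "unexpected BIRT template modifications" indicator above, as an added example that is not part of the original advisory or BMC's tooling: it compares template hashes against an approved baseline and lists the embedded script handlers in anything new or changed, so a reviewer knows where to look first. It assumes templates are available as standard BIRT `.rptdesign` XML; the file names, baseline and sample templates are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

# Assumption: templates are standard BIRT .rptdesign XML in this namespace.
BIRT_NS = "{http://www.eclipse.org/birt/2005/design}"

# Constructed sample templates (not taken from any real Remedy installation).
PLAIN = ('<report xmlns="http://www.eclipse.org/birt/2005/design">'
         '<property name="title">Incident summary</property></report>')
SCRIPTED = ('<report xmlns="http://www.eclipse.org/birt/2005/design">'
            '<method name="beforeFactory"><![CDATA[/* script body */]]></method>'
            '</report>')

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def script_handlers(xml_text):
    """Names of non-empty <method> elements, i.e. embedded event-handler scripts."""
    # Stdlib parser keeps this dependency-free; use defusedxml for untrusted files.
    root = ET.fromstring(xml_text)
    return sorted(el.get("name", "?") for el in root.iter(BIRT_NS + "method")
                  if (el.text or "").strip())

def audit(templates, baseline):
    """templates: {name: xml_text}; baseline: {name: sha256 hex of approved copy}.
    Returns one finding per template that is new or differs from the baseline."""
    findings = []
    for name in sorted(templates):
        known = baseline.get(name)
        if known == sha256_hex(templates[name]):
            continue  # unchanged since it was approved
        try:
            handlers = script_handlers(templates[name])
        except ET.ParseError:
            handlers = ["<unparseable>"]  # malformed template still gets reported
        findings.append({"template": name,
                         "status": "new" if known is None else "modified",
                         "script_handlers": handlers})
    return findings

if __name__ == "__main__":
    baseline = {"incident_summary.rptdesign": sha256_hex(PLAIN)}
    current = {"incident_summary.rptdesign": SCRIPTED,   # changed after approval
               "weekly_export.rptdesign": PLAIN}          # never approved
    for finding in audit(current, baseline):
        print(finding)
```

Record the baseline only after templates have been reviewed, and store it where report authors cannot write to it.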
