CVE-2019-16755
📋 TL;DR
CVE-2019-16755 is a critical vulnerability in BMC Remedy ITSM Suite that allows remote attackers to execute arbitrary commands on the underlying operating system without authentication. This affects both DWP and SmartIT components across multiple versions. Organizations using affected versions are at risk of complete system compromise.
💻 Affected Systems
- BMC Remedy ITSM Suite DWP
- BMC Remedy ITSM Suite SmartIT
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover, data exfiltration, ransomware deployment, lateral movement across the network, and persistent backdoor installation.
Likely Case
Initial foothold leading to privilege escalation, credential harvesting, and deployment of additional malware payloads.
If Mitigated
Limited impact due to network segmentation, strict firewall rules, and proper access controls preventing exploitation attempts.
🎯 Exploit Status
Exploitation requires no authentication and has been weaponized in real attacks. The assigned weakness, CWE-502 (Deserialization of Untrusted Data), indicates that the attack vector involves malicious serialized objects sent to the application.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: DWP: 19.08.01 and later; SmartIT: 19.08 and later
Vendor Advisory: https://bmcsites.force.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA21O000000gnYQSAY&type=Solution
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the BMC support portal.
2. Apply the patch following BMC's installation guide.
3. Restart the affected services.
4. Verify the patch installation through version checks.
🔧 Temporary Workarounds
Network Isolation
Restrict network access to BMC Remedy ITSM Suite to only trusted IP addresses and internal networks.
Web Application Firewall Rules
Implement WAF rules to block suspicious serialized object patterns and command injection attempts.
🧯 If You Can't Patch
- Immediately isolate affected systems from internet access and restrict to internal network only
- Implement strict network segmentation and monitor all traffic to/from BMC Remedy systems
🔍 How to Verify
Check if Vulnerable:
Check the installed version of BMC Remedy ITSM Suite DWP and SmartIT components against affected version ranges.
Check Version:
Check the BMC Remedy administration console or consult the system documentation for version information.
Verify Fix Applied:
Verify that DWP version is 19.08.01 or higher and SmartIT version is 19.08 or higher.
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from BMC Remedy services
- Suspicious command execution patterns in system logs
- Unexpected network connections from BMC Remedy hosts
Network Indicators:
- HTTP requests containing serialized objects to BMC Remedy endpoints
- Outbound connections from BMC Remedy servers to unknown external IPs
SIEM Query:
source="bmc_remedy_logs" AND (process_name="cmd.exe" OR process_name="powershell.exe" OR process_name="/bin/sh")
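The version check in "How to Verify" and the SIEM query above, expressed as runnable code. This is an added example, not code from the advisory or from BMC: the fixed-version thresholds are the ones the advisory states (DWP 19.08.01, SmartIT 19.08), while the log records are constructed samples in a generic key=value layout, not BMC's real log format, so the field names (`source`, `host`, `parent`, `process_name`) are assumptions chosen to mirror the query.

```python
"""Added example: fixed-version comparison and the advisory's SIEM query
applied to constructed sample log records. Not from the advisory or BMC."""
import re
import shlex
from typing import Dict, Iterable, List, Tuple

# Fixed releases as stated in the advisory: DWP 19.08.01 and later, SmartIT 19.08 and later.
FIXED_VERSIONS: Dict[str, str] = {"DWP": "19.08.01", "SmartIT": "19.08"}

# Process names from the advisory's SIEM query.
SUSPICIOUS_PROCESSES = {"cmd.exe", "powershell.exe", "/bin/sh"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '19.08.01' into (19, 8, 1) so versions compare numerically, not as strings."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_fixed(component: str, installed: str) -> bool:
    """True when the installed version of DWP or SmartIT is at or above the fixed release."""
    fixed = parse_version(FIXED_VERSIONS[component])
    have = parse_version(installed)
    # Pad the shorter tuple with zeros so (19, 8) is treated as (19, 8, 0).
    width = max(len(fixed), len(have))
    have_padded = have + (0,) * (width - len(have))
    fixed_padded = fixed + (0,) * (width - len(fixed))
    return have_padded >= fixed_padded


def audit(installed: Dict[str, str]) -> Dict[str, bool]:
    """Map each component to whether its installed version carries the fix."""
    return {component: is_fixed(component, version) for component, version in installed.items()}


# Constructed sample records (assumed key=value layout, not BMC's actual log format).
# The two hits show a shell spawned by the Java/Tomcat process hosting Remedy,
# which is the "unusual process creation from BMC Remedy services" indicator.
SAMPLE_LOGS: List[str] = [
    'ts=2024-01-01T10:00:00Z source=bmc_remedy_logs host=remedy01 parent=java process_name=cmd.exe',
    'ts=2024-01-01T10:00:01Z source=bmc_remedy_logs host=remedy01 parent=java process_name=java',
    'ts=2024-01-01T10:00:02Z source=windows_security host=dc01 parent=explorer.exe process_name=powershell.exe',
    'ts=2024-01-01T10:00:03Z source=bmc_remedy_logs host=remedy02 parent=tomcat process_name=/bin/sh',
    'ts=2024-01-01T10:00:04Z source=bmc_remedy_logs host=remedy02 parent=tomcat process_name=tomcat',
]


def parse_record(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict; shlex keeps quoted values intact."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def matches_siem_query(record: Dict[str, str]) -> bool:
    """Python form of: source="bmc_remedy_logs" AND process_name in {cmd.exe, powershell.exe, /bin/sh}."""
    return (
        record.get("source") == "bmc_remedy_logs"
        and record.get("process_name", "").lower() in SUSPICIOUS_PROCESSES
    )


def find_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every record that the SIEM query would flag."""
    return [rec for rec in map(parse_record, lines) if matches_siem_query(rec)]


if __name__ == "__main__":
    # Constructed inventory: one component still behind the fixed release.
    for component, fixed in audit({"DWP": "19.08", "SmartIT": "19.08"}).items():
        print(f"{component}: {'fixed' if fixed else 'VULNERABLE, patch required'}")
    for hit in find_hits(SAMPLE_LOGS):
        print(f"ALERT host={hit['host']} parent={hit['parent']} spawned {hit['process_name']}")
```

The query is an exact match on `process_name`, so a record that logs the full executable path rather than the bare name would slip past it; when adapting this to a real SIEM, normalise the field to its basename or extend the list with the path forms your logging source emits. The version comparison is numeric on purpose: a plain string comparison would rank "19.8" below "19.08".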