CVE-2023-26550
📋 TL;DR
This SQL injection vulnerability in BMC Control-M allows an attacker to execute arbitrary SQL commands against the Control-M database by supplying crafted content in the memname JSON field of a request. Depending on the database account's privileges, the attacker could read, modify, or delete database content. Organizations running Control-M versions earlier than 9.0.20.214 are affected.
💻 Affected Systems
- BMC Control-M
📦 What is this software?
BMC Control-M is an enterprise workload automation (job scheduling) platform. The Control-M server stores job definitions, run history, and configuration in a backend relational database, so a SQL injection reached through a job-definition field such as memname exposes the scheduler's entire data store, not just one record.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Control-M database leading to data theft, data manipulation, privilege escalation, and potential lateral movement to connected systems.
Likely Case
Unauthorized database access allowing data exfiltration, configuration changes, or service disruption.
If Mitigated
Limited impact due to network segmentation, input validation, and proper access controls preventing successful exploitation.
🎯 Exploit Status
Exploitation requires the ability to send requests to the vulnerable endpoint, but SQL injection is a well-understood attack class with mature, freely available tooling, so once an attacker can reach the endpoint the bar is low. No public exploit is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.0.20.214 or later
Vendor Advisory: https://www.bmc.com/it-solutions/control-m.html (product page; consult the BMC support portal for the specific fix notice)
Restart Required: Yes
Instructions:
1. Download patch 9.0.20.214 or later from the BMC support portal.
2. Back up the current configuration and database.
3. Apply the patch following BMC's installation guide.
4. Restart Control-M services.
5. Verify the update succeeded (see How to Verify below).
🔧 Temporary Workarounds
Input Validation Filter
Implement a web application firewall or an input validation layer in front of Control-M that filters SQL injection patterns in JSON input. Prefer an allowlist on the memname field (for example, a bounded set of name characters) over signature matching alone; blocklists of SQL keywords are routinely bypassed with encoding and case variation.
WAF rule: Detect and block SQL injection patterns (quote followed by OR/AND, UNION SELECT, comment sequences, stacked statements) in JSON payloads, and log every match for the Detection & Monitoring section below.
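The following is an added illustration, not code from BMC or Control-M: a toy SQLite table of job definitions is used to show why concatenating memname into SQL is exploitable, how a parameterized query removes the problem, and how an allowlist check on the JSON field (the "Input Validation Filter" workaround above) rejects the same payload before it reaches the database. The table schema, the allowlist regex, and the request bodies are all assumptions made for the example.

```python
import json
import re
import sqlite3

# Assumed allowlist for a member name: letters, digits, underscore, dot, dash,
# at most 64 characters. Tune to what your job definitions actually use.
MEMNAME_RE = re.compile(r"[A-Za-z0-9_.\-]{1,64}")


def validate_memname(payload: str) -> str:
    """Parse a JSON request body and return memname if it passes the allowlist.

    Raises ValueError when the field is missing, not a string, or contains
    characters outside the allowlist, so a filtering layer can reject the
    request instead of forwarding it.
    """
    body = json.loads(payload)
    memname = body.get("memname")
    if not isinstance(memname, str) or not MEMNAME_RE.fullmatch(memname):
        raise ValueError("memname rejected by allowlist")
    return memname


def _toy_db() -> sqlite3.Connection:
    # Constructed schema, not Control-M's: a secret column stands in for any
    # sensitive data that lives alongside job definitions.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (memname TEXT, owner TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO jobs VALUES (?, ?, ?)",
        [("BACKUP_DB", "ops", "n/a"), ("PAYROLL", "finance", "db-password")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, memname: str):
    # Deliberately unsafe: a single quote in memname ends the string literal,
    # and everything after it is parsed as SQL.
    sql = "SELECT memname, owner FROM jobs WHERE memname = '" + memname + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, memname: str):
    # Parameterized: the driver passes memname as data, never as SQL text.
    return conn.execute(
        "SELECT memname, owner FROM jobs WHERE memname = ?", (memname,)
    ).fetchall()


def demo() -> dict:
    """Run benign and hostile memname values through both query styles."""
    conn = _toy_db()
    benign = '{"memname": "BACKUP_DB"}'
    # Hostile body: closes the literal, UNIONs the secret column into the
    # result, and comments out the trailing quote.
    hostile = '{"memname": "x\' UNION SELECT secret, owner FROM jobs --"}'

    results = {
        "benign_vuln": lookup_vulnerable(conn, json.loads(benign)["memname"]),
        "hostile_vuln": lookup_vulnerable(conn, json.loads(hostile)["memname"]),
        "hostile_safe": lookup_safe(conn, json.loads(hostile)["memname"]),
        "benign_allowed": validate_memname(benign) == "BACKUP_DB",
    }
    try:
        validate_memname(hostile)
        results["filter_blocked"] = False
    except ValueError:
        results["filter_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns the secret column for the hostile body, the parameterized lookup returns nothing because no job is literally named with the payload, and the allowlist rejects the body outright. The allowlist is the workaround; the parameterized query is what the vendor fix has to provide, since a filter in front of the application can only narrow the attack surface.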
Network Segmentation
Restrict access to the Control-M application server to authorized hosts only. The allow rules below only help if the port is otherwise denied by default; replace TRUSTED_IP and CONTROL_M_PORT with your values.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP" port port="CONTROL_M_PORT" protocol="tcp" accept'
firewall-cmd --reload
netsh advfirewall firewall add rule name="Control-M Access" dir=in action=allow protocol=TCP localport=CONTROL_M_PORT remoteip=TRUSTED_IP
🧯 If You Can't Patch
- Implement strict network access controls so that only administrators and integration hosts that genuinely need it can reach the Control-M application server
- Deploy a web application firewall with SQL injection detection rules that inspect JSON payloads (many default rule sets only parse form-encoded bodies), and review the matches rather than relying on blocking alone
- Ensure the database account used by Control-M has only the privileges the product requires, so a successful injection cannot reach other schemas or run administrative statements
🔍 How to Verify
Check if Vulnerable:
Check the Control-M version via the web interface or command line. If the version is below 9.0.20.214, the system is vulnerable.
Check Version:
On the Control-M server: ctmadmin -version (as listed on this page; the version is also shown in the web interface administration panel)
Verify Fix Applied:
Verify the version is 9.0.20.214 or higher. Then, from a test client, submit a request whose memname JSON field contains a single quote and confirm the server returns a normal validation error rather than a database error or an HTTP 500, which would indicate the value still reaches the SQL layer unescaped.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs (UNION, comment sequences, or statements touching tables the application never queries)
- Requests with SQL injection patterns in authentication or other input fields
- JSON payloads whose memname field contains quotes, comment sequences, or SQL keywords in a query-like position
Network Indicators:
- Unusual query volume from the Control-M server to its database, or unexpected outbound connections from the database host
- HTTP requests with SQL injection patterns in JSON payloads
SIEM Query:
source="control-m" AND (memname CONTAINS "SELECT" OR memname CONTAINS "UNION" OR memname CONTAINS "INSERT" OR memname CONTAINS "DELETE")
This keyword query is a starting point only: it flags legitimate member names such as DELETE_OLD_FILES and, depending on the SIEM, may be case-sensitive and miss URL- or Unicode-encoded payloads. Tighten it to keyword-in-context patterns (a quote followed by OR/AND and a comparison, UNION followed by SELECT, "--" or "/*", or a semicolon followed by a statement keyword) and correlate by source address.
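An added detection example, not part of this page's original content and not a Control-M log format: a small scanner that extracts the memname field from JSON-formatted request records, flags keyword-in-context injection patterns, and aggregates hits by source address. The log lines are constructed for the example, the field names (ts, src, status, body) are assumptions, and the rule set is illustrative rather than exhaustive. It also shows the false positive the plain keyword query above would raise on DELETE_OLD_FILES.

```python
import json
import re
from collections import Counter

# Constructed sample records, one JSON object per line. Not real Control-M logs.
SAMPLE_LOGS = r"""
{"ts":"2023-03-01T10:00:01Z","src":"10.0.0.5","status":200,"body":{"memname":"BACKUP_DB"}}
{"ts":"2023-03-01T10:00:02Z","src":"10.0.0.5","status":200,"body":{"memname":"DELETE_OLD_FILES"}}
{"ts":"2023-03-01T10:00:03Z","src":"198.51.100.7","status":500,"body":{"memname":"x' UNION SELECT username, password FROM users--"}}
{"ts":"2023-03-01T10:00:04Z","src":"198.51.100.7","status":200,"body":{"memname":"x' OR '1'='1"}}
{"ts":"2023-03-01T10:00:05Z","src":"198.51.100.7","status":500,"body":{"memname":"x'; WAITFOR DELAY '0:0:5'--"}}
{"ts":"2023-03-01T10:00:06Z","src":"10.0.0.9","status":200,"body":{"jobname":"NIGHTLY"}}
not a json line at all
""".strip().splitlines()

# Keyword-in-context rules. A bare keyword such as DELETE inside a legitimate
# member name does not match any of these.
SQLI_RULES = {
    "union_select": re.compile(r"union\s+(all\s+)?select", re.I),
    "quote_boolean": re.compile(r"'\s*(or|and)\s+\S+\s*=", re.I),
    "comment_terminator": re.compile(r"(--|/\*)"),
    "stacked_statement": re.compile(
        r";\s*(select|insert|update|delete|drop|exec|waitfor)\b", re.I
    ),
}


def classify(memname: str) -> list:
    """Return the names of the rules that match the memname value."""
    return [name for name, rx in SQLI_RULES.items() if rx.search(memname)]


def scan(lines) -> list:
    """Yield one finding per record whose memname matches at least one rule.

    Records that are not JSON or carry no string memname are skipped rather
    than treated as errors, so a partially malformed log does not abort the scan.
    """
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        body = record.get("body") or {}
        memname = body.get("memname") if isinstance(body, dict) else None
        if not isinstance(memname, str):
            continue
        rules = classify(memname)
        if rules:
            findings.append(
                {"ts": record.get("ts"), "src": record.get("src"),
                 "status": record.get("status"), "memname": memname, "rules": rules}
            )
    return findings


def hits_by_source(findings) -> Counter:
    """Count findings per source address; repeat offenders are the ones to escalate."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for f in found:
        print(f["ts"], f["src"], f["status"], f["rules"], repr(f["memname"]))
    print("hits by source:", dict(hits_by_source(found)))
```

Run as written, the scanner reports three findings, all from 198.51.100.7, and leaves DELETE_OLD_FILES alone. The status field is carried into each finding because a run of HTTP 500 responses paired with matching payloads is a stronger signal than either alone.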