CVE-2023-34257

9.8 CRITICAL

📋 TL;DR

BMC Patrol agents through version 23.1.00 allow remote attackers to modify configuration without authentication by default, enabling remote code execution when SNMP-related configuration fields are manipulated and the agent restarts. This affects all systems running vulnerable BMC Patrol agent versions with default configurations. The vendor disputes this as a vulnerability, stating authentication is optional.

💻 Affected Systems

Products:
  • BMC Patrol Agent
Versions: Through 23.1.00
Operating Systems: All supported platforms (Windows, Linux, Unix variants)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable by default as authentication is not required. Affects all configurations where the Patrol agent is running with default settings.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root/administrator privileges, allowing attackers to execute arbitrary code, steal data, deploy ransomware, or pivot to other systems.

🟠 Likely Case

Remote code execution leading to unauthorized access, data exfiltration, or installation of backdoors on affected systems.

🟢 If Mitigated

No impact if authentication is enabled and properly configured, or if vulnerable systems are isolated from untrusted networks.

🌐 Internet-Facing: HIGH - Directly exploitable from the internet if agent ports are exposed, with no authentication required by default.
🏢 Internal Only: HIGH - Even internally, attackers with network access can exploit this without credentials due to default lack of authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public advisory includes technical details sufficient for exploitation. Attack requires agent restart after configuration modification, which may occur naturally or be forced.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not provided by vendor

Vendor Advisory: Not available - vendor disputes vulnerability

Restart Required: Yes

Instructions:

No official patch. Vendor recommends enabling authentication as a security measure rather than treating this as a vulnerability.

🔧 Temporary Workarounds

Workaround: Enable authentication for Patrol configuration
Platform: all

Configure the Patrol agent to require authentication for configuration changes. Consult the BMC Patrol documentation for the authentication setup specific to your version.

Workaround: Restrict network access to the Patrol agent
Platform: linux

Block access to the Patrol agent port (default 3181) from untrusted networks. Because -A appends, the ACCEPT rule for trusted sources must be added before the catch-all DROP so it is evaluated first; any rules already earlier in the INPUT chain still apply.

iptables -A INPUT -p tcp --dport [patrol_port] -s [trusted_ips] -j ACCEPT
iptables -A INPUT -p tcp --dport [patrol_port] -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Patrol agents from untrusted networks
  • Enable and enforce strong authentication for all Patrol agent configuration access
  • Monitor for unauthorized configuration changes and agent restarts
  • Consider replacing with alternative monitoring solutions if vendor support is insufficient

🔍 How to Verify

Check if Vulnerable:

Check if Patrol agent version is 23.1.00 or earlier and if authentication is disabled for configuration access. Test by attempting to modify configuration without credentials.

Check Version:

pconfig -version (on Unix/Linux) or check Patrol agent properties on Windows

Verify Fix Applied:

Verify authentication is required for configuration changes and test that unauthenticated modification attempts fail.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized configuration modification attempts in Patrol logs
  • Unexpected agent restarts
  • Changes to SNMP-related configuration parameters

Network Indicators:

  • Unusual connections to Patrol agent ports (default 3181)
  • Configuration modification traffic without authentication

SIEM Query (illustrative; the source and field names are placeholders to be mapped onto your own Patrol log schema):

source="patrol_agent" AND (event="config_modification" OR event="agent_restart") AND NOT user="authenticated_user"
