Full Report
BMC makes a number of mainframe-focused applications, one of which is Control-D, a “Report Distribution system for distributed and mainframe platforms”. This blog post describes an authentication bypass vulnerability found in it that allows access to restricted reports. To make mainframe-based reports accessible outside the mainframe, and to avoid having to create mainframe accounts for every report consumer, BMC provides a web application that makes the reports available via a browser.
Analysis Summary
# Vulnerability: BMC Control-D WebAccess Authentication Bypass
## CVE Details
- CVE ID: Not explicitly listed in the article. (Note: no CVE identifier appears in the summary, but BMC has acknowledged and fixed the flaw.)
- CVSS Score: Not provided in the article.
- CWE: CWE-287: Improper Authentication (Inferred based on bypass)
## Affected Systems
- Products: BMC Control-D WebAccess Server
- Versions: All versions up to and including 9.0.18 (the article specifically notes version 3.1.04, prior to the fix).
- Configurations: Systems using IIS-based integrated authentication (Basic or Integrated NTLM/Kerberos) where the web application relies on environment variables passed by IIS to the `bmc-ctd-wa-cgi.exe` application.
## Vulnerability Description
The vulnerability resides in how the Control-D WebAccess Server CGI application (`bmc-ctd-wa-cgi.exe`) processes the user identity passed to it via environment variables (specifically `REMOTE_USER`) that the front-end web server (IIS) sets after authenticating the request. The CGI trusts this value as already authenticated and forwards it to the backend Control-D service listening on TCP port **7777**. An attacker who can establish a direct connection to that backend service can therefore bypass the authentication layer entirely: by sending requests that mimic the protocol the CGI speaks (which amounts to controlling the `REMOTE_USER` value, whether through direct service interaction or by manipulating the CGI execution context), the attacker can impersonate an authenticated user and gain access to restricted reports.
## Exploitation
- Status: PoC available (The researcher detailed the steps to achieve local exploitation by manipulating the CGI execution environment).
- Complexity: Medium (Requires finding and understanding the binary protocol used between the CGI and the service on port 7777, and potentially finding the correct version of the CGI binary that reads the `REMOTE_USER` variable).
- Attack Vector: Network (If port 7777 is externally exposed) or Adjacent/Local (If the attacker can execute code or interact with the local service endpoint).
## Impact
- Confidentiality: High (Access to potentially restricted reports).
- Integrity: Low (Primarily an access/read flaw).
- Availability: Low (No direct impact on availability described).
## Remediation
### Patches
BMC has released fixes for the following releases:
- Control-D/WebAccess Server release **9.0.19** (the general fix release).
- Patches for supported releases:
  - **9.0.00**: DRNBO.9.0.00.021
  - **9.0.18**: DRNBO.9.0.18.008
Fixes are available for all supported platforms (Windows, Linux X64, AIX, Oracle Solaris).
### Workarounds
No specific temporary workarounds were detailed in the article, apart from ensuring firewall rules prevent direct external access to port 7777.
## Detection
- Indicators of Compromise: Unusual traffic or connections originating directly to port **7777** on the Control-D application server, bypassing the front-end IIS server configuration, or unexpected execution of `bmc-ctd-wa-cgi.exe` outside of the normal web request flow.
- Detection Methods and Tools: Network monitoring tools flagging unauthorized TCP connections to port 7777.
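The indicator above, as an added example that is not part of the summarized article or of BMC's software: a small detector that reads connection log lines and flags TCP connections to the Control-D service port 7777 that did not come from the IIS front end. The key=value log format, the internal network range, and the host addresses (`CONTROL_D_HOST`, `IIS_FRONTEND_HOSTS`) are constructed placeholders, not values from the page.

```python
"""
Added example (not from the summarized article or BMC): detect direct
connections to the Control-D backend port 7777 that bypass the IIS front end.

Assumptions (not taken from the page):
  * Log lines are a constructed key=value firewall/NetFlow style record.
  * CONTROL_D_HOST, IIS_FRONTEND_HOSTS and INTERNAL_NETWORKS are placeholder
    topology values for the Control-D server, the IIS web server(s) allowed
    to reach it, and the organisation's internal address space.
"""
import ipaddress
import re
from dataclasses import dataclass

CONTROL_D_PORT = 7777  # backend Control-D service port named in the report

# Placeholder topology: only the IIS front end should open port 7777 on the server.
CONTROL_D_HOST = ipaddress.ip_address("10.20.0.10")
IIS_FRONTEND_HOSTS = {ipaddress.ip_address("10.20.0.5")}
INTERNAL_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)\s+action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    source: str
    blocked: bool   # True if the firewall already denied the connection
    reason: str


def parse_line(line):
    """Return the fields of one constructed log line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["dport"] = int(fields["dport"])
    return fields


def classify(fields):
    """Return a Finding for a suspicious connection to port 7777, else None."""
    if fields["proto"].lower() != "tcp" or fields["dport"] != CONTROL_D_PORT:
        return None
    try:
        src = ipaddress.ip_address(fields["src"])
        dst = ipaddress.ip_address(fields["dst"])
    except ValueError:
        return Finding(fields["ts"], fields["src"], False, "unparseable address")
    if dst != CONTROL_D_HOST:
        return None
    if src in IIS_FRONTEND_HOSTS:
        return None  # expected path: browser -> IIS -> CGI -> service on 7777
    blocked = fields["action"].lower() != "allow"
    if any(src in net for net in INTERNAL_NETWORKS):
        reason = "internal host other than the IIS front end reached port 7777"
    else:
        reason = "source outside the internal networks reached port 7777 directly"
    return Finding(fields["ts"], fields["src"], blocked, reason)


def scan(lines):
    """Run the detector over an iterable of log lines and return the findings."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        finding = classify(fields)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample: one legitimate front-end connection, one lateral, one external.
SAMPLE_LOG = [
    "2024-05-01T09:00:01Z src=10.20.0.5 dst=10.20.0.10 dport=7777 proto=tcp action=allow",
    "2024-05-01T09:00:02Z src=10.20.0.5 dst=10.20.0.10 dport=443 proto=tcp action=allow",
    "2024-05-01T09:01:15Z src=10.20.3.77 dst=10.20.0.10 dport=7777 proto=tcp action=allow",
    "2024-05-01T09:02:40Z src=203.0.113.9 dst=10.20.0.10 dport=7777 proto=tcp action=deny",
    "2024-05-01T09:03:00Z src=10.20.3.77 dst=10.20.0.10 dport=7777 proto=udp action=allow",
    "garbage line that does not match the expected format",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        state = "blocked" if f.blocked else "ALLOWED"
        print(f"{f.timestamp} {f.source} [{state}]: {f.reason}")
```

Allowed connections from internal hosts other than the front end are the case worth triaging first, since the report notes that the backend trusts the identity it is handed; blocked external attempts are recorded but are already being stopped by the firewall rule the Workarounds section recommends.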
## References
- Vendor Advisory: CTM-1436 (For details on the fix within Control-D WebAccess Server docs)
- Research Blog: hxxps://sensepost.com/blog/bypassing-access-control-in-bmc-control-d-report-viewer