CVE-2018-20735

high-risk

Published 2019-01-17

An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only verifies if the password provided for the given username is correct; it does not verify the permissions of the user on the network. This means if you have PATROL Agent installed on a high value target (domain controller), you can use a low privileged domain user to authenticate with PatrolCli and then connect to the domain controller and run commands as SYSTEM. This means any user on a domain can escalate to domain admin through PATROL Agent. NOTE: the vendor disputes this because they believe it is adequate to prevent this escalation by means of a custom, non-default configuration

Do I need to act?

38.0% chance of exploitation in next 30 days

EPSS score — higher than 62% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

46556

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.8/10 High

LOCAL / LOW complexity

Affected Products (1)

Patrol Agent

Affected Vendors

Bmc

References (4)

Exploit https://www.exploit-db.com/exploits/46556/

Exploit https://www.securifera.com/blog/2018/12/17/bmc-patrol-agent-domain-user-to-domai...

Exploit https://www.exploit-db.com/exploits/46556/

Exploit https://www.securifera.com/blog/2018/12/17/bmc-patrol-agent-domain-user-to-domai...

/ 100

high-risk

Severity 24/34 · High

Exploitability 23/34 · High

Exposure 5/34 · Minimal