CVE-2016-6599 : BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET remoting configuration service (ConfigurationService)

BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET remoting configuration service (ConfigurationService) on port 9010. This service contains a method that can be used to retrieve a configuration file that contains the application database name, username and password as well as the domain administrator username and password. These are encrypted with a fixed key and IV ("NumaraIT") using the DES algorithm. The domain administrator username and password can only be obtained if the Self-Service component is enabled, which is the most common scenario in enterprise deployments.

Published 2018-01-30 20:29:00

Updated 2018-02-26 20:05:30

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2016-6599

Probability of exploitation activity in the next 30 days: 0.52%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 74 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2016-6599

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2016-6599

CWE-255

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-6599

http://seclists.org/fulldisclosure/2018/Jan/92

Full Disclosure: [CVE-2016-6598/9]: RCE and admin cred disclosure in BMC Track-It! 11.4
Exploit;Mailing List;Technical Description;Third Party Advisory

CVEs referencing this url
https://communities.bmc.com/community/bmcdn/bmc_track-it/blog/2016/01/04/track-it-security-advisory-24-dec-2015

Track-It!: Track-It! Security Advisory [24-Dec-... | BMC Communities
Vendor Advisory

CVEs referencing this url
http://packetstormsecurity.com/files/146110/BMC-Track-It-11.4-Code-Execution-Information-Disclosure.html

BMC Track-It! 11.4 Code Execution / Information Disclosure ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry

CVEs referencing this url
https://github.com/pedrib/PoC/blob/master/advisories/bmc-track-it-11.4.txt

PoC/bmc-track-it-11.4.txt at master · pedrib/PoC · GitHub
Exploit;Third Party Advisory

CVEs referencing this url

Products affected by CVE-2016-6599

BMC » Track-it!
Versions up to, including, (<=) 11.4
cpe:2.3:a:bmc:track-it\!:*:*:*:*:*:*:*:*
Matching versions
BMC » Track-it! » Version: 11.4 Update HF1
cpe:2.3:a:bmc:track-it\!:11.4:hf1:*:*:*:*:*:*
Matching versions
BMC » Track-it! » Version: 11.4 Update HF2
cpe:2.3:a:bmc:track-it\!:11.4:hf2:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2016-6599

Exploit prediction scoring system (EPSS) score for CVE-2016-6599

CVSS scores for CVE-2016-6599

CWE ids for CVE-2016-6599

References for CVE-2016-6599

Products affected by CVE-2016-6599