ID CVE-2016-6599
Summary BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET remoting configuration service (ConfigurationService) on port 9010. This service contains a method that can be used to retrieve a configuration file that contains the application database name, username and password as well as the domain administrator username and password. These are encrypted with a fixed key and IV ("NumaraIT") using the DES algorithm. The domain administrator username and password can only be obtained if the Self-Service component is enabled, which is the most common scenario in enterprise deployments.
References
Vulnerable Configurations
  • cpe:2.3:a:bmc:track-it\!:11.4:*:*:*:*:*:*:*
    cpe:2.3:a:bmc:track-it\!:11.4:*:*:*:*:*:*:*
  • cpe:2.3:a:bmc:track-it\!:11.4:hf1:*:*:*:*:*:*
    cpe:2.3:a:bmc:track-it\!:11.4:hf1:*:*:*:*:*:*
  • cpe:2.3:a:bmc:track-it\!:11.4:hf2:*:*:*:*:*:*
    cpe:2.3:a:bmc:track-it\!:11.4:hf2:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 26-02-2018 - 20:05)
Impact:
Exploitability:
CWE CWE-255
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
refmap via4
confirm https://communities.bmc.com/community/bmcdn/bmc_track-it/blog/2016/01/04/track-it-security-advisory-24-dec-2015
fulldisc 20180126 [CVE-2016-6598/9]: RCE and admin cred disclosure in BMC Track-It! 11.4
misc
Last major update 26-02-2018 - 20:05
Published 30-01-2018 - 20:29
Last modified 26-02-2018 - 20:05
Back to Top