Security researchers from the Outpost24 SWAT team, Simon Rawet and Kristian Varnai, have identified and reported numerous vulnerabilities in BMC Remedy. The vulnerabilities range from relatively benign to full remote code execution without authentication.
Exploitation requires an understanding of the nature of the vulnerabilities, but once they are understood, exploitation is trivial and can be performed by any attacker. As there are hundreds of portals exposing the vulnerable services, the team is withholding publication of the full disclosure at the moment, since organizations worldwide are open to attack and currently have no patch or protection available.
In most organizations, BMC Remedy is a critical IT system that contains very sensitive information and processes. The vendor has not provided a response regarding patching and has ceased communication with the team. For this reason, this initial publication is made now that we have reached the end of the 90-day grace period without any updates.
Customers of BMC Remedy who need more information can reach out via their local Outpost24 contact; further information related to the issues can be shared under NDA. The general recommendation is that, until a patch is made available by the vendor, the portals be isolated from internet access.
Note that code execution is possible without a login to the system and without any user interaction. It is also possible to achieve code execution as a logged-in user. Even if those two vulnerabilities were prevented, attackers who are not logged in could still hijack the logging functionality and thereby steal log data, including cookies and HTTP traffic.
This disclosure is made after a 90-day grace period during which we have not received further information or feedback regarding patching; requests for updates have also gone unanswered. Our hope is that this disclosure will create the urgency for the vendor to patch.
Update - Outpost24 is continuing to support BMC Software in their remediation efforts. According to BMC Software CSO, Nick Yoo:
"BMC has been working with Outpost24 to ensure that each of the recently identified vulnerabilities in Remedy is addressed thoroughly. BMC is actively finalizing remediations for the reported issues and will be providing them in a patch as soon as possible. BMC will notify customers as soon as that patch is available. BMC remains committed to security and to staying on top of vulnerability management and threat intelligence. BMC is constantly working to improve application security and incident response policy."