Potentially Malicious Libraries Loaded by Control-M Could Lead to Privilege Escalation
CVE-2024-1605
6.6 MEDIUM
What is CVE-2024-1605?
BMC Control-M versions 9.0.20 and 9.0.21 have a vulnerability where user login allows the loading of Dynamic Link Libraries (DLLs) from a directory with open Read and Write permissions. This design flaw can be exploited to load a malicious library that executes with the privileges of the application, potentially compromising the integrity and security of the system.
Affected Version(s)
Control-M 9.0.20 < 9.0.20.238
Control-M 9.0.21 < 9.0.21.201
References
CVSS V3.1
Score: 6.6
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Maksymilian Kubiak [Afine Team]
Dawid Małecki [Afine Team]
