CVE-2016-1542
published 2016-06-13


Priority: P274 | CVSS 3.0: 7.5 (high)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 74.62% (99.4th percentile)
The RPC API in RSCD agent in BMC BladeLogic Server Automation (BSA) 8.2.x, 8.3.x, 8.5.x, 8.6.x, and 8.7.x on Linux and UNIX allows remote attackers to bypass authorization and enumerate users by sending an action packet to xmlrpc after an authorization failure.

Affected

11 ranges
Vendor | Product | Version range | Fixed in
bmc | bladelogic_server_automation_console | |

Detection & IOCs (extracted from sources)

port: 4750
url: http://<host>:4750/xmlrpc
command: TLSRPC
command: TLS
other: RemoteServer.intro
other: RemoteExec.exec
bytes
\x00\x00\x00\x5e\x30\x30\x30\x30\x30\x30\x35\x36\x30\x30\x30\x30\x30\x30\x31\x31\x36\x35\x3b\x30\x3b\x33\x35\x3b\x38\x38\x30\x3b\x38\x38\x30\x3b\x30\x30\x30\x30\x30\x30\x30\x33\x35\x30\x3b\x30\x3b\x37\x3b
bytes
\x00\x00\x00\x5a\x30\x30\x30\x30\x30\x30\x35\x32\x30\x30\x30\x30\x30\x30\x31\x31\x36\x35\x3b\x30\x3b\x33\x31\x3b\x64\x61\x34\x3b\x64\x61\x34\x3b\x30\x30\x30\x30\x30\x30\x30\x33\x31\x30\x3b\x30\x3b\x37\x3b
bytes
\x00\x00\x00\x32\x30\x30\x30\x30\x30\x30\x32\x61\x30\x30\x30\x30\x30\x30\x31\x30\x36\x34\x3b\x30\x3b\x32\x3b\x36\x66\x37\x3b\x38\x38\x30\x3b\x30\x30\x30\x30\x30\x30\x30\x30\x32\x34\x31\x30\x30\x30\x30\x30\x30\x30\x30
  • Detect exploit initiation by monitoring for the literal string 'TLSRPC' or 'TLS' sent as the first bytes of a TCP connection to port 4750, followed by an SSL/TLS upgrade — this is the protocol handshake used by both exploit variants to initiate the RSCD agent session.
  • Detect POST requests to the path '/xmlrpc' on port 4750 over a TLS-wrapped plain TCP socket (not standard HTTPS), which is the XMLRPC exploitation channel for CVE-2016-1542.
  • Alert on inbound connections to TCP port 4750 from untrusted/external sources; the RSCD agent listens on this port and the authorization bypass is triggered by sending an action packet to xmlrpc after an authorization failure.
  • Look for the fake agentinfo auth packet byte pattern (starting \x00\x00\x00\x5e) or the fake nexec auth packet (starting \x00\x00\x00\x5a) on port 4750 as indicators of active exploitation attempts.
  • Monitor for XML-RPC payloads containing 'RemoteServer.intro' or 'RemoteExec.exec' method names sent to the RSCD agent, as these are the specific RPC calls used to authenticate and execute commands without authorization.
  • The Metasploit module uses BadChars '\x00\x09\x0a' in payloads; monitor for binary command execution packets on port 4750 that contain the nexec finish sequence bytes (\x00\x00\x00\x22 prefix block).
  • The exploit upgrades the TCP connection to TLS using SSLv23 with VERIFY_NONE and ALL ciphers before sending any exploit packets; network inspection must perform TLS interception on port 4750 to inspect payload content.
  • Under Windows targets, non-PowerShell commands are automatically prefixed with 'cmd /c' by the exploit module, so process monitoring should account for both direct command execution and cmd.exe-spawned child processes.
  • The fake auth packets include 7 bytes of random alpha text (rand_text_alpha(7)) at two positions, meaning byte-for-byte signature matching of the full auth packet will miss exploit attempts; match only the fixed prefix portions.
  • The vulnerability affects BMC BSA versions 8.2.x, 8.3.x, 8.5.x, 8.6.x, and 8.7.x on Linux and UNIX; Windows hosts are also targeted by the Metasploit module via the same RSCD agent port.
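
Added example (not taken from the sources quoted on this page): a prefix-based matcher for the indicators above, applied to one reassembled inbound TCP session. It assumes the sensor supplies the first cleartext bytes of the connection and, after TLS interception, the decrypted payload chunks; classify() and the sample sessions are hypothetical names and constructed data.

```python
import re

RSCD_PORT = 4750
# Fixed prefixes of the two fake auth packets listed on this page, with the
# ASCII part decoded. The 7 random letters that follow are deliberately unmatched.
AUTH_PREFIXES = {
    "fake agentinfo auth": b"\x00\x00\x00\x5e" b"0000005600000011"
                           b"65;0;35;880;880;0000000350;0;7;",
    "fake nexec auth": b"\x00\x00\x00\x5a" b"0000005200000011"
                       b"65;0;31;da4;da4;0000000310;0;7;",
}
METHOD_RE = re.compile(
    rb"<methodName>\s*(RemoteServer\.intro|RemoteExec\.exec)\s*</methodName>")


def classify(dst_port, first_cleartext, decrypted_chunks):
    """Return the indicators seen in one inbound TCP session (empty list = none)."""
    findings = []
    if dst_port != RSCD_PORT:
        return findings
    # ASCII preamble sent before the TLS upgrade; check the longer string first.
    if first_cleartext.startswith(b"TLSRPC"):
        findings.append("TLSRPC upgrade preamble")
    elif first_cleartext.startswith(b"TLS"):
        findings.append("TLS upgrade preamble")
    for chunk in decrypted_chunks:
        for name, prefix in AUTH_PREFIXES.items():
            if chunk.startswith(prefix):  # fixed part only, never the full packet
                findings.append(name)
        if chunk.startswith(b"POST /xmlrpc"):
            findings.append("POST /xmlrpc")
        for match in METHOD_RE.finditer(chunk):
            findings.append("xmlrpc method " + match.group(1).decode())
    return findings


# Constructed sample sessions (not captured traffic).
SAMPLE_XMLRPC = (b"POST /xmlrpc HTTP/1.1\r\nContent-Type: text/xml\r\n\r\n"
                 b"<methodCall><methodName>RemoteServer.intro</methodName>"
                 b"<params/></methodCall>")
SUSPECT = (4750, b"TLSRPC",
           [AUTH_PREFIXES["fake nexec auth"] + b"qWeRtYu", SAMPLE_XMLRPC])
# A standard TLS ClientHello starts with 0x16, not with ASCII "TLS".
ORDINARY_TLS = (4750, b"\x16\x03\x01\x02\x00", [])

if __name__ == "__main__":
    for session in (SUSPECT, ORDINARY_TLS):
        print(classify(*session))
```
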

CVSS provenance

nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N