CVE-2016-1543
published 2016-06-13


Priority: P277 (high) · CVSS 3.0 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploit: public exploit available
EPSS: 71.85% (99.3rd percentile)
The RPC API in the RSCD agent in BMC BladeLogic Server Automation (BSA) 8.2.x, 8.3.x, 8.5.x, 8.6.x, and 8.7.x on Linux and UNIX allows remote attackers to bypass authorization and reset arbitrary user passwords by sending an action packet to xmlrpc after an authorization failure.

Affected

11 ranges

Vendor: bmc · Product: bladelogic_server_automation_console · Version range / Fixed in: not captured on this page (the description above lists the affected versions as 8.2.x, 8.3.x, 8.5.x, 8.6.x and 8.7.x)

Detection & IOCs (extracted from sources)

  • port: 4750
  • url: http://<host>:4750/xmlrpc
  • command: TLSRPC
  • command: TLS
  • other: RemoteServer.intro
  • other: RemoteExec.exec
  • bytes (fixed agentinfo auth packet): \x00\x00\x00\x5e\x30\x30\x30\x30\x30\x30\x35\x36\x30\x30\x30\x30\x30\x30\x31\x31\x36\x35\x3b\x30\x3b\x33\x35\x3b\x38\x38\x30\x3b\x38\x38\x30\x3b\x30\x30\x30\x30\x30\x30\x30\x33\x35\x30\x3b\x30\x3b\x37\x3b
  • bytes (fixed nexec auth packet): \x00\x00\x00\x5a\x30\x30\x30\x30\x30\x30\x35\x32\x30\x30\x30\x30\x30\x30\x31\x31\x36\x35\x3b\x30\x3b\x33\x31\x3b\x64\x61\x34\x3b\x64\x61\x34\x3b\x30\x30\x30\x30\x30\x30\x30\x33\x31\x30\x3b\x30\x3b\x37\x3b
  • bytes: \x00\x00\x00\x32\x30\x30\x30\x30\x30\x30\x32\x61\x30\x30\x30\x30\x30\x30\x31\x30\x36\x34\x3b\x30\x3b\x32\x3b\x36\x66\x37\x3b\x38\x38\x30\x3b\x30\x30\x30\x30\x30\x30\x30\x30\x32\x34\x31\x30\x30\x30\x30\x30\x30\x30\x30
  • Detect exploit initiation by monitoring for the literal string 'TLS' or 'TLSRPC' sent as the first bytes of a TCP connection to port 4750, followed by an SSL/TLS upgrade — this is the characteristic handshake used by both exploit variants.
  • Detect unauthenticated XMLRPC POST requests to /xmlrpc on port 4750 over a TLS-wrapped raw TCP socket (not standard HTTPS), which is the attack path used by the Python exploit.
  • Alert on XMLRPC action packets containing 'RemoteExec.exec' or 'RemoteServer.intro' XML elements sent to the RSCD agent on port 4750 without prior successful authentication — these are the two XML-RPC calls used to achieve unauthenticated RCE.
  • Monitor for the fixed nexec auth packet byte sequence (starting \x00\x00\x00\x5a) on port 4750 — this is the fake nexec authorization packet sent by the Metasploit module to bypass authentication.
  • Monitor for the fixed agentinfo auth packet byte sequence (starting \x00\x00\x00\x5e) on port 4750 — this is the fake agentinfo authorization packet used for both reconnaissance and exploitation.
  • The exploit sends an action packet to xmlrpc after an authorization failure — detect sequences where an HTTP POST to /xmlrpc follows a failed auth response on the same TCP session to port 4750.
  • Under Windows, watch for RSCD-spawned processes executing commands prefixed with 'cmd /c' as children of the RSCD agent process, indicating generic command execution via the exploit.
  • The exploit upgrades the raw TCP connection to TLS before sending any RSCD protocol data, so network inspection must perform TLS interception on port 4750 to inspect payload content.
  • The Python exploit variant uses 'TLSRPC' (6 bytes) as the TLS upgrade trigger, while the Metasploit module uses 'TLS' (3 bytes); signatures must account for both variants.
  • Payload bad characters are \x00, \x09, and \x0a — encoded payloads will not contain these bytes, and backslashes are encoded as \xc1\xdc and double quotes as \xc2\x68 in command packets.
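The detection notes above combine several indicators that are only meaningful together (a TLS trigger alone is also what legitimate RSCD clients may send). The following is an added example, not part of this CVE record or of any vendor tooling: a small indicator matcher that takes a post-interception view of one TCP session to port 4750 and reports which of the listed indicators fired. The fixed agentinfo and nexec packets are copied verbatim from the IOC list; the session event format, the pre-classified "auth-failure" server event (the record does not quote the agent's failure response) and the sample sessions are constructed assumptions of this example.

```python
"""Indicator matcher for the CVE-2016-1543 detection notes (added example).

Assumptions: a sensor that has already performed TLS interception on port 4750
hands over each session as an ordered list of (direction, payload) events,
direction "c" = client, "s" = server, and tags a failed RSCD authorization
response as the string event AUTH_FAILURE_EVENT. Nothing here is captured
traffic; the sample sessions at the bottom are constructed.
"""
from dataclasses import dataclass, field

RSCD_PORT = 4750
# First bytes of the client stream that trigger the TLS upgrade:
# 'TLSRPC' (Python exploit, 6 bytes) or 'TLS' (Metasploit module, 3 bytes).
TLS_TRIGGERS = (b"TLSRPC", b"TLS")

# Fixed authorization packets quoted in the IOC list, copied as-is. Each is a
# 4-byte big-endian length followed by ASCII fields, e.g. "00000056" "00000011" "65;0;35;...".
AGENTINFO_AUTH_PACKET = (
    b"\x00\x00\x00\x5e\x30\x30\x30\x30\x30\x30\x35\x36\x30\x30\x30\x30\x30\x30\x31\x31"
    b"\x36\x35\x3b\x30\x3b\x33\x35\x3b\x38\x38\x30\x3b\x38\x38\x30\x3b\x30\x30\x30\x30"
    b"\x30\x30\x30\x33\x35\x30\x3b\x30\x3b\x37\x3b"
)
NEXEC_AUTH_PACKET = (
    b"\x00\x00\x00\x5a\x30\x30\x30\x30\x30\x30\x35\x32\x30\x30\x30\x30\x30\x30\x31\x31"
    b"\x36\x35\x3b\x30\x3b\x33\x31\x3b\x64\x61\x34\x3b\x64\x61\x34\x3b\x30\x30\x30\x30"
    b"\x30\x30\x30\x33\x31\x30\x3b\x30\x3b\x37\x3b"
)
FIXED_PACKETS = {
    "fixed_agentinfo_auth_packet": AGENTINFO_AUTH_PACKET,
    "fixed_nexec_auth_packet": NEXEC_AUTH_PACKET,
}
XMLRPC_METHODS = (b"RemoteExec.exec", b"RemoteServer.intro")
AUTH_FAILURE_EVENT = "auth-failure"  # assumed: sensor pre-classifies the failed auth reply


@dataclass
class Session:
    """One TCP session as the (assumed) sensor hands it over after TLS interception."""
    dst_port: int
    events: list = field(default_factory=list)  # (direction, payload) in wire order
    authenticated: bool = False  # True once the sensor saw a successful RSCD auth


def match_indicators(session: Session) -> set:
    """Return the names of the record's indicators that fire for this session."""
    hits = set()
    if session.dst_port != RSCD_PORT:
        return hits
    client_payloads = [p for d, p in session.events if d == "c" and isinstance(p, bytes)]
    # Indicator 1: TLS upgrade trigger as the very first client bytes.
    if client_payloads and client_payloads[0].startswith(TLS_TRIGGERS):
        hits.add("tls_upgrade_trigger")
    saw_auth_failure = False
    for direction, payload in session.events:
        if direction == "s":
            saw_auth_failure = saw_auth_failure or payload == AUTH_FAILURE_EVENT
            continue
        # Indicators 4/5: the fixed fake authorization packets.
        for name, packet in FIXED_PACKETS.items():
            if payload.startswith(packet):
                hits.add(name)
        # Indicators 2/6: XML-RPC POST without auth, or after a failed auth.
        if payload.startswith(b"POST /xmlrpc"):
            if not session.authenticated:
                hits.add("xmlrpc_post_unauthenticated")
            if saw_auth_failure:
                hits.add("xmlrpc_post_after_auth_failure")
        # Indicator 3: the two XML-RPC calls named in the record, without prior auth.
        if not session.authenticated and any(m in payload for m in XMLRPC_METHODS):
            hits.add("xmlrpc_remote_method_unauthenticated")
    return hits


def verdict(hits: set) -> str:
    """Triage level: the TLS trigger alone is only worth a review, anything more is an alert."""
    if not hits:
        return "none"
    if hits <= {"tls_upgrade_trigger"}:
        return "review"
    return "alert"


# Constructed sample sessions (not captured traffic).
SUSPICIOUS = Session(RSCD_PORT, [
    ("c", b"TLSRPC"),
    ("c", AGENTINFO_AUTH_PACKET + b"<rest of packet>"),
    ("s", AUTH_FAILURE_EVENT),
    ("c", b"POST /xmlrpc HTTP/1.1\r\n\r\n<methodName>RemoteServer.intro</methodName>"),
])
BENIGN = Session(RSCD_PORT, [("c", b"TLS"), ("c", b"<authenticated agent traffic>")], authenticated=True)
OTHER_PORT = Session(443, [("c", b"TLSRPC")])

if __name__ == "__main__":
    for label, s in (("suspicious", SUSPICIOUS), ("benign", BENIGN), ("other-port", OTHER_PORT)):
        hits = match_indicators(s)
        print(f"{label}: {verdict(hits)} {sorted(hits)}")
```

Because a legitimate client may also open with 'TLS', the verdict only escalates to "alert" when one of the stronger indicators (a fixed fake auth packet, an unauthenticated /xmlrpc POST, or a POST following an auth failure) is also present on the same session.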

CVSS provenance

  • nvd, CVSS v3.0: 7.5 HIGH (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
  • nvd, CVSS v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:N/I:P/A:N)
  • cisa: 7.5 HIGH