ATREDIS-2018-0008: IBM BigFix Relay Information Exposure
Improper Access Control
- BigFix (all current versions, including 9.5.11 and previous)
BigFix, part of the Tivoli Endpoint Manager suite, is used by IT organizations to deploy packages, push changes, and generally manage fleets of laptops, desktops, servers, and mobile devices. The BigFix architecture allows any BigFix client system to act as a Relay to the BigFix server. BigFix Relay services expose a subset of the functionality of the BigFix Server to any client that can speak to the TCP service on port 52311. Atredis Partners identified a common misconfiguration where BigFix Relay services are exposed to the internet without authentication, which in turn exposes sensitive internal data to unauthenticated external attackers.
Configure BigFix to use Relay Authentication. Alternatively, disable internet access to the BigFix environment by blocking TCP 52311 at the firewall and allow external device access through a VPN connection. Ensure that sensitive content, such as passwords, are never deployed through BigFix.
This vulnerability was found by HD Moore, Ryan Hanson, and Chris Bellows of Atredis Partners.
- 2018-12-17: Atredis Partners sent vulnerability details to the BigFix product team
- 2019-01-31: The BigFix team provides a link to the Relay Best Practices document
- 2019-01-31: Atredis Partners sent vulnerability details to CERT/CC
- 2019-02-12: CERT/CC confirms contact with the Bigfix team and allocates VU#469957
- 2019-03-18: Atredis Partners publishes this advisory
BigFix clients communicate with BigFix Servers and BigFix Relay services using a HTTP transport over TCP port 52311. This transport is typically encrypted using TLS (SSL). BigFix allows unauthenticated users to query available packages, download package data, register as a new client, and generally interact with the BigFix platform. A BigFix Relay acts as a proxy for a BigFix server, allowing users to perform many of the same actions possible if communicating directly with a BigFix server.
A common and documented configuration of large BigFix environments is to place a BigFix Relay in the network DMZ and expose access to the BigFix Relay service to the internet. This allows devices that are outside the firewall to register, receive updates, and be managed through the BigFix Server without the use of a VPN. This configuration exposes sensitive information about the corporate environment:
Licensing information for the BigFix installation (including email address).
Exact versions of the software and security updates deployed to BigFix clients.
Index of BigFix Sites as configured by the administrator.
Custom packages developed in-house that may contain sensitive configuration data.
Custom packages containing hardcoded credentials.
The internal hostname and domain name of the BigFix Server.
The ComputerID of the BigFix Relay system.
Licensing and BigFix version information can be obtained by requesting the masthead URL:
A full index of configured Sites can be obtained via the URL:
Package names and versions (including custom package information) can be obtained by requesting the BESMirror URL:
The mirror request URL will return a list of packages with the following format:
Action: 21421 url 1: http://[BigFixServer.Corporate.Example]:52311/Desktop/CreateLocalAdmin.ps1 url 2: http://[BigFixServer.Corporate.Example]:52311/Desktop/SetBIOSPassword.ps1
In order to download package contents from a Relay, the package must first be refreshed in the mirror cache. This can be accomplished by requesting URL ID "0" of the Action ID in the URL:
Once the data has been cached, individual sub-URLs may be downloaded by ID:
The BigFix ComputerID, which is used to send and receive messages via the Mailbox API, can be obtained from a BigFix Relay or Client via the TLS certificate "Common Name" field. An attacker with direct access to the BigFix Server can use this ID to retrieve the pending message queue for a given client.
Atredis Partners conducted a survey of public IPv4 space to determine the scope and impact of this issue.
Of the approximately 3.7 billion routable IPv4 addresses, 1,458 valid BigFix Relays were found to be exposed.
These systems were easily identified via the masthead response, which indicates the organization and licensee of the BigFix installation.
The organizations identified included numerous government organizations, large multinational corporations, health care providers, universities, insurers, major retailers, and financial service providers, along with a healthy number of technology firms.
A light review of published package names identified hundreds of potentially sensitive packages, including PowerShell and Batch files that appeared to create new user accounts, join client machines to an active directory domain, or set default credentials for various services used by the organization.
A review of the BigFix version numbers demonstrated that the majority of exposed relays ran BigFix 126.96.36.199, 188.8.131.52, or 184.108.40.206.