AE v12.3.6 HF2 includes a fix for a bug related to the Service Manager

A security issue has been fixed between the Automation Engine and the Servicemanager. (AE-26648)

What is the impact of this bug?

Release : 12.3.6 

Component : Automation Engine

This problem came in picture when client ran penetration tests on Service Manager 12.3.3 (and 12.2.2) and figured out how the AE does the authentication for the connection to the Service Manager: it uses a undocumented password parameter with a timestamp value.

This can be done by the user directly by using a timestamp via CLI as well:

UCYBSMCl.exe -c GET_PROCESS_LIST -h FE0VM1134 -n AE12EUP5 -p $((GetDate).ToUniversalTime().ToString("yyyMMdd$([char]0x01)HHmmss"))

So the user can basically authenticate without a password.

To change this behavior/security hole we would have to adapt the SMGR, AE, and provide a way to manage passwords. Its resolved in AE-26648.