
APM .NET Agent PerfMonCollectorAgent At least one improperly configured Windows service may have a privilege escalation vulnerability


Article ID: 243282


Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

A vulnerability scan reports the following finding in your environment:

Plugin Output: 
Path : e:\caapm\wily\bin\perfmoncollectoragent.exe
Used by services: PerfMonCollectorAgent

Synopsis:

At least one improperly configured Windows service may have a privilege escalation vulnerability.

Vulnerability Description:

At least one Windows service executable with insecure permissions was detected on the remote host. Services configured to use an executable with weak permissions are vulnerable to privilege escalation attacks.
An unprivileged user could modify or overwrite the executable with arbitrary code, which would be executed the next time the service is started. Depending on the user that the service runs as, this could result in privilege escalation.

Cause

In fact, the performance collector agent service runs under the local system account, and with the default .NET agent installation only authorized and system users have write/modify permissions on perfmoncollectoragent.exe.

Environment

APM 10.7
.NET Agent, all versions

Resolution

By default, the local system account has full control of the wily folder in the .NET Agent installation. For the perfmon collector to function properly, the local system account should have at least read, write, modify and execute permissions for the wily folder and the files under it. To allow the .NET agent to run smoothly, please check whether your security policy has any restrictions or specific rules against this.
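
To confirm on a given host that only the expected accounts can write to the service executable, the ACL can be audited as in the following added example (not Broadcom's code). The service name comes from the plugin output above; the `$Trusted` allowlist is an assumption and should be adjusted to match your security policy.

```powershell
# Added example: list non-allowlisted principals that can modify a service binary.
$ServiceName = 'PerfMonCollectorAgent'          # from the scanner output
$Trusted = @(                                   # assumed allowlist, adjust per policy
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Rights that allow replacing or altering the file, plus the raw
# GENERIC_ALL / GENERIC_WRITE bits that can appear on inherited folder ACEs.
$fsr = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($fsr'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership') `
    -bor 0x10000000 -bor 0x40000000

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found" }

# PathName may be quoted and may carry arguments; extract the executable only.
if ($svc.PathName -match '^\s*"([^"]+)"' -or $svc.PathName -match '^\s*(.+?\.exe)') {
    $exe = $Matches[1]
} else {
    throw "Cannot parse service path: $($svc.PathName)"
}

# Check the binary and its parent folder (a writable folder allows replacement).
$findings = foreach ($path in $exe, (Split-Path $exe -Parent)) {
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        $isAllow  = $ace.AccessControlType -eq 'Allow'
        $canWrite = ([int]$ace.FileSystemRights -band $WriteMask) -ne 0
        $identity = $ace.IdentityReference.Value
        if ($isAllow -and $canWrite -and $Trusted -notcontains $identity) {
            [pscustomobject]@{
                Path      = $path
                Identity  = $identity
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

"Service account: $($svc.StartName)"
if ($findings) { $findings | Format-Table -AutoSize }
else { "No write-capable ACEs outside the allowlist on $exe or its folder." }
```

Any row in the output is a principal outside the allowlist that can modify the binary or its folder; if that principal is an authorized account under your policy, add it to `$Trusted`.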

Additional Information

The following KB articles can also be useful when troubleshooting other similar issues in general:

APM - DotNET Agent will not connect to the Introscope Enterprise Manager
https://knowledge.broadcom.com/external/article?articleId=214106

APM Introscope .NET Agent - Troubleshooting and Best Practices
https://knowledge.broadcom.com/external/article/111638/apm-introscope-net-agent-troubleshootin.html