CVE-2025-55111

BMC Control-M/Agent insecure default SSL/TLS file permissions

Severity: Medium (5.5)

Certain files with overly permissive permissions were identified in the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions as well as in newer versions which were upgraded from an affected version. These files contain keys and passwords relating to SSL/TLS files, keystore and policies. An attacker with local access to the system running the Agent can access these files.

Determine which Control-M/Agents use SSL/TLS communication with Control-M/Server:

1. Open the Control-M Configuration Manager (CCM)
2. If the SSL column is not currently showing, right click on any column header and select "Column chooser"
3. From the Column chooser dialog, drag the "SSL" column into the columns view.
4. Select each Control-M/Server in the tree on the left to view the Control-M/Agents in the middle pane
5. In the "Type" column header, set the filter to "Control-M Agent"
6. Sort by the SSL column and any Agents with SSL set to "Enabled" will need to be handled below
7. To create a file with this list of Agents, select the dropdown on the top left next to Home, then select Exports List

Primary Solution:

1. Upgrade to a fully supported version of Control-M/Agent (if not on a supported version).
   Recommend the latest major version and Fix Pack available
2. As the Agent user, run the following command on each Unix/Linux Agent with SSL/TLS enabled:
   $CONTROLM/toolbox/permission_check.sh
3. If the check finds any problems, run the command:
   $CONTROLM/toolbox/permission_check.sh --force

Alternate Solution when unable to upgrade yet:

1. For all Unix/Linux Agents with SSL/TLS enabled, determine the communication mode (Persistent vs Transient).
   Run the following command as the Agent user:
   ag_diag_comm | grep "Server-Agent Connection mode"
2. Determine which OS users need access to SSL/TLS files, based on the Agent mode returned from the previous step.
   • Transient:
     The Agent user needs access, and additionally users who run Agent utilities also need some access.
   • Transient (by Java):
     Only the Agent user needs access to SSL/TLS files.
   • Persistent:
     Only the Agent user needs access to SSL/TLS files.
3. Update file authorizations.
   Please consult your Unix/Linux System Administrator for assistance to verify and change permissions as needed.
   • $CONTROLM/data/SSL/cert
     • Read/Write permissions are required by the Agent user to the files in this folder.
     • Read permissions are required by any additional users which use Agent utilities to the files in this folder.
   • $CONTRLOM/data/PASSWRDS.dat
     • Read/Write permissions are required to change the passwords in the local Agent password repository with the ctmpwd utility.
     • Read permissions are required to access the passwords in the local Agent password repository (for example, when the user starts up the Agent on UNIX/Linux with the start-ag command).
   • $CONTROLM/data/keys/local.key
     • Read/Write permissions are required to change the key with the ctmagcpk utility.
     • Read permissions are required to change passwords in the local Agent password repository with the ctmpwd utility.
     • Read permissions are required to execute Agent utilities in Helix Control-M.
     • Read permissions are required to execute the ctmgetccp utility.
   • $CONTROLM/data/keys/ctm_key.txt
     • Read permissions are required for an Agent user only.
   • $CONTROLM/data/JAVACONF.dat
     • Read permissions are required for an Agent user only.