CVE-2020-35593: 
BMC Patrol Agent vulnerability analysis and mitigation

BMC PATROL Agent through version 20.08.00 contains a local privilege escalation vulnerability (CVE-2020-35593) that allows attackers to escalate privileges via vectors involving pconfig +RESTART -host command. The vulnerability was discovered and disclosed in late 2020 (NVD, Securifera).

The vulnerability exists due to the PatrolAgent service executing 'cmd /c bootime' without specifying an absolute path when the service starts. Since the application doesn't specify an extension, attackers can place a malicious file named 'boottime.bat' in a writable folder that appears earlier in the PATH search order. When combined with the ability to restart the service remotely using 'pconfig +RESTART -host' without authentication, this allows for privilege escalation. The vulnerability has a CVSS v3.1 Base Score of 7.8 HIGH (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) (NVD).

A successful exploitation of this vulnerability allows an attacker with local access to escalate privileges to SYSTEM level on the affected system. On domain controllers, this can lead to complete domain compromise, effectively allowing a domain user to gain domain admin privileges (Securifera).

The vulnerability has been patched by BMC. Organizations should upgrade to a version newer than 20.08.00. Additionally, organizations should review their PATH environment variables and ensure that no world-writable directories are included in the PATH, especially before system directories (Securifera).