CVE-2023-34258: 
NixOS vulnerability analysis and mitigation

An issue was discovered in BMC Patrol before version 22.1.00 that allows remote querying of the agent's configuration. The vulnerability (CVE-2023-34258) was disclosed on May 31, 2023. The configuration contains the Patrol account password, which is encrypted with a default AES key, making it susceptible to decryption. This vulnerability affects all BMC Patrol installations prior to version 22.1.00 (NVD, Errno Advisory).

The vulnerability allows attackers to remotely query the configuration using the pconfig binary. The configuration contains an encrypted Patrol account password that uses a known default encryption key in versions before 22.1.00. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and high impact on confidentiality (NVD).

A successful exploitation of this vulnerability allows attackers to decrypt the Patrol account password, which can then be used to achieve remote code execution on the affected system. This compromises the confidentiality of the system and potentially enables further unauthorized access (Errno Advisory).

The vulnerability has been fixed in BMC Patrol version 22.1.00 and later by diversifying the encryption key. Organizations using affected versions should upgrade to version 22.1.00 or later to mitigate this vulnerability (Errno Advisory).