HCL BigFix Remote Control <= 10.1.0.0442 Multiple Vulnerabilities

Severity: High. Nessus Plugin ID 318683

Synopsis

An application running on the remote host is affected by multiple vulnerabilities.

Description

The version of HCL BigFix Remote Control running on the remote host is 10.1.0.0442 or earlier. It is, therefore, affected by multiple vulnerabilities:

- A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define the CSP directives that have no fallback to default-src, allowing attackers to bypass the intended security restrictions and load unauthorized resources. (CVE-2026-21785)

- Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. (CVE-2026-33870)

- Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server's lack of a limit on the number of CONTINUATION frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. (CVE-2026-33871)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
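The CONTINUATION flood behind CVE-2026-33871 works because a cap on header-block bytes is never reached when every frame carries zero bytes. The following Python is an added example, not Netty's or HCL's code: it parses a constructed HTTP/2 frame stream and shows that a per-block frame-count limit rejects the flood while a size-only limit does not. The limit values, the sample HPACK bytes, and the function names are assumptions for the demonstration.

```python
HEADERS, CONTINUATION, END_HEADERS = 0x1, 0x9, 0x4  # RFC 9113 frame types and flag

def frame(ftype, flags, stream_id, payload=b""):
    """Serialize one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each frame in a byte stream."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, sid, payload
        off += 9 + length

def audit_header_blocks(data, max_header_bytes=8192, max_continuations=32):
    """Account for each header block (HEADERS then CONTINUATION frames up to END_HEADERS)
    and report whether a size-only limit and a frame-count limit would reject it."""
    blocks, cur = [], None
    for ftype, flags, sid, payload in iter_frames(data):
        if ftype == HEADERS:
            cur = {"stream": sid, "bytes": 0, "continuations": 0, "complete": False}
        elif ftype == CONTINUATION:
            if cur is None or cur["stream"] != sid:
                raise ValueError("CONTINUATION outside an open header block")
            cur["continuations"] += 1
        else:
            continue  # other frame types are not part of a header block
        cur["bytes"] += len(payload)  # HPACK payload is opaque here; only its size counts
        if flags & END_HEADERS:
            cur["complete"] = True
            blocks.append(cur)
            cur = None
    if cur is not None:  # a flood that never sends END_HEADERS is still a block
        blocks.append(cur)
    for b in blocks:
        b["size_limit_rejects"] = b["bytes"] > max_header_bytes
        b["count_limit_rejects"] = b["continuations"] > max_continuations
    return blocks

# Constructed sample: one ordinary request, then a zero-byte CONTINUATION flood.
SAMPLE = (frame(HEADERS, END_HEADERS, 1, b"\x82\x86\x84")  # HPACK: :method GET, :scheme http, :path /
          + frame(HEADERS, 0, 3, b"\x82")
          + frame(CONTINUATION, 0, 3) * 1000)              # 1000 empty frames, 9 KB on the wire
```

A server applying only max_header_bytes accepts the second block indefinitely; counting frames per block (and rejecting at the first excess frame rather than at END_HEADERS) is the mitigation the fixed Netty versions add.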

Solution

Upgrade to HCL BigFix Remote Control 10.1 Fix Pack 5 or later.

See Also

http://www.nessus.org/u?cac5396a

Plugin Details

Severity: High

ID: 318683

File Name: hcl_bigfix_remote_control_kb0130581.nasl

Version: 1.1

Type: Remote

Family: CGI abuses

Published: 6/4/2026

Updated: 6/4/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2026-33870

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Vulnerability Information

CPE: cpe:/a:ibm:tivoli_remote_control, cpe:/a:ibm:bigfix_remote_control

Required KB Items: installed_sw/IBM BigFix Remote Control

Patch Publication Date: 5/27/2026

Vulnerability Publication Date: 5/27/2026

Reference Information

CVE: CVE-2026-21785, CVE-2026-33870, CVE-2026-33871

CWE: 1021, 444, 770