Message-ID: <DM6PR01MB40573C72B7A7D853E30C914BF10F0@DM6PR01MB4057.prod.exchangelabs.com>
Date: Fri, 31 Aug 2018 16:29:58 +0000
From: "Williams, Ken" <Ken.Williams@...com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CA20180829-02: Security Notice for CA Unified Infrastructure Management

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CA20180829-02: Security Notice for CA Unified Infrastructure Management

Issued: August 29, 2018
Last Updated: August 29, 2018

CA Technologies Support is alerting customers to multiple potential 
risks with CA Unified Infrastructure Management. Multiple 
vulnerabilities exist that can allow an attacker, who has access to 
the network on which CA UIM is running, to run arbitrary CA UIM 
commands on machines where the CA UIM probes are running.  An attacker 
can also gain access to other machines running CA UIM and access the 
filesystems of those machines.

The first vulnerability, CVE-2018-13819, has a medium risk rating and 
concerns a hardcoded secret key, which can allow an attacker to access 
sensitive information.

The second vulnerability, CVE-2018-13820, has a medium risk rating and 
concerns a hardcoded passphrase, which can allow an attacker to access 
sensitive information.

The third vulnerability, CVE-2018-13821, has a high risk rating and 
concerns a lack of authentication, which can allow a remote attacker 
to conduct a variety of attacks, including file reading/writing.


Risk Rating

Cumulative risk rating of High.


Platform(s)

All supported platforms


Affected Products

CA Unified Infrastructure Management 8.5.1, 8.5, 8.4.7


Unaffected Products

CA Unified Infrastructure Management 8.5.1, 8.5, 8.4.7 with the 
solutions listed below applied. 


How to determine if the installation is affected

Review the UIM Vulnerability Patch 1 documentation [1] to determine if 
all appropriate patches have been applied.  Additionally, review 
KB000111575: CA UIM Best Practices For Secure Environments [2] and CA 
UIM Best Practices for Securing Environments to mitigate 
CVE-2018-13821 [3] to ensure that all best practices have been 
implemented.


Solution

Two solutions are available for CA UIM 8.5.1, CA UIM 8.5, and CA UIM 
8.4.7 to resolve these vulnerabilities.  Both solutions, UIM 
Vulnerability Patch 1, and UIM Best Practices for Secure Environments, 
must be implemented to effectively mitigate all three vulnerabilities.

* CA recommends installing UIM Vulnerability Patch 1 [1] to resolve 
CVE-2018-13819 and CVE-2018-13820 as soon as possible.  From the 
download link, select the directory that corresponds to your release 
to access the patch package.

* CA recommends securing the CA UIM deployment using the best 
practices described in KB000111575: CA UIM Best Practices For Secure 
Environments [2] and CA UIM Best Practices for Securing Environments 
to mitigate CVE-2018-13821 [3].

-OR-

If you feel the best practice recommendations are insufficient for 
your specific security needs, please contact CA Support to install and 
configure the CA UIM Secure Bus 8.01.

Note: While the secured version of the message bus has additional 
security features (e.g. encrypting all UIM traffic from robot to hub), 
the implementation requires additional prerequisites (such as 
requiring user-provided, signed X.509 certificates) and may have 
reduced functionality compared to the standard message bus. 

Customers running any End of Service (EOS) release are strongly 
advised to upgrade to version 8.5.1 and take the remediation actions 
listed above to resolve the vulnerabilities immediately.  

For the most up-to-date information about these CA Unified 
Infrastructure Management vulnerabilities, and for other important 
product information, please see the CA Unified Infrastructure 
Management Support page [4].


References

CVE-2018-13819 - CA UIM hardcoded secret key
CVE-2018-13820 - CA UIM hardcoded passphrase
CVE-2018-13821 - CA UIM lack of authentication
[1] ftp://UIMuser:CnIa24uJ@....ca.com/Important Hotfixes/UIM Vulnerability Patch 1/
[2] https://comm.support.ca.com/kb/ca-uim-best-practices-for-secure-environments/kb000111575
[3] https://support.ca.com/phpdocs/7/8384/8384-critical-alert-0716-2016.pdf
[4] https://support.ca.com/us/product-information/ca-unified-infrastructure-management.html

Acknowledgement

CVE-2018-13819 - Oystein Middelthun
CVE-2018-13820 - Oystein Middelthun
CVE-2018-13821 - Oystein Middelthun


Change History

Version 1.0: 2018-08-29 - Initial Release


Customers who require additional information about this notice may
contact CA Technologies Support at https://support.ca.com/

To report a suspected vulnerability in a CA Technologies product,
please send a summary to CA Technologies Product Vulnerability
Response at vuln <AT> ca.com

Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782

Regards,
Ken Williams
Vulnerability Response Director, Product Vulnerability Response Team
CA Technologies | 520 Madison Avenue, 22nd Floor, New York NY 10022


Copyright (c) 2018 CA. 520 Madison Avenue, 22nd Floor, New York, NY
10022.  All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
