Message-ID: <DM6PR01MB40573C72B7A7D853E30C914BF10F0@DM6PR01MB4057.prod.exchangelabs.com>
Date: Fri, 31 Aug 2018 16:29:58 +0000
From: "Williams, Ken" <Ken.Williams@...com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CA20180829-02: Security Notice for CA Unified Infrastructure Management
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CA20180829-02: Security Notice for CA Unified Infrastructure Management

Issued: August 29, 2018
Last Updated: August 29, 2018

CA Technologies Support is alerting customers to multiple potential
risks with CA Unified Infrastructure Management. Multiple
vulnerabilities exist that can allow an attacker, who has access to
the network on which CA UIM is running, to run arbitrary CA UIM
commands on machines where the CA UIM probes are running. An attacker
can also gain access to other machines running CA UIM and access the
filesystems of those machines.

The first vulnerability, CVE-2018-13819, has a medium risk rating and
concerns a hardcoded secret key, which can allow an attacker to access
sensitive information.

The second vulnerability, CVE-2018-13820, has a medium risk rating and
concerns a hardcoded passphrase, which can allow an attacker to access
sensitive information.

The third vulnerability, CVE-2018-13821, has a high risk rating and
concerns a lack of authentication, which can allow a remote attacker
to conduct a variety of attacks, including file reading/writing.

Risk Rating

Cumulative risk rating of High.

Platform(s)

All supported platforms

Affected Products

CA Unified Infrastructure Management 8.5.1, 8.5, 8.4.7

Unaffected Products

CA Unified Infrastructure Management 8.5.1, 8.5, 8.4.7 with the
solutions listed below applied.

How to determine if the installation is affected

Review the UIM Vulnerability Patch 1 documentation [1] to determine if
all appropriate patches have been applied. Additionally, review
KB000111575: CA UIM Best Practices For Secure Environments [2] and CA
UIM Best Practices for Securing Environments to mitigate
CVE-2018-13821 [3] to ensure that all best practices have been
implemented.

Solution

Two solutions are available for CA UIM 8.5.1, CA UIM 8.5, and CA UIM
8.4.7 to resolve these vulnerabilities. Both solutions, UIM
Vulnerability Patch 1, and UIM Best Practices for Secure Environments,
must be implemented to effectively mitigate all three vulnerabilities.

* CA recommends installing UIM Vulnerability Patch 1 [1] to resolve
  CVE-2018-13819 and CVE-2018-13820 as soon as possible. From the
  download link, select the directory that corresponds to your release
  to access the patch package.

* CA recommends securing the CA UIM deployment using the best
  practices described in KB000111575: CA UIM Best Practices For Secure
  Environments [2] and CA UIM Best Practices for Securing Environments
  to mitigate CVE-2018-13821 [3].

-OR-

If you feel the best practice recommendations are insufficient for
your specific security needs, please contact CA Support to install and
configure the CA UIM Secure Bus 8.01.

Note: While the secured version of the message bus has additional
security features (e.g. encrypting all UIM traffic from robot to hub),
the implementation requires additional prerequisites (such as
requiring user-provided, signed X.509 certificates) and may have
reduced functionality compared to the standard message bus.

Customers running any End of Service (EOS) release are strongly
advised to upgrade to version 8.5.1 and take the remediation actions
listed above to resolve the vulnerabilities immediately.

For the most up-to-date information about these CA Unified
Infrastructure Management vulnerabilities, and for other important
product information, please see the CA Unified Infrastructure
Management Support page [4].

References

CVE-2018-13819 - CA UIM hardcoded secret key
CVE-2018-13820 - CA UIM hardcoded passphrase
CVE-2018-13821 - CA UIM lack of authentication

[1] ftp://UIMuser:CnIa24uJ@....ca.com/Important Hotfixes/UIM Vulnerability Patch 1/
[2] https://comm.support.ca.com/kb/ca-uim-best-practices-for-secure-environments/kb000111575
[3] https://support.ca.com/phpdocs/7/8384/8384-critical-alert-0716-2016.pdf
[4] https://support.ca.com/us/product-information/ca-unified-infrastructure-management.html

Acknowledgement

CVE-2018-13819 - Oystein Middelthun
CVE-2018-13820 - Oystein Middelthun
CVE-2018-13821 - Oystein Middelthun

Change History

Version 1.0: 2018-08-29 - Initial Release

Customers who require additional information about this notice may
contact CA Technologies Support at https://support.ca.com/

To report a suspected vulnerability in a CA Technologies product,
please send a summary to CA Technologies Product Vulnerability
Response at vuln <AT> ca.com

Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782

Regards,
Ken Williams
Vulnerability Response Director, Product Vulnerability Response Team

CA Technologies | 520 Madison Avenue, 22nd Floor, New York NY 10022

Copyright (c) 2018 CA. 520 Madison Avenue, 22nd Floor, New York, NY
10022. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: utf-8
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/