lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 13 Feb 2020 20:03:32 -0600
From: Ken Williams via Fulldisclosure <>
Subject: [FD] CA20200205-01: Security Notice for CA Unified Infrastructure

Hash: SHA256

CA20200205-01: Security Notice for CA Unified Infrastructure Management

Issued: February 5th, 2020
Last Updated: February 14th, 2020

CA Technologies, A Broadcom Company, is alerting customers to three
vulnerabilities in CA Unified Infrastructure Management (Nimsoft / UIM).
Multiple vulnerabilities exist that can allow an unauthenticated remote
attacker to execute arbitrary code or commands, read from or write to
systems, or conduct denial of service attacks. CA published solutions to
address these vulnerabilities and recommends that all affected customers
implement these solutions.

The first vulnerability, CVE-2020-8010, occurs due to improper ACL
handling. A remote attacker can execute commands, read from, or write to
the target system.

The second vulnerability, CVE-2020-8011, occurs due to a null pointer
dereference. A remote attacker can crash the Controller service.

The third vulnerability, CVE-2020-8012, occurs due to a buffer overflow
vulnerability in the Controller service. A remote attacker can execute
arbitrary code.

Risk Rating

High (cumulative)


All supported robot platforms (i.e. Windows, Linux, Solaris, AIX, and

Affected Products

UIM product versions 9.20 and below are affected. The applicable
component is robot (also known as controller).
The robot versions below 7.97HF8, 9.20HF9 and 9.20SHF9 are affected.

How to determine if the installation is affected

Check for the controller version in IM or AC.  If the version is lower
than 7.97HF8 for UIM 9.0.2, and 9.20HF9 or 9.20SHF9 for UIM 9.2.0, then
it is affected.


CA Technologies published the following solutions to address the

robot_update patches 7.97HF8 (or above), 9.20HF9 (or above), and
9.20SHF9 (or above)

Note: UIM 8.5.1 users must upgrade robot to 7.97HF8.

Hotfixes are available at (url may wrap):


CVE-2020-8010 - CA UIM Probe Improper ACL Handling RCE
CVE-2020-8011 - CA UIM Improper Probe Handling NPD DoS
CVE-2020-8012 - CA UIM nimbuscontroller Buffer Overflow RCE


CVE-2020-8010 - Milton Valencia (wetw0rk), IBM Public Cloud Red Team
CVE-2020-8011 - Milton Valencia (wetw0rk), IBM Public Cloud Red Team
CVE-2020-8012 - Milton Valencia (wetw0rk), IBM Public Cloud Red Team

Change History

Version 1.0: 2020-02-05 - Initial Release
Version 1.1: 2020-02-14 - Clarified "How to determine if installation
is affected" section

CA customers may receive product alerts and advisories by subscribing
to Proactive Notifications on the support site.

Customers who require additional information about this notice may
contact CA Technologies Support at

To report a suspected vulnerability in a CA Technologies product,
please send a summary to the CA Technologies Product Vulnerability
Response Team at ca.psirt <AT>

Security Notices, PGP key, disclosure policy, and related guidance can
be found at

Ken Williams
Vulnerability and Incident Response, CA PSIRT
Broadcom | | Kansas City, Missouri, USA
ken.williams <AT> | ca.psirt <AT>

Copyright © 2020 Broadcom. All Rights Reserved. The term “Broadcom”
refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse
logo, Connecting everything, CA Technologies and the CA technologies
logo are among the trademarks of Broadcom. All trademarks, trade names,
service marks and logos referenced herein belong to their respective

Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: utf-8


Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists