lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 20 Nov 2020 16:54:11 -0600
From: Ken Williams via Fulldisclosure <>
Subject: [FD] CA20201116-01: Security Notice for CA Unified Infrastructure

Hash: SHA256

CA20201116-01: Security Notice for CA Unified Infrastructure Management

Issued: November 16th, 2020
Last Updated: November 16th, 2020

CA Technologies, A Broadcom Company, is alerting customers to a
vulnerability in CA Unified Infrastructure Management. A vulnerability
exists that can allow a local attacker to elevate privileges. CA
published solutions to address this vulnerability and recommends that
all affected customers implement these solutions.

The vulnerability, CVE-2020-28421, occurs due to improper access
control.  A local attacker can potentially elevate privileges.

Risk Rating

CVE-2020-28421 - High


Microsoft Windows

Affected Products

CA Unified Infrastructure Management 20.1
CA Unified Infrastructure Management 9.2.0
CA Unified Infrastructure Management 9.1.0
CA Unified Infrastructure Management 9.0.2
Note: older, unsupported versions may be affected

Affected Components

The applicable component is robot (also known as controller).
Affected robot versions:
before 7.97HF11
before 9.20HF20
before 9.20SHF20 (secure)
before 9.30HF4
before 9.30SHF4 (secure)

Non-Affected Products

CA Unified Infrastructure Management 20.3

Non-Affected Components

Non-affected robot versions:
7.97HF11 or later
9.20HF20 or later
9.20SHF20 (secure) or later
9.30HF4 or later
9.30SHF4 (secure) or later

How to determine if the installation is affected

Check for the controller version in Infrastructure Manager or Admin
Console.  If the version is lower than 7.97HF11 for UIM 9.0.2,
9.20HF20 or 9.20SHF20 for UIM 9.2.0, 9.30HF4 or 9.30SHF4 for UIM 20.1,
then it is affected.


CA Technologies published the following solutions to address the

robot_update patches 7.97HF11 (or above), 9.20HF20 (or above) and
9.30HF4 (or above).

robot_update_secure patches 9.20SHF20 (or above) and 9.30SHF4 (or above).

Note: UIM 8.5.1 users must upgrade robot to 7.97HF11. UIM
9.1.0 users must upgrade robot to 9.20HF20 (or above).

Hotfixes are available at:


CVE-2020-28421 – CA UIM improper access control privilege elevation


CVE-2020-28421 – Fabius Artrel

Change History

Version 1.0: 2020-11-16 - Initial Release

CA customers may receive product alerts and advisories by subscribing
to Proactive Notifications on the support site.

Customers who require additional information about this notice may
contact CA Technologies Support at

To report a suspected vulnerability in a CA Technologies product,
please send a summary to the CA Technologies Product Vulnerability
Response Team at ca.psirt <AT>

Security Notices, PGP key, disclosure policy, and related guidance can
be found at:

Ken Williams
Vulnerability and Incident Response, CA PSIRT
Broadcom | | Kansas City, Missouri, USA
ken.williams <AT> | ca.psirt <AT>

Copyright (c) 2020 Broadcom. All Rights Reserved. The term "Broadcom"
refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse
logo, Connecting everything, CA Technologies and the CA technologies
logo are among the trademarks of Broadcom. All trademarks, trade names,
service marks and logos referenced herein belong to their respective

Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: utf-8


Download attachment "smime.p7s" of type "application/pkcs7-signature" (4168 bytes)

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists