CA20180829-02: Security Notice for CA Unified Infrastructure Management
28 February 2021
Issued: August 29, 2018
Last Updated: August 29, 2018
CA Technologies Support is alerting customers to multiple potential risks with CA Unified Infrastructure Management. Multiple vulnerabilities exist that can allow an attacker who has access to the network on which CA UIM is running to run arbitrary CA UIM commands on machines where the CA UIM probes are running. An attacker can also gain access to other machines running CA UIM and access the filesystems of those machines.
The first vulnerability, CVE-2018-13819, has a medium risk rating and concerns a hardcoded secret key, which can allow an attacker to access sensitive information.
The second vulnerability, CVE-2018-13820, has a medium risk rating and concerns a hardcoded passphrase, which can allow an attacker to access sensitive information.
The third vulnerability, CVE-2018-13821, has a high risk rating and concerns a lack of authentication, which can allow a remote attacker to conduct a variety of attacks, including file reading/writing.
Risk Rating
Cumulative risk rating of High.
Platform(s)
All supported platforms
Affected Products
CA Unified Infrastructure Management 8.5.1, 8.5, 8.4.7
Unaffected Products
CA Unified Infrastructure Management 8.5.1, 8.5, 8.4.7 with the solutions listed below applied.
How to determine if the installation is affected
Review the UIM Vulnerability Patch 1 documentation to determine if all appropriate patches have been applied. Additionally, review KB000111575: CA UIM Best Practices For Secure Environments and CA UIM Best Practices for Securing Environments to mitigate CVE-2018-13821 to ensure that all best practices have been implemented.
Solution
Two solutions are available for CA UIM 8.5.1, CA UIM 8.5, and CA UIM 8.4.7 to resolve these vulnerabilities. Both solutions, UIM Vulnerability Patch 1 and UIM Best Practices for Secure Environments, must be implemented to effectively mitigate all three vulnerabilities.
- CA recommends installing UIM Vulnerability Patch 1 to resolve CVE-2018-13819 and CVE-2018-13820 as soon as possible. From the download link, select the directory that corresponds to your release to access the patch package.
- CA recommends securing the CA UIM deployment using the best practices described in KB000111575: CA UIM Best Practices For Secure Environments and CA UIM Best Practices for Securing Environments to mitigate CVE-2018-13821.
-OR-
If you feel the best practice recommendations are insufficient for your specific security needs, please contact CA Support to install and configure the CA UIM Secure Bus 8.01.
Note: While the secured version of the message bus has additional security features (e.g. encrypting all UIM traffic from robot to hub), the implementation requires additional prerequisites (such as requiring user-provided, signed X.509 certificates) and may have reduced functionality compared to the standard message bus.
Customers running any End of Service (EOS) release are strongly advised to upgrade to version 8.5.1 and take the remediation actions listed above to resolve the vulnerabilities immediately.
For the most up-to-date information about these CA Unified Infrastructure Management vulnerabilities, and for other important product information, please see the CA Unified Infrastructure Management Support page.
References
CVE-2018-13819 - CA UIM hardcoded secret key
CVE-2018-13820 - CA UIM hardcoded passphrase
CVE-2018-13821 - CA UIM lack of authentication
Acknowledgement
CVE-2018-13819 - Øystein Middelthun
CVE-2018-13820 - Øystein Middelthun
CVE-2018-13821 - Øystein Middelthun
Change History
Version 1.0: 2018-08-29 - Initial Release
CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.
Customers who require additional information about this notice may contact CA Technologies Support at http://support.ca.com/.
To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.