CA20190523-01: Security Notice for CA Risk Authentication and CA Strong Authentication

29 November 2019

Issued: May 23, 2019

Last Updated: November 19, 2019

The Support team for CA Technologies, A Broadcom Company, is alerting customers to multiple potential risks with CA Risk Authentication and CA Strong Authentication. Multiple vulnerabilities exist that can allow a remote attacker to gain additional access in certain configurations or possibly gain sensitive information. CA published solutions to address the vulnerabilities and recommends that all affected customers implement these solutions immediately.

The first vulnerability, CVE-2019-7394, is caused by insufficient verification of custom privileges. A malicious actor who has access to an account with customized and limited privileges may, in some cases, access resources and perform actions outside the assigned privileges. This exposure does not affect installations in which no accounts have custom privileges.

The second vulnerability, CVE-2019-7393, may enable a malicious actor to conduct UI redress attacks to gain sensitive information in some cases.

Risk Rating

Medium

Platform(s)

All supported platforms

Affected Products

CA Risk Authentication 9.0.02 and prior

CA Risk Authentication 8.2.02 and prior, 8.1.x, 8.0.x

CA Risk Authentication 3.1.01_CR01 and prior

CA Strong Authentication 9.0.02 and prior

CA Strong Authentication 8.2.02 and prior, 8.1.x, 8.0.x

CA Strong Authentication 7.1.01_CR01 and prior

How to determine if the installation is affected

Customers should review the solution section to determine whether the fixes are present in their installations.

Solution

CA Technologies published the following solutions to address the vulnerabilities. These fixes are available on the CA support site at https://casupport.broadcom.com/download-center/download-center.html.

To find the fixes, use the following instructions:

From the CA support homepage, https://casupport.broadcom.com, customers should expand the MENU drop-down list, select DOWNLOAD MANAGEMENT, search for the product and select it from the drop-down list (CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort), CA Strong Authentication, or CA Risk Authentication). After the results load for the product, select Solution Downloads, and then select the appropriate product name. The fix will have a PUBLISHED SOLUTION name in the format "CA-ADVANCEDAUTH-X.X_ADMIN_VULNERABILITIES", where X.X is the product version, together with a single corresponding fix number. Note that the fix number differs for some product platforms, and not every fix number appears in the list below. Customers should contact support if further assistance is needed in determining the appropriate product fix.

Fix Table

Product versions   | Status                         | Package name                                 | Solution/APAR number
Risk Auth 9.0.02   | Fix published                  | CA-ADVANCEDAUTH-9.0.02_ADMIN_VULNERABILITIES | SS08921
Risk Auth 9.0.01   | Update to 9.0.02 and apply fix |                                              |
Risk Auth 9.0.00   | Fix published                  | CA-ADVANCEDAUTH-9.0_ADMIN_VULNERABILITIES    | SS08147
Risk Auth 8.2.2    | Update to 8.2.2 CP1            |                                              |
Risk Auth 8.2.1    | Fix published                  | CA-ADVANCEDAUTH-8.2.1_ADMIN_VULNERABILITIES  | SS10857
Risk Auth 8.2.00   | Fix published                  | CA-ADVANCEDAUTH-8.2_ADMIN_VULNERABILITIES    | SS08132
Risk Auth 8.1.3    | Fix published                  | CA-ADVANCEDAUTH-8.1.3_ADMIN_VULNERABILITIES  | SS09322
Risk Auth 3.1.01   | Fix published                  | CA-ADVANCEDAUTH-3.1.01_ADMIN_VULNERABILITIES | SS08144
Strong Auth 9.0.02 | Fix published                  | CA-ADVANCEDAUTH-9.0.02_ADMIN_VULNERABILITIES | SS09555
Strong Auth 9.0.01 | Update to 9.0.02 and apply fix |                                              |
Strong Auth 9.0.00 | Fix published                  | CA-ADVANCEDAUTH-9.0_ADMIN_VULNERABILITIES    | SS08146
Strong Auth 8.2.2  | Update to 8.2.2 CP1            |                                              |
Strong Auth 8.2.1  | Fix published                  | CA-ADVANCEDAUTH-8.2.1_ADMIN_VULNERABILITIES  | SS10856
Strong Auth 8.2.00 | Fix published                  | CA-ADVANCEDAUTH-8.2_ADMIN_VULNERABILITIES    | SS08143
Strong Auth 8.1.3  | Fix published                  | CA-ADVANCEDAUTH-8.1.3_ADMIN_VULNERABILITIES  | SS09321
Strong Auth 7.1.01 | Fix published                  | CA-ADVANCEDAUTH-7.1.01_ADMIN_VULNERABILITIES | SS08145

References

CVE-2019-7394 - CA Risk Authentication and Strong Authentication Privilege Escalation

CVE-2019-7393 - CA Risk Authentication and Strong Authentication Privilege UI Redress

Acknowledgement

CVE-2019-7393, CVE-2019-7394 - Rohit Yadav

Change History

Version 1.0: Initial Release

Version 1.1: 2019-05-23 - Corrected CVE identifier, added direct fix links

Version 2: 2019-06-06 - Updated affected versions, fix guidance and clarified fix versions

Version 3: 2019-08-08 - Added fix table with additional fix guidance

Version 4: 2019-11-19 - Added additional fix guidance for 8.2.1, 8.2.2

CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.

Customers who require additional information about this notice may contact CA Technologies Support at https://casupport.broadcom.com/.

To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.