CA20180614-01: Security Notice for CA Privileged Access Manager
Jun 15 2018 01:06AM
Williams, Ken (Ken Williams ca com)
-----BEGIN PGP SIGNED MESSAGE-----
CA20180614-01: Security Notice for CA Privileged Access Manager
Issued: June 14th, 2018
Last Updated: June 14th, 2018
CA Technologies Support is alerting customers to multiple potential
risks with CA Privileged Access Manager. Multiple vulnerabilities
exist that can allow a remote attacker to conduct a variety of attacks.
These risks include seven vulnerabilities privately reported within
the past year to CA Technologies by security researchers, and nine
vulnerabilities for Xceedium Xsuite that were publicly disclosed in
July 2015. CA Technologies acquired Xceedium in August 2015, and
Xceedium products were renamed and became part of Privileged Access
Management solutions from CA Technologies.
The first vulnerability, CVE-2018-9021, has a high risk rating and
concerns the ajax_cmd.php file, which can allow a remote attacker to
execute arbitrary commands.
The second vulnerability, CVE-2018-9022, has a high risk rating and
concerns configuration file poisoning, which can allow a remote
attacker to execute arbitrary code.
The third vulnerability, CVE-2018-9023, has a medium risk rating and
concerns the update_crld script, which can allow an unprivileged user
to gain root privileges.
The fourth vulnerability, CVE-2018-9024, has a low risk rating and
concerns IP spoofing in logs, which can allow a remote attacker to
masquerade as another machine.
The fifth vulnerability, CVE-2018-9025, has a low risk rating and
concerns insufficient input validation on the login page, which can
allow a remote attacker to poison a log file.
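The fourth and fifth findings above both come down to how a login page records attacker-influenced values. The following Python is an added illustration of the defensive pattern, not code from CA Privileged Access Manager or from this notice: the recorded client address is taken from a proxy-supplied header only when the TCP peer is a proxy the operator controls, and every untrusted string is stripped of control characters before it is written to a line-oriented log. The proxy address in TRUSTED_PROXIES, the function names and the sample addresses are all assumed for the example.

```python
import ipaddress
import re
from typing import Optional

# Assumed deployment detail (not from the advisory): the only reverse proxy
# that may legitimately set X-Forwarded-For in front of the login page.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# Control characters, including CR and LF, that would let a submitted value
# start a new line (and thus a forged entry) in a line-oriented log.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def client_ip(peer_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Return the address that should be recorded for this request.

    X-Forwarded-For is client-supplied. It is honoured only when the TCP peer
    is one of our own proxies, and then only its right-most entry, which is
    the one that proxy appended itself. Anything else falls back to the peer.
    """
    peer = ipaddress.ip_address(peer_addr)
    if x_forwarded_for and peer in TRUSTED_PROXIES:
        rightmost = x_forwarded_for.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(rightmost))
        except ValueError:
            pass  # malformed header value: record the proxy's own address
    return str(peer)


def sanitize_field(value: str, max_len: int = 64) -> str:
    """Make an untrusted string safe to embed in one log line: control
    characters become '?', and the length is bounded so an oversized
    submission cannot bloat or wrap the entry."""
    return _CONTROL_CHARS.sub("?", value)[:max_len]


def login_log_line(peer_addr: str, x_forwarded_for: Optional[str],
                   username: str, success: bool) -> str:
    """Build the audit line for a login attempt from untrusted inputs."""
    outcome = "SUCCESS" if success else "FAILURE"
    return (f"login {outcome} user={sanitize_field(username)} "
            f"ip={client_ip(peer_addr, x_forwarded_for)}")


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    print(login_log_line("203.0.113.9", "198.51.100.7", "alice", True))
    print(login_log_line("203.0.113.9", None,
                         "bob\r\nlogin SUCCESS user=admin ip=127.0.0.1", False))
```

The second sample call shows why the control-character filter matters: without it, the CR/LF inside the submitted username would produce a second, fabricated "login SUCCESS" line in the audit log, and without the trusted-proxy check the first call would let any client choose the address recorded against its attempt.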
The sixth vulnerability, CVE-2018-9026, has a medium risk rating and
concerns insecure handling of user sessions in multiple scripts, which
can allow a remote attacker to conduct session fixation attacks.
The seventh vulnerability, CVE-2018-9027, has a medium risk rating and
concerns insufficient input validation in multiple scripts, which can
allow a remote attacker to conduct reflected XSS attacks.
The eighth vulnerability, CVE-2015-4664, has a high risk rating and
concerns insufficient input validation in the login.php script, which
can allow a remote attacker to execute arbitrary commands.
The ninth vulnerability, CVE-2015-4665, has a medium risk rating and
concerns insufficient input validation in the ajax_cmd.php script,
which can allow a remote attacker to conduct reflected XSS attacks.
The tenth vulnerability, CVE-2015-4666, has a high risk rating and
concerns insufficient input validation in the read_sessionlog.php
script, which can allow an unauthenticated remote attacker to conduct
directory traversal attacks and download sensitive information.
The eleventh vulnerability, also CVE-2015-4664, has a high risk rating
and concerns insufficient input validation by the spadmind script,
which can allow a local attacker to execute privileged commands.
The twelfth vulnerability, CVE-2015-4667, has a low risk rating and
concerns the use of hard-coded credentials in multiple scripts, which
can allow an attacker to potentially conduct a variety of attacks.
The thirteenth vulnerability, CVE-2015-4669, has a high risk rating
and concerns insecure database credentials, which can allow a local
user to conduct a variety of attacks.
The fourteenth vulnerability, CVE-2015-4668, has a low risk rating and
concerns the openwin.php script, which can allow a remote attacker to
conduct open redirect attacks.
The fifteenth vulnerability, CVE-2018-9028, has a low risk rating and
concerns unsalted passwords, which can allow an attacker to more
easily crack passwords.
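The fifteenth finding names the weakness but not the remedy. As an added example, not code from the product or from this notice, the Python below places the unsalted scheme beside the one a practitioner would expect: a random per-user salt and a deliberately slow key derivation (PBKDF2-HMAC-SHA256 here, an assumption for illustration; the notice does not say what release 3.0.0 uses). The stored-record format, the iteration count and the function names are all chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Weak scheme of the kind the "unsalted passwords" finding describes: a single
# plain digest. Two users with the same password store the same value, and one
# precomputed table of digests cracks every account at once.
def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Hardened scheme (assumed for the example): random 16-byte salt per record and
# a slow KDF. Stored as "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>".
ITERATIONS = 600_000


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a storable record; the salt is only injectable for testing."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and iteration count and
    compare in constant time, so a wrong guess leaks nothing through timing."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False  # malformed record is never a match
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed sample password, not a real credential.
    pw = "Winter2018!"
    print("unsalted, same for both users:", unsalted_hash(pw) == unsalted_hash(pw))
    r1, r2 = make_record(pw), make_record(pw)
    print("salted, differs per record:   ", r1 != r2)
    print("verify correct password:      ", verify(pw, r1))
    print("verify wrong password:        ", verify("Summer2018!", r1))
```

The contrast is the point: with the salted records an attacker who obtains the database must attack each account separately at the cost of ITERATIONS derivations per guess, whereas the unsalted digests can be matched against a single shared table.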
The sixteenth vulnerability, CVE-2018-9029, has a medium risk rating
and concerns insufficient input validation in multiple scripts, which
can allow an attacker to conduct SQL injection attacks.
Risk/Severity
CVE-2018-9021 - High
CVE-2018-9022 - High
CVE-2018-9023 - Medium
CVE-2018-9024 - Low
CVE-2018-9025 - Low
CVE-2018-9026 - Medium
CVE-2018-9027 - Medium
CVE-2015-4664 - High
CVE-2015-4665 - Medium
CVE-2015-4666 - High
CVE-2015-4667 - Low
CVE-2015-4669 - High
CVE-2015-4668 - Low
CVE-2018-9028 - Low
CVE-2018-9029 - Medium
Platform(s)
All supported platforms
Affected Products
CA Privileged Access Manager 2.x
Non-affected Products
CA Privileged Access Manager 3.0.0 or later
How to determine if the installation is affected
Customers may use the CA Privileged Access Manager interface to find
the release and then use the table in the Affected Products section to
determine if the installation is vulnerable.
Solution
CA Technologies published the following solution to address the
vulnerabilities in CA Privileged Access Manager:
Update to CA Privileged Access Manager 3.0.0 or later to address all
vulnerabilities in this security notice.
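The check described above is a manual one: read the release from the product interface and compare it with the table. For a fleet, the same decision can be scripted. The Python below is an added example, not a CA tool or part of this notice; it encodes only what the notice states (the 2.x line is affected, 3.0.0 or later is not) and assumes that the release string copied from the interface contains a dotted numeric version. The host names and release strings in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# From the notice: 3.0.0 or later addresses every finding it lists.
FIXED_RELEASE = (3, 0, 0)


def parse_release(text: str) -> Tuple[int, ...]:
    """Pull the dotted numeric release out of whatever the interface shows,
    ignoring product name or build annotations around it. Raises ValueError
    when no number is present, so an empty or unexpected string is never
    silently treated as 'not affected'."""
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no release number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(release_text: str) -> bool:
    """True when the installed release predates 3.0.0 (the 2.x line)."""
    rel = parse_release(release_text)
    # Pad short forms so "3" compares equal to 3.0.0 rather than below it.
    rel = rel + (0,) * max(0, len(FIXED_RELEASE) - len(rel))
    return rel < FIXED_RELEASE


def hosts_needing_update(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose recorded release is still in the affected range.
    Unparseable entries are reported too, since they need a human look."""
    pending = []
    for host, release in inventory.items():
        try:
            if is_affected(release):
                pending.append(host)
        except ValueError:
            pending.append(host)
    return sorted(pending)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts or versions.
    sample = {
        "pam-nyc-1": "CA Privileged Access Manager 2.8.2",
        "pam-nyc-2": "3.0.0 (build 4711)",
        "pam-lon-1": "3.1",
        "pam-lon-2": "unknown",
    }
    print("update required:", hosts_needing_update(sample))
```

Treating an unreadable release as "needs attention" rather than "fine" is the deliberate choice here; a check that defaults to not-affected on bad input would hide exactly the hosts least likely to be patched.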
References
CVE-2018-9021 - PAM ajax_cmd.php RCE
CVE-2018-9022 - PAM configuration file poisoning RCE
CVE-2018-9023 - PAM update_crld privilege escalation
CVE-2018-9024 - PAM IP spoofing in logs
CVE-2018-9025 - PAM log poisoning
CVE-2018-9026 - PAM session fixation
CVE-2018-9027 - PAM reflected XSS
CVE-2015-4664 - PAM login.php RCE
CVE-2015-4665 - PAM ajax_cmd.php reflected XSS
CVE-2015-4666 - PAM read_sessionlog.php directory traversal
CVE-2015-4664 - PAM spadmind command execution
CVE-2015-4667 - PAM hard-coded credentials
CVE-2015-4669 - PAM insecure database credentials
CVE-2015-4668 - PAM openwin.php open redirect
CVE-2018-9028 - PAM unsalted passwords
CVE-2018-9029 - PAM SQL injection
Acknowledgements
CVE-2018-9021 - Peter Lapp
CVE-2018-9022 - Dan Cocking
CVE-2018-9023 - Peter Lapp
CVE-2018-9024 - Peter Lapp
CVE-2018-9025 - Peter Lapp
CVE-2018-9026 - Peter Lapp
CVE-2018-9027 - Peter Lapp
Change History
Version 1.0: 2018-06-14 - Initial Release
Customers who require additional information about this notice may
contact CA Technologies Support at https://support.ca.com/
To report a suspected vulnerability in a CA Technologies product,
please send a summary to CA Technologies Product Vulnerability
Response at vuln <AT> ca.com
Security Notices and PGP key
Vulnerability Response Director, Product Vulnerability Response Team
CA Technologies | 520 Madison Avenue, 22nd Floor, New York NY 10022
Copyright (c) 2018 CA. 520 Madison Avenue, 22nd Floor, New York, NY
10022. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15238)
-----END PGP SIGNATURE-----