
CA Risk / Strong Authentication Privilege Escalation

CA Risk / Strong Authentication Privilege Escalation
Posted May 24, 2019
Authored by Kevin Kotas, Rohit Yadav | Site www3.ca.com

The Support team for CA Technologies, A Broadcom Company, is alerting customers to multiple potential risks with CA Risk Authentication and CA Strong Authentication. Multiple vulnerabilities exist that can allow a remote attacker to gain additional access in certain configurations or possibly gain sensitive information. CA published solutions to address the vulnerabilities and recommends that all affected customers implement these solutions immediately. The first vulnerability occurs due to insufficient verification of custom privileges. A malicious actor who has access to an account with customized and limited privileges may, in some cases, access resources and act outside of assigned privileges. This exposure does not affect installations where accounts do not have custom privileges. The second vulnerability may enable a malicious actor to conduct UI redress attacks to gain sensitive information in some cases. Affected products include CA Risk Authentication versions 9.0, 8.x, and 3.1 as well as CA Strong Authentication versions 9.0, 8.x, and 7.1.

tags | advisory, remote, vulnerability
advisories | CVE-2019-7393, CVE-2019-7394
SHA-256 | ef42b4a17a8b60fc53d7e5c399e58653c06578f01ab6db7ea9f0569b72b8882d

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CA20190523-01: Security Notice for CA Risk Authentication and CA
Strong Authentication

Issued: May 23, 2019
Last Updated: May 23, 2019

The Support team for CA Technologies, A Broadcom Company, is alerting
customers to multiple potential risks with CA Risk Authentication and
CA Strong Authentication. Multiple vulnerabilities exist that can
allow a remote attacker to gain additional access in certain
configurations or possibly gain sensitive information. CA published
solutions to address the vulnerabilities and recommends that all
affected customers implement these solutions immediately.

The first vulnerability, CVE-2019-7394, occurs due to insufficient
verification of custom privileges. A malicious actor who has access
to an account with customized and limited privileges may, in some
cases, access resources and act outside of assigned privileges. This
exposure does not affect installations where accounts do not have
custom privileges.
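The advisory does not describe how the custom-privilege check fails, so the following is an added, generic illustration (not CA code) of the pattern behind that class of bug: a check that matches the requested action and resource type but never the scope the custom privilege was limited to, beside a deny-by-default check that covers every axis of the request. The privilege model, scope names and accounts are constructed for the example.

```python
"""Deny-by-default verification of custom (scoped) privileges.

Added illustration, not CA code. Models the failure mode the advisory
names: an account holding a customized, limited privilege set acting
outside it. Privilege names, scopes and accounts are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Privilege:
    action: str          # "read", "update", ...
    resource_type: str   # "user", "policy", ...
    scope: str           # organization the privilege is limited to; "*" = all


@dataclass(frozen=True)
class Account:
    name: str
    privileges: frozenset  # frozenset of Privilege


def weak_is_authorized(account, action, resource_type, scope):
    """Insufficient check: matches action and type but ignores the scope,
    so a privilege limited to one organization grants access to all."""
    return any(p.action == action and p.resource_type == resource_type
               for p in account.privileges)


def is_authorized(account, action, resource_type, scope):
    """Correct check: every axis of the request must be explicitly covered
    by some privilege; anything unmatched is denied."""
    return any(p.action == action
               and p.resource_type == resource_type
               and p.scope in ("*", scope)
               for p in account.privileges)


def find_overreach(account, requests):
    """Return the (action, resource_type, scope) requests the weak check
    would allow but the full check denies. Handy when auditing custom
    privilege definitions for accounts that should be limited."""
    return [r for r in requests
            if weak_is_authorized(account, *r) and not is_authorized(account, *r)]


# Constructed sample accounts: one limited to a single organization,
# one with global scope.
HELPDESK_EMEA = Account("helpdesk-emea", frozenset({
    Privilege("read", "user", "EMEA"),
    Privilege("update", "user", "EMEA"),
}))
GLOBAL_ADMIN = Account("global-admin", frozenset({
    Privilege("read", "user", "*"),
    Privilege("update", "user", "*"),
    Privilege("delete", "user", "*"),
}))

# Constructed sample requests the limited account might attempt.
SAMPLE_REQUESTS = [
    ("read", "user", "EMEA"),    # inside assigned scope
    ("read", "user", "APAC"),    # outside assigned scope
    ("delete", "user", "EMEA"),  # action never granted
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, "weak:", weak_is_authorized(HELPDESK_EMEA, *req),
              "full:", is_authorized(HELPDESK_EMEA, *req))
    print("overreach:", find_overreach(HELPDESK_EMEA, SAMPLE_REQUESTS))
```

The point of `find_overreach` is the review step: after applying a fix of this kind, enumerate the limited accounts and the resources they touch and confirm that nothing the scope-blind check used to permit is still reachable.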

The second vulnerability, CVE-2019-7393, may enable a malicious actor
to conduct UI redress attacks to gain sensitive information in some
cases.
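UI redress (clickjacking) is mitigated by telling the browser which origins may frame a page, via the Content-Security-Policy `frame-ancestors` directive or the older `X-Frame-Options` header. The advisory does not say which pages were affected, so the following is an added, generic check (not CA code) that a defender can run over captured response headers to find pages that can be framed from anywhere. It applies the browser rule that `frame-ancestors`, when present, takes precedence over `X-Frame-Options`; the sample header sets are constructed.

```python
"""Classify HTTP responses by their anti-framing protection.

Added illustration, not CA code. Given a response's headers, report
whether framing is restricted by CSP frame-ancestors ('csp'), by
X-Frame-Options ('xfo'), or not at all (None). The sample responses
at the bottom are constructed.
"""


def _parse_csp(value):
    """Return {directive: [source tokens]} from a CSP header value.
    Tokens are lower-cased; quoted keywords keep their quotes so that
    'self' and 'none' stay distinguishable from host names."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def framing_protection(headers):
    """Return 'csp', 'xfo', or None for an unprotected response."""
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy")
    if csp:
        ancestors = _parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            # frame-ancestors is authoritative: browsers ignore X-Frame-Options
            # when it is present. A wildcard or bare scheme lets any site frame.
            if any(tok in ("*", "http:", "https:") for tok in ancestors):
                return None
            return "csp"  # 'none', 'self', or an explicit origin allow-list

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    # ALLOW-FROM is obsolete and ignored by current browsers, so it does
    # not count as protection; neither does an absent header.
    return None


def unprotected_pages(responses):
    """Return the names of responses that carry no effective anti-framing
    header, for a {name: headers} mapping."""
    return [name for name, hdrs in responses.items()
            if framing_protection(hdrs) is None]


# Constructed sample responses from a hypothetical admin console.
SAMPLE_RESPONSES = {
    "/console/login": {"X-Frame-Options": "SAMEORIGIN"},
    "/console/users": {"Content-Security-Policy":
                       "default-src 'self'; frame-ancestors 'none'"},
    "/console/report": {"Content-Security-Policy": "frame-ancestors *",
                        "X-Frame-Options": "DENY"},
    "/console/legacy": {"X-Frame-Options": "ALLOW-FROM https://portal.example"},
    "/console/help": {},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(name, "->", framing_protection(hdrs))
    print("unprotected:", unprotected_pages(SAMPLE_RESPONSES))
```

The `/console/report` case is the one that is easy to miss in a manual review: `X-Frame-Options: DENY` looks safe, but the wildcard `frame-ancestors` next to it is what the browser honours, so the page is still frameable.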

Risk Rating

Medium

Platform(s)

All supported platforms

Affected Products

CA Risk Authentication 9.0
CA Risk Authentication 8.x
CA Risk Authentication 3.1

CA Strong Authentication 9.0
CA Strong Authentication 8.x
CA Strong Authentication 7.1

How to determine if the installation is affected

Customers should review the solution section to determine whether the
fixes are present in their installations.

Solution

CA Technologies published the following solutions to address the
vulnerabilities. These fixes are available on the CA support site
https://support.ca.com.

CA Risk Authentication 9.0,
CA Strong Authentication 9.0:
SS08146

CA Risk Authentication 8.x,
CA Strong Authentication 8.x:
SS08143

CA Risk Authentication 3.1:
SS08144

CA Strong Authentication 7.1:
SS08145

References

CVE-2019-7394 - CA Risk Authentication and Strong Authentication
Privilege Escalation
CVE-2019-7393 - CA Risk Authentication and Strong Authentication
Privilege UI Redress

Acknowledgement

CVE-2019-7393, CVE-2019-7394 - Rohit Yadav

Change History

Version 1.0: Initial Release


CA customers may receive product alerts and advisories by subscribing
to Proactive Notifications.

Customers who require additional information about this notice may
contact CA Technologies Support at http://support.ca.com/.

To report a suspected vulnerability in a CA Technologies product,
please send a summary to CA Technologies Product Vulnerability
Response at vuln <AT> ca.com

Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782

Kevin Kotas
Vulnerability Response Director
CA Technologies Product Vulnerability Response

Copyright 2019 Broadcom. All Rights Reserved. The term "Broadcom"
refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse
logo, Connecting everything, CA Technologies and the CA technologies
logo are among the trademarks of Broadcom. All trademarks, trade
names, service marks and logos referenced herein belong to their
respective companies.
