-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 CA20180614-01: Security Notice for CA Privileged Access Manager Issued: June 14th, 2018 Last Updated: June 14th, 2018 CA Technologies Support is alerting customers to multiple potential risks with CA Privileged Access Manager. Multiple vulnerabilities exist that can allow a remote attacker to conduct a variety of attacks. These risks include seven vulnerabilities privately reported within the past year to CA Technologies by security researchers, and nine vulnerabilities for Xceedium Xsuite that were publicly disclosed in July 2015. CA Technologies acquired Xceedium in August 2015, and Xceedium products were renamed and became part of Privileged Access Management solutions from CA Technologies. The first vulnerability, CVE-2018-9021, has a high risk rating and concerns the ajax_cmd.php file, which can allow a remote attacker to execute arbitrary commands. The second vulnerability, CVE-2018-9022, has a high risk rating and concerns configuration file poisoning, which can allow a remote attacker to execute arbitrary code. The third vulnerability, CVE-2018-9023, has a medium risk rating and concerns the update_crld script, which can allow an unprivileged user to gain root privileges. The fourth vulnerability, CVE-2018-9024, has a low risk rating and concerns IP spoofing in logs, which can allow a remote attacker to masquerade as another machine. The fifth vulnerability, CVE-2018-9025, has a low risk rating and concerns insufficient input validation on the login page, which can allow a remote attacker to poison a log file. The sixth vulnerability, CVE-2018-9026, has a medium risk rating and concerns insecure handling of user sessions in multiple scripts, which can allow a remote attacker to conduct session fixation attacks. The seventh vulnerability, CVE-2018-9027, has a medium risk rating and concerns insufficient input validation in multiple scripts, which can allow a remote attacker to conduct reflected XSS attacks. The eighth vulnerability, CVE-2015-4664, has a high risk rating and concerns insufficient input validation in the login.php script, which can allow a remote attacker to execute arbitrary commands. The ninth vulnerability, CVE-2015-4665, has a medium risk rating and concerns insufficient input validation in the ajax_cmd.php script, which can allow a remote attacker to conduct reflected XSS attacks. The tenth vulnerability, CVE-2015-4666, has a high risk rating and concerns insufficient input validation in the read_sessionlog.php script, which can allow an unauthenticated remote attacker to conduct directory traversal attacks and download sensitive information. The eleventh vulnerability, also CVE-2015-4664, has a high risk rating and concerns insufficient input validation by the spadmind script, which can allow a local attacker to execute privileged commands. The twelfth vulnerability, CVE-2015-4667, has a low risk rating and concerns the use of hard-coded credentials in multiple scripts, which can allow an attacker to potentially conduct a variety of attacks. The thirteenth vulnerability, CVE-2015-4669, has a high risk rating and concerns insecure database credentials, which can allow a local user to conduct a variety of attacks. The fourteenth vulnerability, CVE-2015-4668, has a low risk rating and concerns the openwin.php script, which can allow a remote attacker to conduct open redirect attacks. The fifteenth vulnerability, CVE-2018-9028, has a low risk rating and concerns unsalted passwords, which can allow an attacker to more easily crack passwords. The sixteenth vulnerability, CVE-2018-9029, has a medium risk rating and concerns insufficient input validation in multiple scripts, which can allow an attacker to conduct SQL injection attacks. Risk Rating CVE-2018-9021 - High CVE-2018-9022 - High CVE-2018-9023 - Medium CVE-2018-9024 - Low CVE-2018-9025 - Low CVE-2018-9026 - Medium CVE-2018-9027 - Medium CVE-2015-4664 - High CVE-2015-4665 - Medium CVE-2015-4666 - High CVE-2015-4667 - Low CVE-2015-4669 - High CVE-2015-4668 - Low CVE-2018-9028 - Low CVE-2018-9029 - Medium Platform(s) All supported platforms Affected Products CA Privileged Access Manager 2.x Unaffected Products CA Privileged Access Manager 3.0.0 or later How to determine if the installation is affected Customers may use the CA Privileged Access Manager interface to find the release and then use the table in the Affected Products section to determine if the installation is vulnerable. Solution CA Technologies published the following solution to address the vulnerabilities. CA Privileged Access Manager: Update to CA Privileged Access Manager 3.0.0 or later to address all vulnerabilities in this security notice. References CVE-2018-9021 - PAM ajax_cmd.php RCE CVE-2018-9022 - PAM configuration file poisoning RCE CVE-2018-9023 - PAM update_crld privilege escalation CVE-2018-9024 - PAM IP spoofing in logs CVE-2018-9025 - PAM log poisoning CVE-2018-9026 - PAM session fixation CVE-2018-9027 - PAM reflected XSS CVE-2015-4664 - PAM login.php RCE CVE-2015-4665 - PAM ajax_cmd.php reflected XSS CVE-2015-4666 - PAM read_sessionlog.php directory traversal CVE-2015-4664 - PAM spadmind command execution CVE-2015-4667 - PAM hard-coded credentials CVE-2015-4669 - PAM insecure database credentials CVE-2015-4668 - PAM openwin.php open redirect CVE-2018-9028 - PAM unsalted passwords CVE-2018-9029 - PAM SQL injection www.ca.com/us/company/acquisitions/xceedium-is-now-ca-technologies.html Acknowledgement CVE-2018-9021 - Peter Lapp CVE-2018-9022 - Dan Cocking CVE-2018-9023 - Peter Lapp CVE-2018-9024 - Peter Lapp CVE-2018-9025 - Peter Lapp CVE-2018-9026 - Peter Lapp CVE-2018-9027 - Peter Lapp Change History Version 1.0: 2018-06-14 - Initial Release Customers who require additional information about this notice may contact CA Technologies Support at https://support.ca.com/ To report a suspected vulnerability in a CA Technologies product, please send a summary to CA Technologies Product Vulnerability Response at vuln ca.com Security Notices and PGP key support.ca.com/irj/portal/anonymous/phpsbpldgpg www.ca.com/us/support/ca-support-online/documents.aspx?id=177782 Regards, Ken Williams Vulnerability Response Director, Product Vulnerability Response Team CA Technologies | 520 Madison Avenue, 22nd Floor, New York NY 10022 Copyright (c) 2018 CA. 520 Madison Avenue, 22nd Floor, New York, NY 10022. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.2 (Build 15238) Charset: utf-8 wsFVAwUBWyMPFrlJjor7ahBNAQiAJQ//TZF1JZGfX2LqrqT9YsZade20xl9rAyZA iaCLHQzOCf/xjIeu80phrhNC9jvvQjv6/ftKQrVJljaG6e8m7FrPbu/gYlFrSZrT mUyZ27GvEQgwdFVNw5z841dowbz3hDnyYPpURGeyUXwDWZi8qLVd1/t4U5YiHEGw FcClAez4inJk35cFtYIUyGhBNMYIHtH+fUQGWqyPv7NQ+zzmx04utJXfN0PgAZKF QlcSYsMhSvn2e6wDd9LSpFVN9LEBPtHZ/gn/J9mx8zAF2dREwzXpikUbXixGFPSG w4d+OOiImb6NCnNHuU+KITzp/jJLsRmqpsyy3PYAuRzXSwvxTseJpk1HH6/l/wWg EUi7glKUuHdNmfhCNPeTfLjWne+FNiibeOibSx+y6iuZScCGDJWHD4rGcSFXvlBT m2D4mjmeUrbN/4v51LThGjkBrOCOnuI3OD5sZIghOdZslIychpPk15aU8761o1vZ MlBTSyxGOOvt7hn30N9883Sx3aK+kec3YvHttnVl3gEYWHOBbrXHRVNXMREbsr8H GBfsyHcYpGav8vcK8udrSRuFOHFPX7XjnMExc0huaCLGGKaXDn1nNvoWoo1Z2BIP 2+h63prz1yn4+JV5xdA4qCvMK3o83vemR5ZZ10JitUn5qlcQT2oRJ31voxl9xmZq Jg1bsOMzZy4= =+WwQ -----END PGP SIGNATURE-----