-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CA20180829-02: Security Notice for CA Unified Infrastructure Management

Issued: August 29, 2018
Last Updated: August 29, 2018

CA Technologies Support is alerting customers to multiple potential risks
with CA Unified Infrastructure Management. Multiple vulnerabilities exist
that can allow an attacker, who has access to the network on which CA UIM
is running, to run arbitrary CA UIM commands on machines where the CA UIM
probes are running. An attacker can also gain access to other machines
running CA UIM and access the filesystems of those machines.

The first vulnerability, CVE-2018-13819, has a medium risk rating and
concerns a hardcoded secret key, which can allow an attacker to access
sensitive information.

The second vulnerability, CVE-2018-13820, has a medium risk rating and
concerns a hardcoded passphrase, which can allow an attacker to access
sensitive information.

The third vulnerability, CVE-2018-13821, has a high risk rating and
concerns a lack of authentication, which can allow a remote attacker to
conduct a variety of attacks, including file reading/writing.

Risk Rating

Cumulative risk rating of High.

Platform(s)

All supported platforms

Affected Products

CA Unified Infrastructure Management 8.5.1, 8.5, 8.4.7

Unaffected Products

CA Unified Infrastructure Management 8.5.1, 8.5, 8.4.7 with the solutions
listed below applied.

How to determine if the installation is affected

Review the UIM Vulnerability Patch 1 documentation [1] to determine if all
appropriate patches have been applied. Additionally, review KB000111575:
CA UIM Best Practices For Secure Environments [2] and CA UIM Best Practices
for Securing Environments to mitigate CVE-2018-13821 [3] to ensure that all
best practices have been implemented.

Solution

Two solutions are available for CA UIM 8.5.1, CA UIM 8.5, and CA UIM 8.4.7
to resolve these vulnerabilities.
Both solutions, UIM Vulnerability Patch 1 and UIM Best Practices for Secure
Environments, must be implemented to effectively mitigate all three
vulnerabilities.

* CA recommends installing UIM Vulnerability Patch 1 [1] to resolve
  CVE-2018-13819 and CVE-2018-13820 as soon as possible. From the download
  link, select the directory that corresponds to your release to access
  the patch package.

* CA recommends securing the CA UIM deployment using the best practices
  described in KB000111575: CA UIM Best Practices For Secure Environments
  [2] and CA UIM Best Practices for Securing Environments to mitigate
  CVE-2018-13821 [3].

  - -OR-

  If you feel the best practice recommendations are insufficient for your
  specific security needs, please contact CA Support to install and
  configure the CA UIM Secure Bus 8.01.

  Note: While the secured version of the message bus has additional
  security features (e.g. encrypting all UIM traffic from robot to hub),
  the implementation requires additional prerequisites (such as requiring
  user-provided, signed X.509 certificates) and may have reduced
  functionality compared to the standard message bus.

Customers running any End of Service (EOS) release are strongly advised to
upgrade to version 8.5.1 and take the remediation actions listed above to
resolve the vulnerabilities immediately.

For the most up-to-date information about these CA Unified Infrastructure
Management vulnerabilities, and for other important product information,
please see the CA Unified Infrastructure Management Support page [4].
References

CVE-2018-13819 - CA UIM hardcoded secret key
CVE-2018-13820 - CA UIM hardcoded passphrase
CVE-2018-13821 - CA UIM lack of authentication

[1] ftp://UIMuser:CnIa24uJ@xxxxxxxxxx/Important Hotfixes/UIM Vulnerability Patch 1/
[2] https://comm.support.ca.com/kb/ca-uim-best-practices-for-secure-environments/kb000111575
[3] https://support.ca.com/phpdocs/7/8384/8384-critical-alert-0716-2016.pdf
[4] https://support.ca.com/us/product-information/ca-unified-infrastructure-management.html

Acknowledgement

CVE-2018-13819 - Oystein Middelthun
CVE-2018-13820 - Oystein Middelthun
CVE-2018-13821 - Oystein Middelthun

Change History

Version 1.0: 2018-08-29 - Initial Release

Customers who require additional information about this notice may contact
CA Technologies Support at https://support.ca.com/

To report a suspected vulnerability in a CA Technologies product, please
send a summary to CA Technologies Product Vulnerability Response at
vuln <AT> ca.com

Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782

Regards,
Ken Williams
Vulnerability Response Director, Product Vulnerability Response Team
CA Technologies | 520 Madison Avenue, 22nd Floor, New York NY 10022

Copyright (c) 2018 CA. 520 Madison Avenue, 22nd Floor, New York, NY 10022.
All other trademarks, trade names, service marks, and logos referenced
herein belong to their respective companies.
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: utf-8

wsFVAwUBW4lr9LlJjor7ahBNAQiHAQ/+Oa5yOCsJ6MQukur5th1zeMOyvfWE3SWX
UDY44DTe7nN3QwzyYJgBBoegxuR0UuvH1Pkd/9t26KKA7z1HD9jbRI/1TLSyRUjX
TLoMHDmmPybDPA1R3s4F92ix0B8kk0pszpLvtTcTPb8jyfuML9KlqLeKQkB4p7Dq
VuhJkm3hpWzT6ZGDqWxxWEWP5GxZbAbtFa9lyp6fm+HUOVlwo7bqqcLQ1/l4gXJD
AdVF7+/6zwW31X4llCuZbhuzqLOHb4JUbAYQG3AB3+QKHBbLs+FFVpELbnPho9gA
+8ZMtUEkLY0NNYedOZ+24SpMMF1uW9ferLwTHU7vTqDbjJ8Njyzzn3zJzGqUTgnN
9PW1eqwTtEQd2S0w7QFn3Uo+h8AKDjKfM+jSyYIOJ3seazvf7hWsIJgfMtkn69yP
N7leBnQcaIB/Gljd1k5JBGgYP+JkZBfsJToW30w87BM76GoHpqZ6Xirby03WoWEI
OGqlSCc601kQdtmnK3vMcfSIz23BDO+zDZssWMRzcmQ1abZ1BYy2/iPqVaj+60zm
sRr+t3l5n4rHVZ3PXzUQ4YcG1+lW2JEamTUycqvv7ZohRQWtCGtrhY1+8/jAYb8W
DQZiCIilEYpynjRbCVndTB9MU7Kzy/1aDBgceOiaGQ4ajbXnTXkHb2DnCrA524WC
TdSsroSnvLQ=
=5XBW
-----END PGP SIGNATURE-----