CA Service Management


CA20190117-01: Security Notice for CA Service Desk Manager

vchinni, Jan 18, 2019 04:11 PM

  • 1.  CA20190117-01: Security Notice for CA Service Desk Manager

    Posted Jan 17, 2019 08:51 PM

    Does anyone have any more information on the 2nd vulnerability?

    The second vulnerability, CVE-2018-19635, allows for a malicious actor to gain additional privileges

    Can't find out much about it...



  • 2.  Re: CA20190117-01: Security Notice for CA Service Desk Manager

    Posted Jan 18, 2019 02:44 PM

    I also would like to know. We need to understand how critical these vulnerabilities are.



  • 3.  Re: CA20190117-01: Security Notice for CA Service Desk Manager

    Posted Jan 18, 2019 03:39 PM

    Can't seem to find any detailed info on how critical this specific vulnerability (CVE-2018-19635) is; can CA provide any?



  • 4.  Re: CA20190117-01: Security Notice for CA Service Desk Manager

    Broadcom Employee
    Posted Jan 18, 2019 04:08 PM

    Hey folks,

    I will provide the details on this shortly.

    _R



  • 5.  Re: CA20190117-01: Security Notice for CA Service Desk Manager

    Posted Jan 18, 2019 04:11 PM

    Thanks Raghu!



  • 6.  Re: CA20190117-01: Security Notice for CA Service Desk Manager

    Broadcom Employee
    Posted Jan 18, 2019 06:01 PM

    So basically the CVE database owners normally get those updates done. Looks like they are a bit behind...

    Here are the two key items:

    DE37371, DE37394

    Vulnerability - Survey and privilege escalation.

    Vulnerability - Vertical privilege escalation via a survey.

    A survey URL is similar to: http://hostname/CAisd/pdmweb.exe?OP=DO_SURVEY+SVY_ID=400003+CNT_ID=F49134B8CAC9A5478C9CC421096CDDDD+CNTXT_PERSID=cr:401210

    1. Problem #1 - The URL doesn't require authentication, like other URLs in CA SDM.
    2. Problem #2 - After tweaking the URL, a malicious user can become a CA SDM administrator.

    The solutions that CA provided resolve both items.

     

    _R



  • 7.  Re: CA20190117-01: Security Notice for CA Service Desk Manager

    Broadcom Employee
    Posted Jan 19, 2019 01:28 PM

    Edited my previous reply to make it easier for access here.

    _R



  • 8.  Re: CA20190117-01: Security Notice for CA Service Desk Manager

    Posted Jan 19, 2019 03:37 PM

    How can I get my own message templates to work again after upgrading to 17.1.02?

    What is the variable that I need to use? I found that the URL should be extended by +MSG_DIGEST=



  • 9.  Re: CA20190117-01: Security Notice for CA Service Desk Manager

    Broadcom Employee
    Posted Jan 21, 2019 08:33 AM

    Hey Martin,

    Let me check into this and revert back to you.

    thx

    _R



  • 10.  Re: CA20190117-01: Security Notice for CA Service Desk Manager

    Broadcom Employee
    Posted Jan 22, 2019 09:33 AM

    Hey Martin,

    Engineering provided a bit more clarification on this.

    Behind the scenes, we are using an encryption mechanism similar to our password encryptions, to create this checksum. This is then validated against.

    At this time there's no easy way to generate this checksum automatically for custom usage.

    _R
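As an added illustration (not CA's code, and not the product's actual algorithm, which the thread describes only as "similar to our password encryptions"), this shows the general pattern behind the MSG_DIGEST field discussed above: a keyed digest is computed over the survey parameters when the link is generated and recomputed on receipt, so a link whose CNT_ID, SVY_ID or context id has been edited, or that carries no digest at all, no longer validates. The HMAC-SHA256 construction, the demo key, the field order and all function names are assumptions.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed demo key: SDM's real key material and derivation are not public,
# and HMAC-SHA256 here is an assumption standing in for the product's mechanism.
SECRET_KEY = b"constructed-demo-key-not-the-real-sdm-key"
BASE_URL = "http://hostname/CAisd/pdmweb.exe"
PROTECTED = ("OP", "SVY_ID", "CNT_ID", "CNTXT_PERSID")

def _canonical(params: dict) -> bytes:
    # Serialise the protected fields in a fixed order so the digest covers
    # exactly the values the server acts on (KeyError if one is missing).
    return "+".join(f"{k}={params[k]}" for k in PROTECTED).encode()

def make_digest(params: dict, key: bytes = SECRET_KEY) -> str:
    return hmac.new(key, _canonical(params), hashlib.sha256).hexdigest()

def build_survey_url(params: dict, key: bytes = SECRET_KEY) -> str:
    # SDM survey links use '+' between parameters; the thread reports that the
    # fixed links end in a trailing MSG_DIGEST field, which is bound here.
    query = _canonical(params).decode() + "+MSG_DIGEST=" + make_digest(params, key)
    return f"{BASE_URL}?{query}"

def parse_survey_url(url: str) -> dict:
    query = urlsplit(url).query
    return dict(p.split("=", 1) for p in query.split("+") if "=" in p)

def verify_survey_url(url: str, key: bytes = SECRET_KEY) -> bool:
    # Server-side check: recompute the digest from the received fields and
    # compare in constant time. Any edit to CNT_ID, SVY_ID or the context id
    # yields a different digest, so a tweaked link is rejected.
    params = parse_survey_url(url)
    supplied = params.pop("MSG_DIGEST", None)
    if supplied is None:
        return False  # unsigned link (the pre-fix shape): reject
    try:
        expected = make_digest(params, key)
    except KeyError:
        return False  # a protected field was dropped from the link
    return hmac.compare_digest(expected, supplied)

if __name__ == "__main__":
    demo = {"OP": "DO_SURVEY", "SVY_ID": "400003",
            "CNT_ID": "F49134B8CAC9A5478C9CC421096CDDDD", "CNTXT_PERSID": "cr:401210"}
    link = build_survey_url(demo)
    print(link)
    print("valid:", verify_survey_url(link))
    print("tampered valid:", verify_survey_url(link.replace("CNT_ID=F491", "CNT_ID=0000")))
```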



  • 11.  Re: CA20190117-01: Security Notice for CA Service Desk Manager

    Posted Jan 22, 2019 12:03 PM

    Raghu,

    So both vulnerabilities are with reference to the Survey problem for CA Service Desk Manager?

    Our implementation of CA Service Desk, Catalog, PAM, EEM and Xtraction is for internal purposes only and still on 14.1.01. Do you see any major risks if we do NOT update to 14.1.05.1 (prerequisite is for upgrading to 14.1.01)?



  • 12.  Re: CA20190117-01: Security Notice for CA Service Desk Manager

    Broadcom Employee
    Posted Jan 22, 2019 12:27 PM

    Vishnu, a vulnerability is a vulnerability and it does not matter if the app is intended for internal purpose only. For example, what if an internal user uses the survey link to get into SDM administration and modify data he/she otherwise does not have permission to? So yes, I think there is some risk even for internal purpose only.

    Thanks _Chi



  • 13.  Re: CA20190117-01: Security Notice for CA Service Desk Manager

    Posted Jan 22, 2019 02:32 PM

    Chi, it sounds like this vulnerability creates a backdoor for an internal user to use the survey link to get to SDM administration. So are you saying that though a user is NOT set up to have the Administrator access type, they can still get edit access to SDM administration, functional access and metadata just using the Survey link?

    Also, looking at the link provided by Raghu, the SDM versions listed are more specific to versions 14.1.02 or above.



  • 14.  Re: CA20190117-01: Security Notice for CA Service Desk Manager

    Broadcom Employee
    Posted Jan 22, 2019 03:06 PM

    Hi Vishnu,

    Unfortunately that is the case; there was a security issue with the survey link which led to possible abuse there.

    Regarding the 14.x version, versions prior to 14.1.05.1 are vulnerable.

    That means this includes 14.1.01 too.

    _R



  • 15.  Re: CA20190117-01: Security Notice for CA Service Desk Manager

    Posted Jan 22, 2019 03:19 PM

    Is the issue only present if you use Surveys?



  • 16.  Re: CA20190117-01: Security Notice for CA Service Desk Manager

    Broadcom Employee
    Posted Jan 22, 2019 05:25 PM

    Correct, the issue is exposed only via SDM Survey URLs, no other URLs.

    _R



  • 17.  Re: CA20190117-01: Security Notice for CA Service Desk Manager

    Posted Jan 23, 2019 09:14 AM

    Raghu, just for clarification, there are only 2 vulnerabilities and both are with reference to SDM Survey links; otherwise there are no other known security risks with SDM 14.1.0x, correct?



  • 18.  Re: CA20190117-01: Security Notice for CA Service Desk Manager

    Broadcom Employee
    Posted Jan 23, 2019 09:42 AM

    Hi Vishnu,

    In this context, yes, the only 2 risks are with the survey URLs.

    _R