SB2018061508 - Multiple vulnerabilities in CA Privileged Access Manager
Published: June 15, 2018
Description
This security bulletin contains information about 15 security vulnerabilities.
1) Command injection (CVE-ID: CVE-2018-9021)
The weakness exists in the ajax_cmd.php file due to insufficient validation of user-supplied input. A remote attacker can inject and execute arbitrary commands with elevated privileges.
2) Remote code execution (CVE-ID: CVE-2018-9022)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to configuration file poisoning. A remote attacker can execute arbitrary code with elevated privileges.
3) Privilege escalation (CVE-ID: CVE-2018-9023)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
4) Spoofing attack (CVE-ID: CVE-2018-9024)
The vulnerability allows a remote attacker to conduct a spoofing attack on the target system.
5) Privilege escalation (CVE-ID: CVE-2018-9025)
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
6) Session fixation attack (CVE-ID: CVE-2018-9026)
The vulnerability allows a remote attacker to conduct session fixation attacks on the target system.
7) Reflected cross-site scripting (CVE-ID: CVE-2018-9027)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in multiple scripts. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
8) Command injection (CVE-ID: CVE-2015-4664)
The weakness exists due to insufficient input validation in the login.php script. A remote attacker can inject and execute arbitrary commands with elevated privileges.
9) Reflected cross-site scripting (CVE-ID: CVE-2015-4665)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the ajax_cmd.php script. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
10) Path traversal (CVE-ID: CVE-2015-4666)
The weakness exists due to path traversal in the read_sessionlog.php script. A remote attacker can conduct directory traversal attacks and download sensitive information.
11) Use of hard-coded credentials (CVE-ID: CVE-2015-4667)
The weakness exists due to use of hard-coded credentials in multiple scripts. A remote attacker can gain elevated privileges and conduct a variety of attacks.
12) Insecure database credentials (CVE-ID: CVE-2015-4669)
The weakness exists due to insecure database credentials. A local attacker can gain elevated privileges and conduct a variety of attacks.
13) Open redirect (CVE-ID: CVE-2015-4668)
The vulnerability allows a remote unauthenticated attacker to redirect the target user to external websites. The weakness exists due to an open redirect in the openwin.php script. A remote attacker can use a specially crafted image link, trick the victim into opening it and redirect users to a malicious website.
14) Information disclosure (CVE-ID: CVE-2018-9028)
The weakness exists due to the use of unsalted passwords. A remote attacker can easily crack passwords.
15) SQL-injection (CVE-ID: CVE-2018-9029)
The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application database.
The vulnerability exists due to insufficient validation of user-supplied input in multiple scripts. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the web application database.
Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.
Remediation
Install the update from the vendor's website.