The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity (AC): Low
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required (PR): None
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction (UI): None
The vulnerable system can be exploited without interaction from any human user other than the attacker. Examples include: a remote attacker is able to send packets to a target system; a locally authenticated attacker executes code to elevate privileges.
Scope (S): Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality (C): High
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity (I): High
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability (A): High
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: CA Common Services Distributed Intelligence Architecture (DIA) Code Execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
CA20190904-01: Security Notice for CA Common Services Distributed
Intelligence Architecture (DIA)
Issued: September 4th, 2019
Last Updated: September 4th, 2019
CA Technologies, A Broadcom Company, is alerting customers to a
potential risk with CA Common Services in the Distributed
Intelligence Architecture (DIA) component. A vulnerability exists,
CVE-2019-13656, that can allow a remote attacker to execute arbitrary
code. CA published solutions to address the vulnerabilities and
recommends that all affected customers implement these solutions
immediately.
Risk Rating
High
Platform(s)
All supported platforms
Affected Products
CA Common Components DIA
CA Technologies products that bundle this software include:
CA Client Automation 14 and later versions
CA Workload Automation AE 11.3.5 and 11.3.6
How to determine if the installation is affected
Customers should review the Solution section to determine whether the
fix is present.
CA Workload Automation Autosys:
The Distributed Intelligence Architecture (DIA) that installs with
the 11.3.5 and 11.3.6 C3 DVD is vulnerable.
Solution
CA published the following solutions to address the vulnerabilities.
Fixes are available on the CA support site.
CA Client Automation:
Windows
Solution: SO09605
Linux
Solution: SO09633
CA Workload Automation Autosys:
The following are the fixes published by the Workload Automation
Autosys Product team for the vulnerability CVE-2019-13656 reported
against Distributed Intelligence Architecture (DIA) shipped with C3
DVD.
Windows
Solution: SO09111
Linux
Solution: SO09057
HP-UX
Solution: SO09086
Solaris
Solution: SO09084
AIX
Solution: SO09085
Patch Validation
The script applypatch.bat for Windows and applypatch.sh for Linux and
Unix platforms when run should not produce any errors in its console
output. The script starts the NSM services at the end of the patch
application process. A successful patch application is manifested in
the form of all services coming up successfully.
References
CVE-2019-13656 - Ca Common Services remote code execution
Acknowledgement
CVE-2019-13656 - Fredrik Ravne, Oslo Boers
Change History
Version 1.0: Initial Release
CA customers may receive product alerts and advisories by subscribing
to Proactive Notifications on the support site.
Customers who require additional information about this notice may
contact CA Technologies Support at https://casupport.broadcom.com/
To report a suspected vulnerability in a CA Technologies product,
please send a summary to CA Technologies Product Vulnerability
Response at ca.psirt <AT> broadcom.com
Security Notices, PGP key, and disclosure policy and guidance
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782
Kevin Kotas
CA Product Security Incident Response Team
Copyright 2019 Broadcom. All Rights Reserved. The term "Broadcom"
refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse
logo, Connecting everything, CA Technologies and the CA technologies
logo are among the trademarks of Broadcom. All trademarks, trade
names, service marks and logos referenced herein belong to their
respective companies.
-----BEGIN PGP SIGNATURE-----
Charset: utf-8
wsBVAwUBXXK0LLZ6yOO9o8STAQgQBgf/UeZFiw6Ha+eEfAvDIx92DE+gglGuZB20
tc1POyvgJABJGBdyqE1aV+eYoTNhEIagD54Fkl0ZMJnwR2ZrTAdOPV/pOJa/F+z9
ajAv5Oikj2I5SH4MI0Az48ApyyD6y+zQjmu8wc5LH4LfuoujAGOIqF0s6OFMB+hl
B8VDvqJuNvNalEdVFhNxUHfFjxhQaN0H1G9b98Mv9bnZJ/O60+9Kczff9O6m9y7U
Dfaf0pUIqnsYxUVDk2LQ/ydoLji7QtttNXBQHS9zWIjlEkj90ZMleXozYiR6IiaV
NRUpynhlzmJYf9oG0hdLD7WFXStFREf7atL7QDZuL4ar/Zz7+5xEng==
=1Xi9
-----END PGP SIGNATURE-----