CVE-2018-15691
Published: 2018-08-30
Priority: P2 66 · Severity: critical · Score: 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 16.76% (96.6th percentile)
Insecure deserialization of a specially crafted serialized object, in CA Release Automation 6.5 and earlier, allows attackers to potentially execute arbitrary code.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | release_automation | >= 6.3 < 6.3.0.9945 | 6.3.0.9945 |
| broadcom | release_automation | >= 6.4 < 6.4.0.10119 | 6.4.0.10119 |
| broadcom | release_automation | >= 6.5 < 6.5.0.10080 | 6.5.0.10080 |
| ca_technologies | release_automation | — | — |
Detection & IOCs (extracted from sources)
Byte sequences:
- bytes: `\x00\x00\x00\x0c\x0a\x04\x6e\x6f\x64\x65\x10\x0a\x72\x02\x08\x00`
- bytes: `\x00\x00\x00\x1a\x0a\x04\x6e\x6f\x64\x65\x10\x0a\x7a\x10\x0a\x0c\x0a\x07\x30\x2e\x30\x2e\x30\x2e\x30\x10\x94\x3c\x10\x00`
- bytes: `\x0a\x04\x6e\x6f\x64\x65\x10\x01\x1a`
- The NiMi service listens on TCP port 6600 by default. Monitor for unexpected inbound TCP connections to this port, especially from external or untrusted hosts.
- The exploit sends a specific 16-byte handshake (the first required message) immediately after connecting to port 6600. Detect this exact byte sequence at the start of a TCP stream on port 6600.
- The exploit sends a second 27-byte probe message to check whether security is disabled before delivering the deserialization payload. Presence of this byte sequence on port 6600 is a strong indicator of active exploitation.
- Deserialization payloads are generated using the CommonsCollections1 gadget chain from ysoserial. Detect the Java serialization magic bytes (0xACED0005) within the payload body sent to port 6600.
- The exploit only succeeds when the NiMi service has security turned off. If the server returns an empty response to the second probe, security is enabled and exploitation is blocked. Audit the NiMi security configuration.
- The serialized payload is padded with 0x90 bytes to a fixed size of 5729 bytes. A TCP payload of exactly this size on port 6600 containing NOP-sled padding is a strong exploitation indicator.
- Exploitation only succeeds when the NiMi service has security disabled. If security is enabled, the server returns an empty response to the second probe and the exploit aborts.
- The serialized payload must not exceed 5729 bytes; larger payloads are rejected by the exploit logic. This constrains which ysoserial gadget chains are usable.
- Affected versions span CA Release Automation (NiMi) 5.X, 6.3, 6.4, and 6.5, not only 6.5 as stated in the NVD entry.
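A defender-side matcher for the indicators above, added here as an example (not code from the page, the vendor, or the exploit author): it checks one client-to-server TCP stream to the NiMi port for the handshake, the second probe, the Java serialization header and a fixed-size 0x90-padded payload. The 32-byte minimum padding run, the classification labels and the constructed sample streams are assumptions of this example.

```python
NIMI_PORT = 6600
# Indicator byte strings copied from the list above.
HANDSHAKE = b"\x00\x00\x00\x0c\x0a\x04node\x10\x0a\x72\x02\x08\x00"
PROBE = (b"\x00\x00\x00\x1a\x0a\x04node\x10\x0a\x7a\x10\x0a\x0c\x0a\x07"
         b"0.0.0.0\x10\x94\x3c\x10\x00")
PAYLOAD_HEADER = b"\x0a\x04node\x10\x01\x1a"
JAVA_MAGIC = b"\xac\xed\x00\x05"   # Java ObjectOutputStream header (0xACED0005)
PADDED_SIZE = 5729                 # fixed padded payload size from the indicators
MIN_NOP_RUN = 32                   # assumed minimum trailing 0x90 run (heuristic)


def scan_stream(data: bytes, dst_port: int = NIMI_PORT) -> dict:
    """Check one client-to-server TCP stream against the indicators.
    Returns indicator name -> bool; empty dict if not NiMi port traffic."""
    if dst_port != NIMI_PORT:
        return {}
    report = {
        "handshake_at_stream_start": data.startswith(HANDSHAKE),
        "security_probe_present": PROBE in data,
        "payload_header_present": PAYLOAD_HEADER in data,
        "java_serialized_object": JAVA_MAGIC in data,
        "nop_padded_payload": False,
    }
    magic_at = data.find(JAVA_MAGIC)
    if magic_at != -1:
        # Payload is padded with 0x90 to a fixed size: look for a 5729-byte
        # window starting at the stream header whose tail is 0x90 filler.
        window = data[magic_at:magic_at + PADDED_SIZE]
        report["nop_padded_payload"] = (len(window) == PADDED_SIZE
                                        and window.endswith(b"\x90" * MIN_NOP_RUN))
    return report


def classify(report: dict) -> str:
    """Handshake alone is ordinary client traffic; probe plus a serialized
    object is what the indicators call a strong exploitation signal."""
    if report.get("security_probe_present") and report.get("java_serialized_object"):
        return "likely_exploitation"
    if report.get("security_probe_present") or report.get("nop_padded_payload"):
        return "suspicious"
    if report.get("handshake_at_stream_start"):
        return "nimi_client_traffic"
    return "none"


# Constructed sample streams (not real captures). The "serialized object" is a
# stub that carries only the stream header, then 0x90 padding to PADDED_SIZE.
BENIGN_STREAM = HANDSHAKE
_stub = JAVA_MAGIC + b"\x73\x72\x00\x0bconstructed"
MALICIOUS_STREAM = (HANDSHAKE + PROBE + PAYLOAD_HEADER
                    + _stub + b"\x90" * (PADDED_SIZE - len(_stub)))
```

Feed `scan_stream` the reassembled client-to-server bytes of one connection (for example from a packet capture) and alert on `classify` results other than `nimi_client_traffic`.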
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
References
- http://www.securityfocus.com/bid/105197
- http://www.securitytracker.com/id/1041591
- https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180829-03--security-notice-for-ca-release-automation.html
- https://www.exploit-db.com/exploits/45425/