CVE-2018-9021
Published 2018-06-18
Priority P1 (81) · Critical · CVSS 3.1 base score 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Public exploit available (Packet Storm, see references). EPSS: 19.38% (97.0th percentile).
An authentication bypass vulnerability in CA Privileged Access Manager 2.8.2 and earlier allows remote attackers to execute arbitrary commands with specially crafted requests.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | privileged_access_manager | <= 2.8.2 | — |
| ca_technologies | ca_privileged_access_manager | — | — |
Detection & IOCs (extracted from sources)
URL: https://<ip>/ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|<cmd>+2>%261||&deviceMode=test
- Detect unauthenticated GET requests to /ajax_cmd.php with the parameter cmd=AD_IMPORT and a pipe character (|) in the importID parameter; this is OS command injection reached through the authentication bypass.
- Alert on requests to /ajax_cmd.php where the importID query parameter contains shell metacharacters such as | (pipe), > (redirect) or & (used in 2>&1), or their URL-encoded forms (%7C, %3E, %26). Decode the parameter before matching: in the PoC URL the sequence %261 is the encoded "&1" of the 2>&1 redirect, not a single encoded character.
- Detect creation or access of /tmp/output on the CA PAM host, used by the exploit to stage and retrieve command output.
- Alert on unauthenticated requests to /ajax_cmd.php: the exploit sends requests with no authentication headers or session cookie, exploiting the authentication bypass to reach the AD_IMPORT command handler.
- The exploit targets CA Privileged Access Manager version 2.8.2 and earlier; versions beyond 2.8.2 may not be vulnerable, but the /ajax_cmd.php endpoint should be reviewed in all deployments.
- The exploit abuses the MySQL root account (mysql -u root uag) to manipulate the configuration_f table, suggesting the CA PAM appliance runs MySQL as root with no password. This is an additional hardening concern independent of the CVE.
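The detection logic in the list above, run over web access-log lines, as an added example that is not part of this page's sources or of the CA PAM product. It assumes an Apache/nginx combined log format (the appliance's real format may differ; adjust the regex) and the sample lines are constructed, not captured from a real appliance. It goes slightly beyond the source by decoding the parameter twice so that double-encoded payloads (%257C) are caught as well as literal and single-encoded ones.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format as emitted by Apache/nginx. Assumption: the CA PAM
# appliance, or a reverse proxy in front of it, logs in a comparable shape.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Shell metacharacters an injected importID needs in order to terminate the
# original command and capture its output: pipe, redirect, &, ;, backticks, $( ).
META_RE = re.compile(r'[|>&;`]|\$\(')

ENDPOINT = "/ajax_cmd.php"


def classify_target(target):
    """Return (severity, import_id) for one request-target string.

    severity is "high" when importID carries shell metacharacters after
    decoding (the shape of the public PoC), "low" when the AD_IMPORT handler
    is reached with a clean importID (worth reviewing, since the handler is
    reachable without authentication), and None for everything else.
    """
    parts = urlsplit(target)
    if parts.path.lower() != ENDPOINT:
        return None, None
    params = parse_qs(parts.query, keep_blank_values=True)
    cmd = params.get("cmd", [""])[0].upper()
    # parse_qs already decoded one layer (%7C -> |, + -> space); decoding
    # once more catches double-encoded payloads (%257C -> %7C -> |).
    import_id = unquote(params.get("importID", [""])[0])
    if META_RE.search(import_id):
        return "high", import_id
    if cmd == "AD_IMPORT":
        return "low", import_id
    return None, import_id


def scan_log(lines):
    """Return one finding dict per log line that touches /ajax_cmd.php suspiciously."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        severity, import_id = classify_target(m.group("target"))
        if severity is None:
            continue
        findings.append({
            "src": m.group("src"),
            "ts": m.group("ts"),
            "status": int(m.group("status")),
            "severity": severity,
            "import_id": import_id,
        })
    return findings


# Constructed sample lines (not captured from a real appliance): a benign
# request, a literal PoC-style injection, a URL-encoded one, a double-encoded
# one, and a clean AD_IMPORT call.
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Jun/2018:09:58:01 +0000] "GET /login.php HTTP/1.1" 200 1431 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Jun/2018:09:58:20 +0000] "GET /ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|id+2>%261||&deviceMode=test HTTP/1.1" 200 12 "-" "curl/7.58.0"',
    '198.51.100.7 - - [18/Jun/2018:09:58:25 +0000] "GET /ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=%7Ccat%20/etc/passwd%3E/tmp/output%7C%7C&deviceMode=test HTTP/1.1" 200 12 "-" "curl/7.58.0"',
    '198.51.100.7 - - [18/Jun/2018:09:58:31 +0000] "GET /ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=%257Cid%257C&deviceMode=test HTTP/1.1" 200 12 "-" "curl/7.58.0"',
    '203.0.113.4 - - [18/Jun/2018:10:02:00 +0000] "GET /ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=7&importID=42&deviceMode=prod HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:<4} {f['src']:<15} {f['ts']} importID={f['import_id']!r}")
```

Matching is done on the decoded value rather than on the raw query string so that %7C, %3E and %26 are treated exactly like the literal characters; a rule that only greps the raw URL for "|" misses the encoded variants, and one that greps for "%261" is matching a fragment of an encoded "&1" rather than a metacharacter.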
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- Red Hat (vendor): 7.5 HIGH. This score is Red Hat's rating for CVE-2019-9021 (the PHP PHAR entry listed below), not for this CA PAM vulnerability.
GHSA
GHSA-4p35-q5ww-g8qx (unreviewed, 2022-05-13): CVE-2018-9021 [CRITICAL] CWE-269
An authentication bypass vulnerability in CA Privileged Access Manager 2.8.2 and earlier allows remote attackers to execute arbitrary commands with specially crafted requests.
Red Hat
Note: the entry below is Red Hat's advisory for CVE-2019-9021, a PHP PHAR bug; it is unrelated to CVE-2018-9021 and to CA Privileged Access Manager and is reproduced here only because the index attached it to this page.
CVE-2019-9021 [HIGH] CWE-122 (vendor_redhat, 2018-12-06, CVSS 7.5): php: Heap-based buffer over-read in PHAR reading functions
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file name, a different vulnerability than CVE-2018-20783. This is related to phar_detect_phar_fname_ext in ext/phar/phar.c.
Package: php (Red Hat Enterprise Linux 5) - Out of support scope
Package: php (Red Hat Enterprise Linux 6) - Out of support scope
Package: php (Red Hat Enterprise Linux 7) - Fix deferred
Package: rh-php70-php (Red Hat Software Collections) - Fix deferred
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/155576/Broadcom-CA-Privileged-Access-Manager-2.8.2-Remote-Command-Execution.html
- http://www.securityfocus.com/bid/104496
- https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html