CVE-2018-9022
Published 2018-06-18
Priority: P278 · Severity: critical, 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 20.39% (97.2nd percentile)
An authentication bypass vulnerability in CA Privileged Access Manager 2.8.2 and earlier allows remote attackers to execute arbitrary code or commands by poisoning a configuration file.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | privileged_access_manager | <= 2.8.2 | — |
| ca_technologies | ca_privileged_access_manager | — | — |
Detection & IOCs (extracted from sources)
- URL: https://<ip>/ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|<cmd>+2>%261||&deviceMode=test
- Monitor HTTP/S requests to /ajax_cmd.php with the parameter cmd=AD_IMPORT and an importID value containing shell metacharacters (pipe '|', redirection '>', '&'); this is the injection point for CVE-2018-9022 RCE. Match on the URL-decoded value: in the captured request the '&' of '2>&1' is sent as '%26', so a raw-string match for '&' misses it.
- Detect base64-encoded payloads piped through 'base64 -d | mysql -u root uag' on the CA PAM host. The exploit uses this to hand arbitrary SQL to the backend database without running into shell quoting and metacharacter filtering on the injected command line.
- Flag creation or reading of /tmp/output on the CA PAM appliance; the exploit redirects command output there and retrieves it with a subsequent ajax_cmd.php request.
- The exploit targets CA Privileged Access Manager version 2.8.2 and earlier only. The vulnerability is an authentication bypass combined with configuration file poisoning, so no credentials are required to reach the injection endpoint.
- The exploit chains CVE-2018-9021 (authentication bypass on ajax_cmd.php) with CVE-2018-9022 (configuration poisoning for RCE); assess both CVEs together for full impact.
- The injected command invokes 'mysql -u root uag': the MySQL client connects as the database user 'root' to the 'uag' database. The '-u root' names the database account, not the OS account the process runs under, so any SQL the attacker pipes in runs with full privileges inside the PAM database regardless of which OS user executes the injected command.
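As an added illustration (not part of this advisory or of the referenced exploit), the following Python applies the first three indicators above to log data. The access-log format, the sample lines, the client addresses and the `is_db_smuggle` helper (meant to run over process command lines from auditd or an EDR agent) are all assumptions made for the example; the sample log is constructed and is not a real CA PAM log. The point it makes beyond the list above is that the importID check must run on the percent-decoded value, because `2>&1` arrives as `2>%261`.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shell metacharacters that never belong in a legitimate AD import identifier.
SHELL_META = re.compile(r"[|&;<>`$()]")

# Host-side pattern from the IOC list: a base64-decoded payload piped into the
# MySQL client as the database superuser. Accepts 'base64 -d' and '--decode'.
MYSQL_SMUGGLE = re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*mysql\s+-u\s*root\b")

# Constructed sample access log in a combined-log-like format (an assumption for
# this example, not the appliance's real log). Clients are documentation ranges.
# Lines 1-2 mimic the exploit flow (run 'id' into /tmp/output, then read it back),
# line 3 is a benign AD import, line 4 is unrelated traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Dec/2019:10:14:03 +0000] "GET /ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|id+>/tmp/output+2>%261||&deviceMode=test HTTP/1.1" 200 512
203.0.113.7 - - [02/Dec/2019:10:14:05 +0000] "GET /ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|cat+/tmp/output+2>%261||&deviceMode=test HTTP/1.1" 200 2048
198.51.100.5 - - [02/Dec/2019:10:15:00 +0000] "GET /ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=7&importID=CN=Users,DC=corp,DC=example&deviceMode=test HTTP/1.1" 200 300
198.51.100.9 - - [02/Dec/2019:10:16:00 +0000] "GET /index.php HTTP/1.1" 200 1000
"""

LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_access_line(line):
    """Split one access-log line into (client, method, target, status), or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    return client, method, target, int(status)


def is_cve_2018_9022_probe(target):
    """Return a reason string if the request target matches the CVE-2018-9022
    injection pattern (/ajax_cmd.php, cmd=AD_IMPORT, shell metacharacters in
    importID), otherwise None.

    The query is inspected after percent-decoding: the '&' of '2>&1' is sent as
    '%26' in the captured URL, so matching the raw string for '&' would miss it.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/ajax_cmd.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes %XX and '+'
    if "AD_IMPORT" not in {c.upper() for c in qs.get("cmd", [])}:
        return None
    for value in qs.get("importID", []):
        if SHELL_META.search(value):
            extra = " (touches /tmp/output)" if "/tmp/output" in value else ""
            return "shell metacharacters in importID%s: %r" % (extra, value)
    return None


def is_db_smuggle(cmdline):
    """True if a process command line shows the 'base64 -d | mysql -u root' pipeline."""
    return bool(MYSQL_SMUGGLE.search(cmdline))


def scan_log(text):
    """Return a list of (client, reason) for every request matching the probe."""
    hits = []
    for line in text.splitlines():
        parsed = parse_access_line(line)
        if not parsed:
            continue
        client, _method, target, _status = parsed
        reason = is_cve_2018_9022_probe(target)
        if reason:
            hits.append((client, reason))
    return hits


if __name__ == "__main__":
    for client, reason in scan_log(SAMPLE_LOG):
        print(client, reason)
```

Run against the sample, the two requests from 203.0.113.7 are reported with the decoded importID (including the /tmp/output redirection), while the benign import from 198.51.100.5 is not, because its importID contains only LDAP DN characters.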
CVSS provenance
NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/155576/Broadcom-CA-Privileged-Access-Manager-2.8.2-Remote-Command-Execution.html
- http://www.securityfocus.com/bid/104496
- https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html