CVE-2020-8012
Published 2020-02-18
Priority P277 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 77.57% (99.5th percentile)
CA Unified Infrastructure Management (Nimsoft/UIM) 20.1, 20.3.x, and 9.20 and below contains a buffer overflow vulnerability in the robot (controller) component. A remote attacker can execute arbitrary code.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | unified_infrastructure_management | <= 9.20 | — |
| broadcom | unified_infrastructure_management | — | — |
| broadcom | unified_infrastructure_management | 20.3.0 – 20.3.3 | — |
| ca_technologies_a_broadcom_company | ca_unified_infrastructure_management | — | — |
Detection & IOCs (extracted from sources)
bytes: 6e 69 6d 62 75 73 2f 31 2e 30 20
bytes: 6d 74 79 70 65 0F 37 0F 34 0F 31 30 30 0F 63 6d 64 0F
- Detect exploitation attempts by monitoring for Nimbus protocol packets (magic bytes 'nimbus/1.0') containing a directory_list probe with oversized arguments; the buffer overflow is triggered via a specially crafted directory_list probe to the nimcontroller (robot) component.
- Alert on network traffic beginning with the Nimbus/1.0 protocol header bytes (\x6e\x69\x6d\x62\x75\x73\x2f\x31\x2e\x30\x20) from unauthenticated/external sources, especially if followed by a directory_list command.
- Exploitation requires CVE-2020-8010 to also be present on the target to reach the directory_list probe; correlate detections for both CVEs on the same host.
- The exploit is unauthenticated and targets a fully remote x64 stack-based buffer overflow that bypasses the stack cookie; monitor for unexpected child processes or network connections spawned from the nimcontroller/robot service process.
- The PoC shellcode is a windows/x64/meterpreter/reverse_tcp payload; detect the shellcode stub bytes \xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00 in network streams or memory of the nimcontroller process.
- The exploit does not crash the service, making it stealthy; rely on behavioral detection (unexpected outbound connections, new processes) rather than crash/fault monitoring for the nimcontroller service.
- The PoC hardcodes a specific LHOST/LPORT in the shellcode (192.168.159.157:42); real-world attackers will substitute their own callback address, so do not rely on these specific values for detection.
- The PoC uses a hardcoded fake client address '127.0.0.1/1337' in the Nimbus frm field; this may differ in other exploit variants.
- The exploit may require multiple attempts on Windows Server 2012; a single failed connection attempt should not be treated as definitive evidence of non-exploitation.
- Affected versions span CA UIM 20.1, 20.3.x, and 9.20 and below per the NVD advisory, not just the 7.80 build tested in the PoC; detection and patching scope should cover all listed versions.
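The network-side checks in the list above, combined into one per-host triage pass. This is an added example, not code from this page or from any of the indexed sources. The size threshold, the function and finding names, and the sample payloads are assumptions constructed for illustration; the samples are not faithful Nimbus frames.

```python
from collections import defaultdict

# Byte values taken from the IOC list on this page.
NIMBUS_MAGIC = bytes.fromhex("6e 69 6d 62 75 73 2f 31 2e 30 20")  # b"nimbus/1.0 "
SHELLCODE_STUB = b"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00"
PROBE = b"directory_list"
MAX_ARG_BYTES = 512  # assumption: tunable cut-off for "oversized arguments"
ALERTING = {"oversized_directory_list_args", "shellcode_stub"}

def inspect_stream(payload: bytes, src_trusted: bool) -> list:
    """Return findings for one reassembled TCP payload sent to a robot."""
    findings = []
    if SHELLCODE_STUB in payload:  # checked even outside Nimbus framing
        findings.append("shellcode_stub")
    if not payload.startswith(NIMBUS_MAGIC):
        return findings
    if not src_trusted:
        findings.append("nimbus_from_untrusted_source")
    idx = payload.find(PROBE)
    if idx != -1:
        findings.append("directory_list_probe")
        # Everything after the probe name is treated as its arguments.
        if len(payload) - (idx + len(PROBE)) > MAX_ARG_BYTES:
            findings.append("oversized_directory_list_args")
    return findings

def triage(events):
    """Group alert-worthy streams by destination host. Attempts are counted
    because the page notes that exploitation may take several tries."""
    hosts = defaultdict(lambda: {"attempts": 0, "findings": set()})
    for _src, dst, payload, src_trusted in events:
        found = set(inspect_stream(payload, src_trusted))
        untrusted_probe = {"nimbus_from_untrusted_source",
                           "directory_list_probe"} <= found
        if found & ALERTING or untrusted_probe:
            hosts[dst]["attempts"] += 1
            hosts[dst]["findings"] |= found
    return dict(hosts)

# Constructed samples: (source, destination, payload, source is trusted)
_BIG = NIMBUS_MAGIC + b"constructed\r\ncmd directory_list " + b"A" * 2000
SAMPLES = [
    ("10.0.0.5", "10.0.0.9",
     NIMBUS_MAGIC + b"constructed\r\ncmd directory_list /tmp", True),
    ("203.0.113.7", "10.0.0.9", _BIG, False),
    ("203.0.113.7", "10.0.0.9", _BIG, False),
    ("10.0.0.5", "10.0.0.12", b"GET / HTTP/1.1\r\n\r\n", True),
]

if __name__ == "__main__":
    print(triage(SAMPLES))
```

Hosts returned by `triage` are the ones to correlate with CVE-2020-8010 detections and with process and outbound-connection telemetry for the nimcontroller service.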
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
Exploit-DB
CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow
exploitdb·2020-03-02·CVSS 9.8
CVE-2020-8012 [CRITICAL] CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow
---
# Exploit Title: CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow
# Exploit Author: wetw0rk
# Exploit Version: Public POC
# Vendor Homepage: https://docops.ca.com/ca-unified-infrastructure-management/9-0-2/en
# Software Version : 7.80
# Tested on: Windows 10 Pro (x64), Windows Server 2012 R2 Standard (x64)
# CVE: CVE-2020-8012
/**************************************************************************************************************************
* *
* Description: *
* *
* Unauthenticated Nimbus nimcontroller RCE, tested against build 7.80.3132 although multiple versions are affected. *
* The exploit won't crash the service. *
* *
* You may have to run the exploit code multiple tim
Metasploit
CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow
metasploit·CVSS 9.8
CVE-2020-8010 [CRITICAL] CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow
This module exploits a buffer overflow within the CA Unified Infrastructure Management nimcontroller. The vulnerability occurs in the robot (controller) component when sending a specially crafted directory_list probe. Technically speaking the target host must also be vulnerable to CVE-2020-8010 in order to reach the directory_list probe.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/156577/Nimsoft-nimcontroller-7.80-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/158693/CA-Unified-Infrastructure-Management-Nimsoft-7.80-Buffer-Overflow.html
- https://support.broadcom.com/external/content/security-advisories/CA20200205-01-Security-Notice-for-CA-Unified-Infrastructure-Management/7832
- https://techdocs.broadcom.com/us/product-content/status/announcement-documents/2019/ca20200205-01-security-notice-for-ca-unified-infrastructure-management.html