CVE-2020-8012
published 2020-02-18

Priority: P277, critical 9.8 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available
EPSS: 77.57% (99.5th percentile)
CA Unified Infrastructure Management (Nimsoft/UIM) 20.1, 20.3.x, and 9.20 and below contains a buffer overflow vulnerability in the robot (controller) component. A remote attacker can execute arbitrary code.

Affected (4 ranges)

Vendor                             | Product                               | Version range   | Fixed in
broadcom                           | unified_infrastructure_management     | <= 9.20         |
broadcom                           | unified_infrastructure_management     |                 |
broadcom                           | unified_infrastructure_management     | 20.3.0 – 20.3.3 |
ca_technologies_a_broadcom_company | ca_unified_infrastructure_management  |                 |

Detection & IOCs (extracted from sources)

port: 48156
command: directory_list
version: 7.80 [Build 7.80.3132, Jun 1 2015]
bytes: 6e 69 6d 62 75 73 2f 31 2e 30 20 (ASCII "nimbus/1.0 ", the protocol header magic)
bytes: 6d 74 79 70 65 0F 37 0F 34 0F 31 30 30 0F 63 6d 64 0F (ASCII "mtype", "7", "4", "100", "cmd" separated by 0x0F bytes)
  • Detect exploitation attempts by monitoring for Nimbus protocol packets (magic bytes 'nimbus/1.0') containing a directory_list probe with oversized arguments — the buffer overflow is triggered via a specially crafted directory_list probe to the nimcontroller (robot) component.
  • Alert on network traffic beginning with the Nimbus/1.0 protocol header bytes (\x6e\x69\x6d\x62\x75\x73\x2f\x31\x2e\x30\x20) from unauthenticated/external sources, especially if followed by a directory_list command.
  • Exploitation requires CVE-2020-8010 to also be present on the target to reach the directory_list probe; correlate detections for both CVEs on the same host.
  • The exploit is unauthenticated and targets a fully remote x64 stack-based buffer overflow that bypasses the stack cookie; monitor for unexpected child processes or network connections spawned from the nimcontroller/robot service process.
  • The PoC shellcode is a windows/x64/meterpreter/reverse_tcp payload; detect the shellcode stub bytes \xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00 in network streams or memory of the nimcontroller process.
  • The exploit does not crash the service, making it stealthy; rely on behavioral detection (unexpected outbound connections, new processes) rather than crash/fault monitoring for the nimcontroller service.
  • The PoC hardcodes a specific LHOST/LPORT in the shellcode (192.168.159.157:42); real-world attackers will substitute their own callback address, so do not rely on these specific values for detection.
  • The PoC uses a hardcoded fake client address '127.0.0.1/1337' in the Nimbus frm field; this may differ in other exploit variants.
  • The exploit may require multiple attempts on Windows Server 2012; a single failed connection attempt should not be treated as definitive evidence of non-exploitation.
  • Affected versions span CA UIM 20.1, 20.3.x, and 9.20 and below per the NVD advisory, not just the 7.80 build tested in the PoC; detection and patching scope should cover all listed versions.

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P