CA20190117-01: Security Notice for CA Service Desk Manager

2019-01-20 Thread Kevin Kotas

CA20190117-01: Security Notice for CA Service Desk Manager

Issued: January 17, 2019
Last Updated: January 17, 2019

CA Technologies Support is alerting customers to multiple potential
risks with CA Service Desk Manager. Multiple vulnerabilities exist
that can allow a remote attacker to access sensitive information or
possibly gain additional privileges. CA published solutions to
address the vulnerabilities.

The first vulnerability, CVE-2018-19634, is due to how survey access
is implemented. A malicious actor can access and submit survey
information without authentication.

The second vulnerability, CVE-2018-19635, allows for a malicious
actor to gain additional privileges.

Risk Rating

High

Platform(s)

All platforms

Affected Products

CA Service Desk Manager 14.1
CA Service Desk Manager 17

How to determine if the installation is affected

CA Service Desk Manager r14.1:
Versions prior to 14.1.05.1 are vulnerable.

CA Service Desk Manager r17 Windows:
Versions 17.1.0.1 and prior without the 17.1.0.1 language patch from
the Solution section are vulnerable.

CA Service Desk Manager r17 Linux:
Versions prior to 17.1.0.2 are vulnerable.

Solution

CA Technologies published the following solutions to address the
vulnerabilities.

CA Service Desk Manager r14.1:

Update to CA Service Desk Manager 14.1.05.1. The rollup patches are
available on the CA Service Desk Manager 14.1 Solutions & Patches
page.

Windows - SO05733
Sun - SO05716
Linux - SO05715

CA Service Desk Manager R17 Linux:
Update to 17.1.0.2 from the CA Service Desk Manager 17.1 Solutions
& Patches page.

CA Service Desk Manager R17 Windows:
Update to 17.1.0.2. Alternatively, update to 17.1.0.1 and install the
corresponding language patch for the Service Desk Manager
installation. All fixes are available on the CA Service Desk Manager
17.1 Solutions & Patches page.

Chinese - SO06055
English - SO06036
French - SO06051
French Canadian - SO06039
German - SO06037
Italian - SO06052
Japanese - SO06053
Portuguese - SO06054
Spanish - SO06038

References

CVE-2018-19634 - CA Service Desk Manager survey access
CVE-2018-19635 - CA Service Desk Manager privilege escalation

Acknowledgement

CVE-2018-19634 and CVE-2018-19635 - Bui Duy Hiep

Change History

Version 1.0: 2019-01-17 - Initial Release

CA customers may receive product alerts and advisories by subscribing
to Proactive Notifications.

Customers who require additional information about this notice may
contact CA Technologies Support at http://support.ca.com/.

To report a suspected vulnerability in a CA Technologies product,
please send a summary to CA Technologies Product Vulnerability
Response at vuln@ca.com

Security Notices and PGP key
support.ca.com/irj/portal/anonymous/phpsbpldgpg
www.ca.com/us/support/ca-support-online/documents.aspx?id=177782

Kevin Kotas
Vulnerability Response Director
CA Technologies Product Vulnerability Response

Copyright 2019 Broadcom. All Rights Reserved. The term "Broadcom"
refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse
logo, Connecting everything, CA Technologies and the CA technologies
logo are among the trademarks of Broadcom. All trademarks, trade
names, service marks and logos referenced herein belong to their
respective companies.



Defense in depth -- the Microsoft way (part 59): we only fix every other vulnerability

2019-01-20 Thread Stefan Kanthak
Hi @ll

the executable self-extractor (and its payload too)

for the "Microsoft Office Subject Interface Packages for Digitally Signing VBA Projects",
available via ,
published April 19 2018, is (SURPRISE!) vulnerable!

Vulnerability #1


On a fully patched Windows 7, officesips.exe loads at least the
following system DLLs from its "application directory" instead of
from Windows' "system directory" %SystemRoot%\System32\:

UXTheme.dll, Cabinet.dll, Version.dll, WindowsCodecs.dll,
AppHelp.dll, SrvCli.dll, CSCAPI.dll, SLC.dll, Secur32.dll,
NTMARTA.dll, SAMCli.dll, SAMLib.dll, NetUtils.dll

For executable self-extractors and installers the "application
directory" is typically the user's "Downloads" directory
%USERPROFILE%\Downloads, where the unprivileged user or an
attacker can place these DLLs (the latter for example per
"drive by" download), resulting in arbitrary code execution.

See 
and 
plus 
for this well-known and well-documented vulnerability.

Also see Microsoft's own guidance
,
,
 and

for avoiding such BEGINNER'S ERRORS!

Proof of concept:
~

1. follow the instructions on
   
   and build "forwarder" DLLs for the above named system DLLs in
   your "Downloads" directory.

2. fetch
   

   and save it in your "Downloads" directory.

3. run officesips.exe per double-click: notice the message boxes
   displayed from the DLLs built in step 1.


FIX: DUMP ALL THESE VULNERABLE EXECUTABLES!
 Provide an authenticode signed .CAB with the payload instead!


The icing on the cake: the "application manifest" embedded within
the executable self-extractor specifies "requireAdministrator", thus
resulting in arbitrary code execution WITH escalation of privilege.


But it's not over yet: as recommended by the included readme.txt,
extract the files into the well-secured %ProgramFiles% directory
(this is easy, as the self-extractor has already acquired the necessary
administrative privileges.-).

Following the instructions from the readme.txt, start an elevated
command prompt via [Shift] right-click and (try to) register the
extracted DLLs via the following command lines:

REGSVR32.exe "%ProgramFiles%\vbe7.dll"
REGSVR32.exe "%ProgramFiles%\msosip.dll"
REGSVR32.exe "%ProgramFiles%\msosipx.dll"


Vulnerability #2


These command lines load the following DLLs from the PATH, calling
their entry point function with administrative privileges:

MSVCR100.dll, VCRuntime140.dll and MSVCP140.dll

Since these DLLs are NOT shipped with Windows they are searched via
the PATH; if these DLLs are not found, REGSVR32.exe displays an error
message, clearly indicating this weakness.

AGAIN see 
and 
plus 
for this well-known and well-documented vulnerability.

(Unprivileged) users have FULL control over their own PATH environment
variable stored in the following registry entry

[HKEY_CURRENT_USER\Environment]
"PATH"="[;...]"

During user logon, the user's PATH is appended to the machine's PATH.
The (unprivileged) user can also change the PATH environment variable
ANY time after logon.
The (changed) PATH is inherited by EVERY new process, including the
elevated command prompt started by the user via [Shift] right-click.

Proof of concept:
~

1. dump the imports referenced by VBE7.dll, MSOSIP.dll and MSOSIPX.dll
   in their load-time dependencies MSVCR100.dll, MSVCP140.dll and
   VCRuntime140.dll:

   LINK.exe /DUMP /IMPORTS /OUT:officesips.txt "%ProgramFiles%\vbe7.dll" "%ProgramFiles%\msosip.dll" "%ProgramFiles%\msosipx.dll"

2. use an arbitrary text editor to generate module definition files
   MSVCR100.def, MSVCP140.def and VCRuntime140.def from the output
   file officesips.txt

--- MSVCR100.def ---
LIBRARY MSVCR100

EXPORTS
   __clean_type_info_names_internal=_dummy
   ?_type_info_dtor_internal_method@type_info@@QAEXXZ=_dummy
   ...
--- EOF ---

3. create the following text file:

--- officesips.c ---
#include <windows.h>

/* Entry point of the planted DLL: runs when the vulnerable process loads it. */
BOOL WINAPI _DllMainCRTStartup(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    MessageBoxW((HWND) NULL, L"pwned!", L"pwned!", MB_ICONERROR);
    return TRUE;
}
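The two search-order weaknesses described in the post above (system DLLs resolved from the self-extractor's "application directory", and CRT DLLs resolved through the user-controlled PATH by an elevated REGSVR32.exe) can be walked through offline with the following simulation of the Windows loader. This is an added example, not code from the original post or from Microsoft: the host layout, the user name "alice", the KnownDLLs subset, the file lists and the PATH value are all constructed, and the `hardened` flag models what a process gets after calling `SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)`.

```python
# Added example (not from the original post): model the Windows DLL search
# order to see where officesips.exe and REGSVR32.exe would pick up each DLL.
# Host layout, user name, KnownDLLs subset and PATH value are constructed.
from dataclasses import dataclass

SYSTEM32 = r"c:\windows\system32"
SYSTEM16 = r"c:\windows\system"
WINDIR = r"c:\windows"
DOWNLOADS = r"c:\users\alice\downloads"   # constructed: app dir of the self-extractor
USER_BIN = r"c:\users\alice\bin"          # constructed: dir the user put on HKCU PATH
PROGRAM_FILES = r"c:\program files"


@dataclass
class Host:
    """Constructed stand-in for a Windows box; directory keys and names are lower-case."""
    files: dict          # directory -> set of file names present there
    known_dlls: set      # always mapped from System32, whatever the search order says
    user_writable: set   # directories an unprivileged user can write to

    def has(self, directory, name):
        return name.lower() in self.files.get(directory.lower(), set())


def search_order(app_dir, cwd, path):
    """Default (SafeDllSearchMode=1) order LoadLibrary uses for a bare DLL name."""
    return [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd] + [p for p in path.split(";") if p]


def resolve(host, dll, app_dir, cwd, path, hardened=False):
    """Return (directory, hijackable) for dll, or (None, False) if the load fails.

    hardened=True models SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32):
    only System32 is searched, so planted copies in app dir, CWD or PATH are ignored.
    """
    if dll.lower() in host.known_dlls:
        return SYSTEM32, False
    dirs = [SYSTEM32] if hardened else search_order(app_dir, cwd, path)
    for d in dirs:
        if host.has(d, dll):
            return d, d.lower() in host.user_writable
    return None, False


def audit(host, dlls, app_dir, cwd, path, hardened=False):
    """Resolve every DLL; return the map plus the sorted names served from writable dirs."""
    result = {dll: resolve(host, dll, app_dir, cwd, path, hardened) for dll in dlls}
    hijackable = sorted(dll for dll, (_, bad) in result.items() if bad)
    return result, hijackable


HOST = Host(
    files={
        SYSTEM32: {"kernel32.dll", "user32.dll", "uxtheme.dll", "version.dll", "cabinet.dll"},
        DOWNLOADS: {"officesips.exe", "uxtheme.dll", "version.dll"},  # planted forwarders
        USER_BIN: {"msvcr100.dll"},                                    # planted CRT
        PROGRAM_FILES: {"vbe7.dll", "msosip.dll", "msosipx.dll"},      # extracted payload
    },
    known_dlls={"kernel32.dll", "user32.dll"},
    user_writable={DOWNLOADS, USER_BIN},
)
# Machine PATH with the HKCU\Environment PATH appended, as the logon process does.
PATH = ";".join([SYSTEM32, WINDIR, USER_BIN])

# Vulnerability #1: the self-extractor runs from Downloads, so that is its app dir.
SELF_EXTRACTOR_IMPORTS = ["kernel32.dll", "uxtheme.dll", "version.dll", "cabinet.dll"]


def demo_self_extractor(hardened=False):
    return audit(HOST, SELF_EXTRACTOR_IMPORTS, DOWNLOADS, DOWNLOADS, PATH, hardened)


# Vulnerability #2: REGSVR32.exe lives in System32; the DLLs it registers need a CRT
# that Windows does not ship, so the lookup falls through to the inherited PATH.
REGSVR32_IMPORTS = ["kernel32.dll", "msvcr100.dll"]


def demo_regsvr32(hardened=False):
    return audit(HOST, REGSVR32_IMPORTS, SYSTEM32, PROGRAM_FILES, PATH, hardened)


if __name__ == "__main__":
    for label, demo in (("officesips.exe", demo_self_extractor), ("regsvr32", demo_regsvr32)):
        for hardened in (False, True):
            result, bad = demo(hardened)
            print(f"{label} hardened={hardened}: hijackable={bad}")
            for dll, (where, _) in result.items():
                print(f"  {dll:14} -> {where}")
```

Running the script shows UXTheme.dll and Version.dll coming from Downloads and MSVCR100.dll from the user's PATH entry in the default mode, and only System32 (or a failed load for the non-shipped CRT) once the loader is restricted, which is why the fix for installers is to restrict the search path or ship a signed payload rather than rely on the default order.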