CA20190523-01: Security Notice for CA Risk Authentication and CA Strong Authentication
29 November 2019
Issued: May 23, 2019
Last Updated: November 19, 2019
The Support team for CA Technologies, A Broadcom Company, is alerting customers to multiple potential risks with CA Risk Authentication and CA Strong Authentication. Multiple vulnerabilities exist that can allow a remote attacker to gain additional access in certain configurations or possibly gain sensitive information. CA published solutions to address the vulnerabilities and recommends that all affected customers implement these solutions immediately.
The first vulnerability, CVE-2019-7394, occurs due to insufficient verification of custom privileges. A malicious actor who has access to an account with customized and limited privileges may, in some cases, access resources and act outside of the assigned privileges. This exposure does not affect installations where accounts do not have custom privileges.
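The weakness class described above (an account whose privilege set has been deliberately narrowed still being able to act outside it) is easiest to reason about next to the pattern that prevents it. The following is an added illustration, not code from the advisory or from the CA products; the privilege names, operation names and the Account model are constructed assumptions. It contrasts a coarse check that only confirms the caller is an administrator-type login with a deny-by-default check that validates the specific privilege on every call, and includes a small audit helper that reports the operations the coarse check would grant beyond the account's explicit privilege set.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Set

# Constructed, hypothetical privilege model for illustration only. The privilege
# and operation names are assumptions, not identifiers from the CA products.
ALL_PRIVILEGES: FrozenSet[str] = frozenset(
    {"user.read", "user.create", "user.delete", "policy.edit", "report.view"}
)

# Each protected administrative operation maps to the one privilege it requires.
REQUIRED_PRIVILEGE: Dict[str, str] = {
    "list_users": "user.read",
    "create_user": "user.create",
    "delete_user": "user.delete",
    "edit_policy": "policy.edit",
    "view_report": "report.view",
}


@dataclass(frozen=True)
class Account:
    name: str
    is_administrator: bool       # coarse "is this an admin-type login" flag
    privileges: FrozenSet[str]   # the explicit, possibly customized, privilege set


def authorize_coarse(account: Account, operation: str) -> bool:
    """Flawed pattern: verifies only that the caller is an administrator-type
    account and that the operation exists. An account with a deliberately
    reduced privilege set still passes, which is the class of weakness the
    advisory calls insufficient verification of custom privileges."""
    return account.is_administrator and operation in REQUIRED_PRIVILEGE


def authorize(account: Account, operation: str) -> bool:
    """Deny-by-default pattern: unknown operations are refused, and the
    operation's required privilege must be present in the account's own
    privilege set, so customized limits are enforced on every call."""
    required = REQUIRED_PRIVILEGE.get(operation)
    if required is None:
        return False
    return required in account.privileges


def permitted_operations(
    account: Account, check: Callable[[Account, str], bool]
) -> Set[str]:
    """Enumerate every operation a given check would allow for this account."""
    return {op for op in REQUIRED_PRIVILEGE if check(account, op)}


def privilege_escape(account: Account) -> Set[str]:
    """Operations the coarse check grants beyond what the account's explicit
    privilege set permits. A non-empty result is the condition an
    authorization test should flag."""
    return permitted_operations(account, authorize_coarse) - permitted_operations(
        account, authorize
    )


if __name__ == "__main__":
    full_admin = Account("admin", True, ALL_PRIVILEGES)
    helpdesk = Account("helpdesk", True, frozenset({"user.read", "report.view"}))
    print("full admin escape:", privilege_escape(full_admin))
    print("helpdesk escape:", privilege_escape(helpdesk))
```

Running the block shows an empty escape set for the full administrator and three operations (create_user, delete_user, edit_policy) for the customized helpdesk account under the coarse check, which is exactly the situation the advisory's "does not affect installations where accounts do not have custom privileges" sentence describes: the gap only opens once a privilege set is narrower than the account type implies.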
The second vulnerability, CVE-2019-7393, may enable a malicious actor to conduct UI redress attacks to gain sensitive information in some cases.
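UI redress (clickjacking) is mitigated on the server side by telling browsers which origins may frame a page, through the Content-Security-Policy frame-ancestors directive or the older X-Frame-Options header. The following is an added example, not code from the advisory or from the CA products, that a defender can run against captured response headers to confirm the control is present; the sample header sets are constructed, and the page names in them are assumptions. It applies the browser precedence rule that a frame-ancestors directive, when present, overrides X-Frame-Options.

```python
from typing import Dict, List, Optional

# Constructed sample responses (headers only) for pages of a hypothetical
# administrative web application. The names and values are assumptions.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "admin_console_hardened": {
        "Content-Type": "text/html",
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    },
    "legacy_login": {"Content-Type": "text/html"},
    "partner_embed": {
        "Content-Security-Policy": "frame-ancestors 'self' https://portal.example.test"
    },
    "misconfigured": {
        # frame-ancestors takes precedence, so the DENY below is ineffective
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors *",
    },
    "xfo_only": {"X-Frame-Options": "sameorigin"},
}


def csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None when
    the policy carries no such directive. An empty list means the directive
    is present with no sources, which browsers treat like 'none'."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def frame_protection_status(headers: Dict[str, str]) -> Dict[str, object]:
    """Evaluate one response's anti-framing headers. Header names are matched
    case-insensitively. frame-ancestors, when present, decides the result;
    otherwise X-Frame-Options DENY or SAMEORIGIN counts as restricted."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    status: Dict[str, object] = {
        "x_frame_options": None,
        "frame_ancestors": None,
        "framing_restricted": False,
        "decided_by": None,
    }
    xfo = lowered.get("x-frame-options")
    if xfo is not None:
        status["x_frame_options"] = xfo.upper()
    csp = lowered.get("content-security-policy")
    ancestors = csp_frame_ancestors(csp) if csp else None
    if ancestors is not None:
        status["frame_ancestors"] = ancestors
        status["decided_by"] = "frame-ancestors"
        # A bare '*' allows any origin to frame the page; anything else restricts.
        status["framing_restricted"] = "*" not in ancestors
    elif xfo is not None:
        status["decided_by"] = "x-frame-options"
        status["framing_restricted"] = xfo.upper() in ("DENY", "SAMEORIGIN")
    return status


def unprotected_pages(responses: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of pages whose headers do not restrict framing, sorted."""
    return sorted(
        name
        for name, hdrs in responses.items()
        if not frame_protection_status(hdrs)["framing_restricted"]
    )


if __name__ == "__main__":
    for page in unprotected_pages(SAMPLE_RESPONSES):
        print("framing not restricted:", page)
```

On the constructed samples the check reports legacy_login (no header at all) and misconfigured (a permissive frame-ancestors that overrides a DENY) as unprotected; the same function can be pointed at headers captured from a real deployment after the published fix is applied to verify that sensitive pages carry a restrictive policy.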
Risk Rating
Medium
Platform(s)
All supported platforms
Affected Products
CA Risk Authentication 9.0.02 and prior
CA Risk Authentication 8.2.02 and prior, 8.1.x, 8.0.x
CA Risk Authentication 3.1.01_CR01 and prior
CA Strong Authentication 9.0.02 and prior
CA Strong Authentication 8.2.02 and prior, 8.1.x, 8.0.x
CA Strong Authentication 7.1.01_CR01 and prior
How to determine if the installation is affected
Customers should review the solution section to determine whether the fixes are present in their installations.
Solution
CA Technologies published the following solutions to address the vulnerabilities. These fixes are available on the CA support site at https://casupport.broadcom.com/download-center/download-center.html.
To find the fixes, use the following instructions:
1. From the CA support homepage, https://casupport.broadcom.com, expand the MENU drop-down list and select DOWNLOAD MANAGEMENT.
2. Search for the product and select it from the drop-down list (CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort), CA Strong Authentication, or CA Risk Authentication).
3. After the results load for the product, select Solution Downloads, then select the appropriate product name.
4. The fix has a PUBLISHED SOLUTION name in the format "CA-ADVANCEDAUTH-X.X_ADMIN_VULNERABILITIES", where X.X is the product version, together with a single corresponding fix number.
Note that the fix number differs for some product platforms, and not every fix number appears in the table below. Customers should contact support if further assistance is needed in determining the appropriate product fix.
Fix Table
| Product versions | Status | Package name | Solution/APAR number |
|---|---|---|---|
| Risk Auth 9.0.02 | Fix published | SS08921 | |
| Risk Auth 9.0.01 | Update to 9.0.02 and apply fix | | |
| Risk Auth 9.0.00 | Fix published | SS08147 | |
| Risk Auth 8.2.2 | Update to 8.2.2 CP1 | | |
| Risk Auth 8.2.1 | Fix published | SS10857 | |
| Risk Auth 8.2.00 | Fix published | SS08132 | |
| Risk Auth 8.1.3 | Fix published | SS09322 | |
| Risk Auth 3.1.01 | Fix published | SS08144 | |
| Strong Auth 9.0.02 | Fix published | SS09555 | |
| Strong Auth 9.0.01 | Update to 9.0.02 and apply fix | | |
| Strong Auth 9.0.00 | Fix published | SS08146 | |
| Strong Auth 8.2.2 | Update to 8.2.2 CP1 | | |
| Strong Auth 8.2.1 | Fix published | SS10856 | |
| Strong Auth 8.2.00 | Fix published | SS08143 | |
| Strong Auth 8.1.3 | Fix published | SS09321 | |
| Strong Auth 7.1.01 | Fix published | SS08145 | |
References
CVE-2019-7394 - CA Risk Authentication and Strong Authentication Privilege Escalation
CVE-2019-7393 - CA Risk Authentication and Strong Authentication Privilege UI Redress
Acknowledgement
CVE-2019-7393, CVE-2019-7394 - Rohit Yadav
Change History
Version 1.0: Initial Release
Version 1.1: 2019-05-23 - Corrected CVE identifier, added direct fix links
Version 2: 2019-06-06 - Updated affected versions, fix guidance and clarified fix versions
Version 3: 2019-08-08 - Added fix table with additional fix guidance
Version 4: 2019-11-19 - Added additional fix guidance for 8.2.1, 8.2.2
CA customers may receive product alerts and advisories by subscribing to Proactive Notifications.
Customers who require additional information about this notice may contact CA Technologies Support at https://casupport.broadcom.com/.
To report a suspected vulnerability in a CA Technologies product, please send a summary to the CA Technologies Product Vulnerability Response Team.