Today the DHS ICS-CERT published a new control system security advisory for a product from CA Technologies. Earlier this week I missed the fact that they also updated a previously published (and much updated) advisory for multiple products from Siemens.
CA Technologies Advisory
This advisory describes a directory traversal vulnerability in the CA Technologies Unified Infrastructure Management application. The vulnerability was reported by Andrea Micalizzi (rgod), working with Zero Day Initiative. CA Technologies has produced an update to mitigate the vulnerability. There is no indication that Andrea has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to create or overwrite critical files that are used to execute code, such as programs or libraries.
The CA Technologies Security Notice (not referenced in the ICS-CERT Advisory) includes two additional vulnerabilities:
• Insecure handling of session IDs - CVE-2016-9164; and
• Path traversal information disclosure - CVE-2016-9165.