Advisory ID: SYSS-2024-085
Product: CA Client Automation (CA DSM)
Manufacturer: Broadcom
Affected Version(s): 14.5.0.15
Tested Version(s): 14.5.0.15
Vulnerability Type: Improper Privilege Management (CWE-269)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2024-10-18
Solution Date: 2024-12-17
Public Disclosure: 2024-12-17
CVE Reference: CVE-2024-38499
Authors of Advisory: Matthias Deeg (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product CA Client Automation is a client management solution with many features, including desktop and server management (DSM) functionality.

The manufacturer describes the product as follows:

"CA Client Automation delivers a complete view into your entire IT asset base and employs full automation and remote client management capabilities for managing the end user computing environment -- whether physical or virtual. No matter how complex your IT environment, it streamlines the daily operational tasks that bog down your IT organization, helping you run more efficiently and cost-effectively than ever before."

Due to improper privilege management, low-privileged Windows users, or malware running in their context, are able to extract the cryptographic keys used to encrypt locally stored configuration data. This configuration data is also readable by low-privileged users and can contain sensitive information, for example service account credentials.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The desktop and server management solution Broadcom CA DSM stores some configuration data of its agent component locally on managed systems in encrypted form. The encrypted configuration data may include sensitive data such as user credentials of service accounts.

On a managed client system, low-privileged Windows users are able to extract the cryptographic key material used for encrypting specific configuration data by exploiting a design security issue in the Common Application Framework (CAF) command line tool. It was also analyzed how specific configuration data containing Windows account passwords is encrypted.

With knowledge of the encryption method, the corresponding cryptographic key material, and the encrypted configuration data, an attacker is thus able to recover locally stored sensitive data in cleartext. Depending on the locally stored secrets, recovered user credentials could be used for privilege escalation attacks and for gaining unauthorized access to other systems within the corporate network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Matthias Deeg developed a proof-of-concept software tool for extracting the cryptographic key material ("global" or "local" key) via the CAF process.

The following output demonstrates, as an example, extracting the "global" cryptographic key, which is saved in the output file "key_global.bin":

D:\>CA_DSM_keydumper.exe global "C:\Program Files (x86)\CA\DSM\Bin\CAF.exe"