Hi Shannon.
Thanks for the additional information (I only saw the updates to this thread yesterday, my bad).
As for notifications: I visited the mail notification interface you linked. I have never visited this one before (I feel like there were a bunch of predecessors or parallel interfaces where I made similar selections in the past). THIS incarnation of an interface had checked "Critical Notification" and a bunch of other things, but "Security Notification" was unchecked. I made sure it's all checked now.
As for the required security fix: I'll toy today with our dev installation to implement the procedure you folks recommend for 12.3.8, and determine whether we need to download and distribute a key file for our ~900 agents individually, or whether that can somehow be streamlined by us. Again I will also need to give a management recommendation soon whether to perform this expensive action at all, or accept a (largely unspecified) security risk.
Let's just say all of this is not exactly a great situation for anyone involved.
Not to beat a dead horse too much, but: On another layer, the entire situation is, let's say, resurfacing more questions. For many years (back to pre-CA days), our company and others have asked the regents of Automic (a middle-ware handling both extremely sensitive data and credentials) for it to be independently audited for security. CA has told us that the software is audited by a reputable third party, but refused to divulge who that is, and any of the findings/reports. It would appear that security researchers unaffiliated with Broadcom have now uncovered a number of flaws. It would appear from the available information that this would pose major questions on the thoroughness of these independent audits.
About two years ago, I reported a security concern myself (one that is very high impact, albeit possibly also entirely or near-unavoidably ingrained in product design). I proposed a possible way to escalate this concern even further into a vulnerability (which, granted, I didn't test for because that required certain prep work, but would have appreciated an answer to). I deliberately reported this not to product management, but at that time to a security function published on the Broadcom website. It later turned out that this security function was merely inherited from Symantec. Yet I was told that Broadcom takes such reports seriously and will investigate, however, I never noted any further correspondence from Broadcom on the matter ever again.
Maybe it is time to rethink what Broadcom/Automic should do to rebuild trust in the security assurances for the product?
Thanks,
Carsten
Original Message:
Sent: Jun 20, 2022 05:38 PM
From: Shannon Hebert
Subject: Security Notice for CA Automic Automation
Hi Carsten and All,
Our notifications are sent from support-noreply@broadcom.com and contain a hyperlink that your corporate email security may have flagged. I'll look to ensure all is working as it should with our notifications, though please ensure you're signed up for all related Automic products by searching and enabling the notification from here: https://support.broadcom.com/user/notifications.html
Our goal with the recent security advisory is to ensure customers don't get compromised. We provided fixes and published a security advisory last year to give customers adequate time to upgrade. We chose not to disclose details publicly to protect customers and allow you time to upgrade/apply fixes. The security researcher requested public recognition, which is the reason for filing the CVEs, now updated here.
As stated in the announcement, the recommendation and solution for the Unix agent vulnerabilities are to update to at least 12.3.7. We recommend you use the latest version of the major release you're on, which is currently 12.3.8 HF3, and 21.0.3 HF1 was published today.
The recommendation for the Automation Engine vulnerability is to either turn on the local_remote authentication method or update it to 21.0. Both can be used. Or, if our customers use local_remote for authentication in 12.3 as a short to medium-term mitigation, it can be turned off in 21.0 using the method described in the documentation.
- It is also possible in version 21.0 to retrieve the authentication package through a REST method.
When considering what action to take, the risk is reduced substantially if your agents are protected within internal networks and have strict security guidelines for users. If agents are located on the DMZ/accessible to the internet, the AE engine, components, and agents should be upgraded to 12.3.7+ with local_remote or v21 with TLS in place as they're at risk. Each customer will have to assess the risk for themselves.
Broadcom PM, Engineering, and Support want to ensure customers take appropriate action to mitigate potential risk. We'll look over your upgrade plan and give feedback before your maintenance. If you're upgrading to v21.0, we have July 16th and October 15th open for 2022 Designated Upgrade Weekends.
Please create a Support case if you have any questions or would like us to review your plans.
Thanks,
-Shannon
Shannon Hebert
Manager of Automation Support
Broadcom Software
Original Message:
Sent: Jun 20, 2022 05:26 AM
From: Carsten Schmitz
Subject: Security Notice for CA Automic Automation
All: Broadcom has published an UPDATE to the security advisory.
I don't know about you, but I have NOT received email notification about this by Broadcom. Either way, here it is:
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/20629
12.3.7+HF2 is NOT sufficient anymore, apparently one now needs 12.3.8 instead. Or maybe 21? Not sure. Apparently, writing unambiguous advisories is hard :(
For all vulnerabilities:
Upgrade UNIX Agents and Automation Engine to V21
The current and recommended releases are 21.0.3 or 12.3.8.
It also adds that for V12.3.x, the agent authentication method needs to be changed to LOCAL_REMOTE, which entails downloading, from AWI, a key file for every agent, and deploying it as a zip file to every agent (that has a key store).
Side note: For us, this means we'd need to download about 800 files manually, by hand, from AWI, and deploy them to computers that are managed by a third party. Which is NOT a workable process.
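The two messages above describe the same task from opposite ends: the 12.3.x procedure is to download one key file per agent from AWI and deploy it as a zip, and for v21 the authentication package can be retrieved over a REST method. The script below is an added example, not code from this thread or from Broadcom, of how a batch retrieval over that REST path could be structured so that nobody downloads ~800 files by hand. The endpoint path template (AUTH_PKG_PATH) and the assumption that the response body is a zip archive are assumptions to be checked against the AE REST API reference for your version; the HTTP transport is injected so the batch logic (per-agent error isolation, rejecting non-zip bodies such as an HTML login page returned with HTTP 200, safe file naming) can be exercised offline.

```python
"""Bulk retrieval of Automic agent authentication packages over REST.

Added example, not Broadcom/Automic code. ASSUMPTIONS (not facts; verify
against your AE REST API reference before use):
  * AUTH_PKG_PATH is the endpoint that returns one agent's package.
  * The response body is the same zip archive AWI hands out per agent.
"""
import base64
import io
import urllib.parse
import urllib.request
import zipfile
from pathlib import Path
from typing import Callable, Dict, Iterable, List

# ASSUMED path template, not taken from Broadcom documentation.
AUTH_PKG_PATH = "/ae/api/v1/{client}/system/agents/{agent}/authenticationpackage"


def build_request(base_url: str, client: int, agent: str,
                  user: str, password: str) -> urllib.request.Request:
    """Build an authenticated GET for one agent; the agent name is URL-quoted."""
    path = AUTH_PKG_PATH.format(client=client,
                                agent=urllib.parse.quote(agent, safe=""))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": f"Basic {token}",
                 "Accept": "application/octet-stream"},
        method="GET",
    )


def validate_package(data: bytes) -> List[str]:
    """Reject anything that is not a real, intact, non-empty zip archive
    (for example an HTML login page returned with HTTP 200) and return the
    archive's member names."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("response body is not a zip archive")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if zf.testzip() is not None:
            raise ValueError("zip archive is corrupt")
        names = zf.namelist()
    if not names:
        raise ValueError("zip archive is empty")
    return names


def http_fetch(req: urllib.request.Request, timeout: float = 30.0) -> bytes:
    """Default transport: perform the request and return the body bytes."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def fetch_all(agents: Iterable[str], base_url: str, client: int,
              user: str, password: str, out_dir: Path,
              fetch: Callable[[urllib.request.Request], bytes] = http_fetch
              ) -> Dict[str, str]:
    """Fetch one package per agent into out_dir/<quoted agent name>.zip.

    One failing agent (no key store, HTTP 404, non-zip body) must not abort
    the rest of the batch; the result maps each agent to "ok" or "error: ..."."""
    out_dir.mkdir(parents=True, exist_ok=True)
    results: Dict[str, str] = {}
    for agent in agents:
        try:
            body = fetch(build_request(base_url, client, agent, user, password))
            validate_package(body)
            # Quoting the name keeps "/" or ".." in an agent name out of the path.
            safe_name = urllib.parse.quote(agent, safe="")
            (out_dir / f"{safe_name}.zip").write_bytes(body)
            results[agent] = "ok"
        except Exception as exc:  # urllib.error.HTTPError, ValueError, ...
            results[agent] = f"error: {exc}"
    return results


if __name__ == "__main__":
    import sys
    # Usage: python fetch_auth_packages.py https://ae.example:8088 100 USER PASS agents.txt out/
    url, client_id, user, pw, agent_file, out = sys.argv[1:7]
    names = [ln.strip() for ln in Path(agent_file).read_text().splitlines() if ln.strip()]
    for agent, status in fetch_all(names, url, int(client_id), user, pw, Path(out)).items():
        print(f"{agent}: {status}")
```

The agent list (one name per line) can be exported from the Agents view in AWI; the per-agent status map is what you would hand to whoever operates the third-party-managed hosts, so that agents whose retrieval failed are visible before deployment rather than discovered when the agent refuses to connect.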
Original Message:
Sent: Jun 10, 2022 03:04 AM
From: Keld Mollnitz
Subject: Security Notice for CA Automic Automation
CA Technologies, A Broadcom Company, is alerting customers to multiple vulnerabilities in CA Automic Automation. Multiple vulnerabilities exist that can allow a remote attacker to execute arbitrary code or commands, access sensitive data, enumerate users, or elevate privileges. CA has published solutions to address these vulnerabilities and recommends that all affected customers implement these solutions.
More info can be found here:
Support Content Notification - Support Portal - Broadcom support portal
/Keld.