CVE-2018-13826
📋 TL;DR
This CVE describes an XML external entity (XXE) vulnerability in CA PPM's XOG functionality that allows remote attackers to conduct server-side request forgery (SSRF) attacks. Attackers can exploit this to read internal files, scan internal networks, or potentially execute remote code. Affected versions include CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below.
💻 Affected Systems
- CA PPM (Project and Portfolio Management)
📦 What is this software?
CA PPM (Project and Portfolio Management, also known as Clarity PPM) is an enterprise application for managing projects, resources and portfolios. XOG is its XML Open Gateway, a web-service interface that accepts and returns XML documents for bulk import and export of PPM data, which is why it processes caller-supplied XML.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.
Likely Case
Server-side request forgery allowing internal network scanning, file disclosure, and potential data leakage.
If Mitigated
Limited impact with proper network segmentation, XML parsing restrictions, and input validation in place.
🎯 Exploit Status
XXE vulnerabilities are well-understood with many public exploitation techniques available. The advisory indicates remote attackers can exploit this.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply patches as specified in CA Security Notice CA20180829-01
Vendor Advisory: https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180829-01--security-notice-for-ca-ppm.html
Restart Required: Yes
Instructions:
1. Review CA Security Notice CA20180829-01.
2. Download the appropriate patches from CA Support.
3. Apply the patches following CA's installation instructions.
4. Restart CA PPM services.
5. Verify the fix using the verification steps below.
🔧 Temporary Workarounds
Disable external entity processing
- Configure XML parsers to disable external entity resolution and DTD processing
- Configure XML parser settings: set features like javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING to true
- Disable DTD processing in XML parsers
Network segmentation
- Restrict network access to CA PPM instances and limit outbound connections from affected servers
- Configure firewall rules to limit CA PPM server outbound connections
- Implement network segmentation to isolate CA PPM from sensitive internal systems
🧯 If You Can't Patch
- Disable XOG functionality if not required for business operations
- Implement strict input validation and XML schema validation for all XOG requests
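The "disable external entity processing" workaround above and the input-validation fallback in this list are the same control seen from two sides: a XOG request never legitimately needs a DOCTYPE or an entity declaration, so a gate in front of the XOG parser can refuse any body that carries one. The following is an added example, not CA PPM or CA code. CA PPM is a Java product; Python's expat binding is used here because it exposes the same DTD events a JAXP parser does, and the check is structural (parser callbacks) rather than a substring match. The sample request bodies are constructed, the `NikuDataBus` element is only loosely modelled on a XOG read request, and `check_xog_request` is a hypothetical name.

```python
"""Pre-parse gate for XOG requests: refuse any XML that carries a DOCTYPE or
an entity declaration before it reaches the real XOG parser.

Added illustration, not CA PPM code. The check rides on expat's declaration
callbacks, so whitespace or encoding games in the DOCTYPE do not bypass it.
"""
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """The document declares a DOCTYPE or an entity, neither of which a XOG
    request needs."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Raise UnsafeXmlError on the first DOCTYPE or entity declaration.

    Well-formedness errors surface as xml.parsers.expat.ExpatError, so a
    malformed body is also stopped here rather than downstream.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires as soon as <!DOCTYPE ...> is seen, before any entity in the
        # internal subset is declared, so this is the primary stop.
        raise UnsafeXmlError(f"DOCTYPE declaration ({name!r}) is not allowed")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # Belt and braces: an entity declaration cannot legally appear outside
        # a DOCTYPE, but refuse it explicitly anyway.
        kind = "external" if (sysid or pubid) else "internal"
        raise UnsafeXmlError(f"{kind} entity {name!r} is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_bytes, True)


def check_xog_request(xml_bytes: bytes) -> str:
    """Classify a request body: 'ok', 'dtd' (DOCTYPE/entity present) or
    'malformed'. Only 'ok' bodies should be forwarded to the XOG handler."""
    try:
        reject_dtd(xml_bytes)
    except UnsafeXmlError:
        return "dtd"
    except xml.parsers.expat.ExpatError:
        return "malformed"
    return "ok"


# Constructed sample bodies (not captured traffic). The benign one is loosely
# modelled on a XOG read request; the others are the shapes the page's
# detection section describes (DOCTYPE declarations, entity references).
BENIGN_REQUEST = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<NikuDataBus><Header version="15.3" action="read" objectType="project"/>'
    b'</NikuDataBus>'
)
EXTERNAL_ENTITY_REQUEST = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///placeholder-path">]>'
    b'<r>&ext;</r>'
)
EXTERNAL_DTD_REQUEST = b'<!DOCTYPE r SYSTEM "http://placeholder.invalid/x.dtd"><r/>'
INTERNAL_ENTITY_REQUEST = b'<!DOCTYPE r [<!ENTITY a "aaaa">]><r>&a;</r>'
UNDECLARED_ENTITY_REQUEST = b'<r>&nope;</r>'  # expat reports an undefined entity


if __name__ == "__main__":
    for label, body in [
        ("benign", BENIGN_REQUEST),
        ("external entity", EXTERNAL_ENTITY_REQUEST),
        ("external DTD", EXTERNAL_DTD_REQUEST),
        ("internal entity", INTERNAL_ENTITY_REQUEST),
        ("undeclared entity", UNDECLARED_ENTITY_REQUEST),
    ]:
        print(f"{label:18s} -> {check_xog_request(body)}")
```

Two points for anyone translating this to the Java side of CA PPM: setting `javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING` alone does not stop the JDK's built-in parsers from resolving external entities, so the JAXP equivalent of this gate is enabling the `http://apache.org/xml/features/disallow-doctype-decl` feature on the `DocumentBuilderFactory` or `SAXParserFactory`; and refusing the whole DOCTYPE (rather than only external entities) also closes entity-expansion denial of service, which the internal-entity sample above would otherwise pass.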
🔍 How to Verify
Check if Vulnerable:
Check the CA PPM version against the affected versions list. Test with XXE payloads targeting XOG endpoints if authorized.
Check Version:
Check the CA PPM administration console or consult CA documentation for version checking commands specific to your installation.
Verify Fix Applied:
Apply patches and test that XXE payloads no longer succeed. Verify version is updated beyond vulnerable ranges.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML requests to XOG endpoints
- Requests containing XML external entity declarations
- Outbound connections from CA PPM server to unexpected internal systems
Network Indicators:
- XML payloads with DOCTYPE declarations or external entity references sent to CA PPM
- Unusual outbound traffic patterns from CA PPM servers
SIEM Query:
source="CA_PPM" AND (message="*DOCTYPE*" OR message="*ENTITY*" OR message="*SYSTEM*")
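The SIEM query above fires on three bare substrings, and "SYSTEM" or "ENTITY" appears in plenty of ordinary log text, so an analyst will want the hits ranked. The following is an added example, not CA's code and not a real CA PPM log format: the sample lines, their key=value layout and the `uri=/xog` value are constructed placeholders, and `triage` is a hypothetical function name. It reproduces the query's logic and then separates the `<!ENTITY name SYSTEM|PUBLIC` shape that XXE actually needs from a DOCTYPE with only internal entities and from a marker word on its own.

```python
"""Triage of CA PPM log lines with the markers from the page's SIEM query.

Added example with constructed log lines; the log format here is not CA PPM's.
"""
import re
from dataclasses import dataclass

# Same three substrings the page's SIEM query ORs together.
SIEM_MARKERS = ("DOCTYPE", "ENTITY", "SYSTEM")

# External general or parameter entity declaration: the XXE shape.
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.I)
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)


@dataclass
class Hit:
    line_no: int
    severity: str   # "high": external entity, "medium": DOCTYPE only, "low": bare marker
    markers: tuple  # which SIEM markers matched, for the analyst's reference


def triage(log_lines):
    """Return one Hit per CA_PPM line the SIEM query would match, with a severity."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        if not line.startswith("source=CA_PPM "):   # the query's source filter
            continue
        upper = line.upper()
        markers = tuple(m for m in SIEM_MARKERS if m in upper)
        if not markers:                              # the query would not fire
            continue
        if EXTERNAL_ENTITY_RE.search(line):
            severity = "high"     # external entity declared: XXE / SSRF shape
        elif DOCTYPE_RE.search(line):
            severity = "medium"   # DTD present without external entity (e.g. expansion)
        else:
            severity = "low"      # marker word only; usually ordinary log text
        hits.append(Hit(line_no, severity, markers))
    return hits


# Constructed log lines (not real CA PPM output). Line 1 carries an external
# entity, line 2 is a benign XOG body, line 3 is the "SYSTEM" false positive,
# line 4 is from another source, line 5 declares only an internal entity.
SAMPLE_LOGS = [
    'source=CA_PPM uri=/xog msg=POST body: <?xml version="1.0"?>'
    '<!DOCTYPE r [<!ENTITY e SYSTEM "http://placeholder.invalid/">]><r>&e;</r>',
    'source=CA_PPM uri=/xog msg=POST body: <NikuDataBus><Header version="15.3" '
    'action="read" objectType="project"/></NikuDataBus>',
    'source=CA_PPM uri=/app msg=Scheduled job run by SYSTEM user',
    'source=OTHER_APP msg=GET / served <!DOCTYPE html>',
    'source=CA_PPM uri=/xog msg=POST body: <!DOCTYPE r [<!ENTITY a "aaaa">]><r>&a;</r>',
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.severity:6s} markers={hit.markers}")
```

Run against the constructed lines, line 1 ranks high, line 5 medium and line 3 low, while lines 2 and 4 produce no hit; the same split can be expressed in the SIEM itself by adding a regex clause for `<!ENTITY\s+\S+\s+(SYSTEM|PUBLIC)` to the query on the page.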
🔗 References
- http://www.securityfocus.com/bid/105297
- https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180829-01--security-notice-for-ca-ppm.html