CVE-2019-13656

9.8 CRITICAL

📋 TL;DR

This is a critical remote code execution vulnerability in CA Common Services Distributed Intelligence Architecture (DIA), the shared component that ships with CA Client Automation 14 and CA Workload Automation AE 11.3.5 through 11.3.6. An unauthenticated remote attacker who can reach the DIA service can execute arbitrary code on the affected host.

💻 Affected Systems

Products:
  • CA Client Automation
  • CA Workload Automation AE
Versions: CA Client Automation 14, CA Workload Automation AE 11.3.5, 11.3.6
Operating Systems: Windows, Linux (where CA software is installed)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires CA Common Services DIA component to be installed and running. The vulnerability is in the DIA service itself.

📦 What is this software?

CA Common Services Distributed Intelligence Architecture (DIA) is a shared communication component that ships with several CA products, including CA Client Automation and CA Workload Automation AE, and runs as its own network service on the hosts where those products are installed.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise leading to data theft, ransomware deployment, lateral movement across the network, and persistent backdoor installation.

🟠

Likely Case

Initial foothold for attackers to establish persistence, steal credentials, and move laterally within the network environment.

🟢

If Mitigated

Limited impact if network segmentation and access controls keep untrusted hosts from reaching the DIA listener, since the attacker then has no path to the vulnerable service.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication, making internet-facing systems immediate targets.
🏢 Internal Only: HIGH - Even internally, any system with the vulnerable service exposed on the network can be compromised by attackers who gain internal access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available, making this easily weaponizable. The vulnerability requires no authentication and has low technical barriers to exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch: apply the product-specific fixes published with Broadcom/CA security notice CA20190904-01 (the notice lists the fix for each affected product)

Vendor Advisory: https://casupport.broadcom.com/us/product-content/recommended-reading/security-notices/CA20190904-01--security-notice-for-ca-common-services-distributed-intelligence-architecture-dia.html

Restart Required: Yes

Instructions:

1. Download the patch for your product from the Broadcom support portal, as listed in CA20190904-01.
2. Stop all CA services on the host.
3. Apply the patch according to the vendor instructions.
4. Restart the CA services.
5. Verify that the patch is installed and that the DIA service came back at the fixed version.

🔧 Temporary Workarounds

Network Access Control

Platforms: all

Restrict network access to the CA DIA service ports (5250/tcp and 5251/tcp as listed here; confirm the ports in your own DIA configuration) with host or network firewall rules. A blanket block also cuts off the CA managers that legitimately talk to DIA, so allow the known manager addresses first and drop everything else.

# Windows (blocks all peers; Windows evaluates block rules before allow rules, so to keep manager access edit the remoteip scope of the existing DIA allow rule instead of adding this block):
# Windows: netsh advfirewall firewall add rule name="Block CA DIA" dir=in action=block protocol=TCP localport=5250,5251
# Linux: insert the DROP first, then the ACCEPT above it so the manager (10.0.1.10 is a placeholder address) is matched before the drop; rules added this way do not survive a reboot unless saved
# Linux: iptables -I INPUT 1 -p tcp --dport 5250:5251 -j DROP
# Linux: iptables -I INPUT 1 -p tcp -s 10.0.1.10 --dport 5250:5251 -j ACCEPT

Service Disablement

Platforms: all

Temporarily disable the CA Common Services DIA service if it is not required. The service and unit names below are placeholders: confirm the real name with sc query type= service state= all (Windows) or systemctl list-units --type=service (Linux) before stopping anything, and expect the CA product's management functions on that host to stop working while DIA is down.

# Windows: sc stop "CA Common Services DIA" && sc config "CA Common Services DIA" start= disabled
# Linux: systemctl stop ca-dia && systemctl disable ca-dia

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected systems from untrusted networks
  • Deploy host-based intrusion prevention systems (HIPS) to detect and block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

A listening socket on the DIA ports shows that the service is up, but not which version is installed, so do both checks. Listener: netstat -an | findstr :5250 on Windows, or ss -tlnp | grep :5250 on Linux (run as root so -p can show the owning process). Version: compare the installed CA product and DIA build against the affected ranges above and the fixed levels in the notice.

Check Version:

# Windows: sc query "CA Common Services DIA" | findstr STATE   (shows service state only; replace the name with the one sc query lists on your host)
# Version: read the CA product and DIA build from Programs and Features or the installation directory, and compare with the fixed levels in CA20190904-01

Verify Fix Applied:

Confirm that the installed DIA build is at or above the fixed level given in CA20190904-01 (CA management console or the installation directory), that the DIA service restarted after the patch, and that the listener is reachable only from the expected manager addresses. There is no safe way to test the vulnerability from outside short of running the exploit, so rely on version and exposure checks rather than probing.
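An added example, not from the original page or from CA/Broadcom, for the reachability side of the checks above: run it from the network segment you are worried about (a workstation VLAN, a DMZ host) to confirm whether that segment can still reach the DIA listener, before and after the firewall workaround or the patch. The port numbers are the ones listed on this page and are an assumption to confirm against your deployment; a completed TCP handshake only proves something is listening, not which version is installed.

```python
"""Reachability check for the CA DIA listener ports.

The ports are the defaults listed on this page (assumption: confirm them
in your own DIA configuration). The check runs from whatever host you
execute it on, which is the point: probe from an untrusted segment.
"""
import socket
from typing import Dict, Iterable

DIA_PORTS = (5250, 5251)  # from the page; adjust if your DIA uses other ports


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to host:port completes within timeout.

    A completed handshake means something is listening and reachable from
    this vantage point; it does not by itself prove the listener is DIA.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposure_report(host: str, ports: Iterable[int] = DIA_PORTS,
                    timeout: float = 2.0) -> Dict[str, object]:
    """Probe each port from this host and summarise the result.

    A 'reachable' verdict from a segment that should not reach DIA means
    the firewall workaround is not in place for that path.
    """
    status = {port: port_open(host, port, timeout) for port in ports}
    reachable = [p for p, up in status.items() if up]
    return {
        "host": host,
        "ports": status,
        "reachable": reachable,
        "verdict": "reachable" if reachable else "not reachable",
    }


if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(json.dumps(exposure_report(target), indent=2))
```

Run it once per segment and keep the output with the change ticket; a "not reachable" verdict from every untrusted segment is the evidence that the Network Access Control workaround actually holds.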

📡 Detection & Monitoring

Log Indicators:

  • Process creation with the DIA service process as parent, especially shells, script hosts or download utilities
  • Failed authentication attempts to CA services (a weak signal here, since the exploit itself needs no credentials)
  • Unexpected inbound connections to port 5250/5251 from hosts that are not CA managers

Network Indicators:

  • Unusual traffic patterns to/from port 5250 or 5251
  • Malformed packets targeting CA DIA service
  • Command and control traffic originating from CA-managed systems

SIEM Query:

source="*ca*" AND (port=5250 OR port=5251) AND (event_type="process_creation" OR event_type="network_connection")

(pseudo-query: the field names are placeholders to map onto your SIEM's schema, and the source filter should be narrowed to the DIA hosts and the ports actually in use)
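An added example, not from the page or the vendor, that turns the first and third log indicators and the SIEM query above into checkable logic over sample events: it flags inbound connections to the DIA ports from hosts outside a manager allow-list, and shells or script hosts whose parent process is the DIA service. The event line format, the manager addresses, the DIA image name dia.exe and the sample lines are constructed for the example; the ports are the ones listed on this page.

```python
"""Triage the DIA log and network indicators over sample events.

Assumptions (not from the page): the event format below, the manager
allow-list and the DIA service image name 'dia.exe' are placeholders.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

DIA_PORTS: Set[int] = {5250, 5251}                         # from the page; confirm locally
KNOWN_DIA_PEERS: Set[str] = {"10.0.1.10", "10.0.1.11"}     # placeholder CA manager addresses
DIA_IMAGES: Set[str] = {"dia.exe"}                          # placeholder DIA service image name
# A messaging service has no business spawning any of these.
SUSPICIOUS_CHILDREN: Set[str] = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "certutil.exe", "sh", "bash",
}

# Constructed event formats for this example (not real product logs):
#   net  <ts> src=<ip> dst=<ip> dport=<port>
#   proc <ts> host=<name> parent=<image path> child=<image path>
NET_RE = re.compile(r"^net\s+(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")
PROC_RE = re.compile(r"^proc\s+(?P<ts>\S+)\s+host=(?P<host>\S+)\s+parent=(?P<parent>\S+)\s+child=(?P<child>\S+)")


@dataclass
class Alert:
    ts: str
    rule: str
    detail: str


def _basename(image: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return image.lower().replace("\\", "/").rsplit("/", 1)[-1]


def analyse(lines: Iterable[str],
            known_peers: Set[str] = KNOWN_DIA_PEERS,
            dia_ports: Set[int] = DIA_PORTS,
            dia_images: Set[str] = DIA_IMAGES) -> List[Alert]:
    """Return one Alert per event matching either indicator, in input order."""
    alerts: List[Alert] = []
    for line in lines:
        m = NET_RE.match(line)
        if m:
            # Indicator: inbound DIA traffic from a host that is not a CA manager.
            if int(m["dport"]) in dia_ports and m["src"] not in known_peers:
                alerts.append(Alert(m["ts"], "dia-unexpected-source",
                                    f"{m['src']} -> {m['dst']}:{m['dport']}"))
            continue
        m = PROC_RE.match(line)
        if m and _basename(m["parent"]) in dia_images \
                and _basename(m["child"]) in SUSPICIOUS_CHILDREN:
            # Indicator: the DIA service spawning a shell or script host.
            alerts.append(Alert(m["ts"], "dia-spawned-shell",
                                f"{m['host']}: {_basename(m['parent'])} -> {_basename(m['child'])}"))
    return alerts


# Constructed sample events: a benign manager connection, a connection from
# an unknown host, an unrelated port, a shell spawned by DIA, and a benign
# DIA child process.
SAMPLE_EVENTS = [
    "net 2019-09-10T08:00:01Z src=10.0.1.10 dst=10.0.5.23 dport=5250",
    "net 2019-09-10T08:00:05Z src=192.168.77.4 dst=10.0.5.23 dport=5250",
    "net 2019-09-10T08:00:06Z src=192.168.77.4 dst=10.0.5.23 dport=443",
    r"proc 2019-09-10T08:00:07Z host=srv23 parent=C:\CA\DIA\dia.exe child=C:\Windows\System32\cmd.exe",
    r"proc 2019-09-10T08:00:09Z host=srv23 parent=C:\CA\DIA\dia.exe child=C:\CA\DIA\dia_worker.exe",
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert.ts, alert.rule, alert.detail)
```

Over the sample events the manager's own connection and the DIA worker child are ignored, and only the unknown source on 5250 and the cmd.exe spawned by dia.exe produce alerts; the same two conditions are what the SIEM pseudo-query above should be narrowed to once the field names are mapped.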
