CVE-2020-29478
📋 TL;DR
CA Service Catalog versions 17.2 and 17.3 have a vulnerability in the default Setup Utility configuration that allows remote attackers to trigger a denial of service condition. This affects organizations using these specific versions of CA Service Catalog with the default configuration.
💻 Affected Systems
- CA Service Catalog
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability of CA Service Catalog, disrupting IT service management operations and potentially affecting dependent business processes.
Likely Case
Temporary service disruption requiring system restart or configuration changes to restore functionality.
If Mitigated
Minimal impact if proper network segmentation and access controls prevent unauthorized access to the Setup Utility.
🎯 Exploit Status
The vulnerability is in default configuration, suggesting straightforward exploitation by sending crafted requests to the Setup Utility.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply the security patch provided by Broadcom/CA
Vendor Advisory: https://support.broadcom.com/security-advisory/content/security-advisories/CA20201215-01-Security-Notice-for-CA-Service-Catalog/ESDSA16810
Restart Required: Yes
Instructions:
1. Download the security patch from the Broadcom support portal.
2. Apply the patch following the vendor instructions.
3. Restart the CA Service Catalog services.
4. Verify the fix by checking the version and testing the Setup Utility.
🔧 Temporary Workarounds
Restrict Network Access to Setup Utility
Configure firewall rules to limit access to the Setup Utility port to trusted administrative networks only.
# Example iptables rules for Linux: accept the trusted source first, then drop all other traffic to the port
# (the ACCEPT rule on its own restricts nothing unless the chain policy is already DROP)
iptables -A INPUT -p tcp --dport [SetupUtilityPort] -s [TrustedIP] -j ACCEPT
iptables -A INPUT -p tcp --dport [SetupUtilityPort] -j DROP
# Example Windows Firewall (PowerShell): block all inbound access to the Setup Utility port
New-NetFirewallRule -DisplayName "Block CA Setup Utility" -Direction Inbound -Protocol TCP -LocalPort [SetupUtilityPort] -Action Block
Disable Setup Utility if Not Needed
Temporarily disable the Setup Utility service if it is not required for ongoing operations.
# Linux (systemd):
systemctl stop [SetupUtilityServiceName]
# Windows (PowerShell):
Stop-Service -Name [SetupUtilityServiceName]
🧯 If You Can't Patch
- Implement strict network segmentation to isolate CA Service Catalog from untrusted networks.
- Monitor Setup Utility access logs for unusual activity and set up alerts for DoS attempts.
🔍 How to Verify
Check if Vulnerable:
Check if running CA Service Catalog version 17.2 or 17.3 and verify if Setup Utility is accessible remotely with default configuration.
Check Version:
Check CA Service Catalog administration console or configuration files for version information.
Verify Fix Applied:
After patching, confirm version is updated and test that the Setup Utility no longer accepts malicious requests causing DoS.
📡 Detection & Monitoring
Log Indicators:
- Unusually high volume of requests to the Setup Utility endpoint
- Error logs indicating service crashes or restarts
- Failed authentication attempts to Setup Utility if authentication is enabled
Network Indicators:
- Spike in traffic to Setup Utility port
- Requests with malformed payloads targeting Setup Utility
SIEM Query:
source="CA_Service_Catalog" AND (event_type="DoS" OR error_code="service_unavailable")
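The log and network indicators above (a burst of requests to the Setup Utility from one source, followed by service-unavailable errors) can be checked outside a SIEM with a small script. The following is an added example, not code from the advisory or from Broadcom/CA: it assumes a hypothetical access-log line shape (ISO timestamp, source IP, quoted request line, HTTP status) and a hypothetical Setup Utility path prefix `/setup`; both must be adapted to the real log format and path of the deployment. The sample log lines are constructed in the code.

```python
"""Added example: sliding-window request-rate detection over constructed log lines.

Assumptions (not taken from the advisory): the Setup Utility is reached under
the URL prefix SETUP_PATH_PREFIX, and access logs look like
  <ISO timestamp> <source IP> "<METHOD> <path>" <status>
Adapt LINE_RE and SETUP_PATH_PREFIX to the real deployment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

SETUP_PATH_PREFIX = "/setup"      # hypothetical path; replace with the real Setup Utility path
WINDOW = timedelta(seconds=60)    # length of the sliding window
THRESHOLD = 20                    # requests from one source inside a window that raise an alert

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) '
    r'(?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)


def build_sample_log():
    """Constructed sample: one noisy source, one quiet administrator, and two
    503 responses after the burst (the 'service crash/restart' indicator)."""
    base = datetime(2021, 1, 15, 10, 0, 0)
    lines = []
    # 25 requests in under 50 seconds from a single source to the Setup Utility
    for i in range(25):
        ts = (base + timedelta(seconds=2 * i)).isoformat(timespec="seconds")
        lines.append(f'{ts} 203.0.113.5 "POST {SETUP_PATH_PREFIX}/config" 200')
    # three requests ten minutes apart from an administrator: normal usage
    for i in range(3):
        ts = (base + timedelta(minutes=10 * i)).isoformat(timespec="seconds")
        lines.append(f'{ts} 198.51.100.7 "GET {SETUP_PATH_PREFIX}/status" 200')
    # two service-unavailable responses right after the burst
    for i in range(2):
        ts = (base + timedelta(seconds=60 + i)).isoformat(timespec="seconds")
        lines.append(f'{ts} 203.0.113.5 "POST {SETUP_PATH_PREFIX}/config" 503')
    return lines


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def bursty_sources(lines, prefix=SETUP_PATH_PREFIX, window=WINDOW, threshold=THRESHOLD):
    """Return {source: peak count} for every source whose number of Setup Utility
    requests inside any sliding window reached the threshold."""
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"])
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peaks = {}
    for rec in records:
        if not rec["path"].startswith(prefix):
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # evict timestamps older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[rec["src"]] = max(peaks.get(rec["src"], 0), len(q))
    return peaks


def service_unavailable_events(lines):
    """Return the timestamps of HTTP 503 responses, which on this page map to the
    'error logs indicating service crashes or restarts' indicator."""
    return [r["ts"].isoformat() for r in filter(None, map(parse_line, lines)) if r["status"] == 503]


if __name__ == "__main__":
    sample = build_sample_log()
    print("sources exceeding the request threshold:", bursty_sources(sample))
    print("503 responses:", service_unavailable_events(sample))
```

Running the script on the constructed sample flags only `203.0.113.5` (26 requests inside one 60-second window) and lists the two 503 responses; the administrator's three spaced-out requests stay below the threshold. The threshold and window should be tuned against the normal request rate of the installation before the check is wired into an alert.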