CVE-2020-8010

9.8 CRITICAL

📋 TL;DR

CVE-2020-8010 is a critical vulnerability in CA Unified Infrastructure Management (Nimsoft/UIM) that allows remote attackers to execute arbitrary commands, read files, or write to the target system due to improper ACL handling in the robot controller component. This affects organizations running vulnerable versions of CA UIM for infrastructure monitoring and management.

💻 Affected Systems

Products:
  • CA Unified Infrastructure Management
  • Nimsoft
  • UIM
Versions: 9.20 and below, 20.1, 20.3.x
Operating Systems: All supported platforms (Windows, Linux, Unix)
Default Config Vulnerable: ⚠️ Yes
Notes: The robot controller component is vulnerable in default configurations. All deployments with affected versions are at risk.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with remote code execution leading to data theft, ransomware deployment, or lateral movement across the network.

🟠 Likely Case

Unauthorized access to sensitive monitoring data, system configuration manipulation, or deployment of malware on affected systems.

🟢 If Mitigated

Limited impact through network segmentation and strict access controls, though the vulnerability remains present.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication, making internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows attackers with network access to compromise systems without credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code exists in Packet Storm Security references. The vulnerability requires no authentication and has low exploitation complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 9.20, 20.1, and 20.3.x - consult Broadcom advisory for specific fixed versions

Vendor Advisory: https://support.broadcom.com/external/content/security-advisories/CA20200205-01-Security-Notice-for-CA-Unified-Infrastructure-Management/7832

Restart Required: Yes

Instructions:

1. Review Broadcom security advisory CA20200205-01.
2. Download and apply the latest patches from the Broadcom support portal.
3. Restart affected UIM services.
4. Verify patch installation and functionality.

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Restrict network access to UIM robot controller ports to only trusted management networks

# Linux (firewalld): accept the robot controller port range only from the trusted management network.
# Unmatched traffic falls through to the zone default (reject on the public zone), so make sure the
# ports are not also opened zone-wide. Replace TRUSTED_NETWORK with your management CIDR (e.g. 10.0.5.0/24).
firewall-cmd --permanent --remove-port=48000-48099/tcp
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_NETWORK" port port="48000-48099" protocol="tcp" accept'
firewall-cmd --reload

# Windows: block rules win over allow rules in Windows Firewall, so a block with remoteip=any would also
# cut off the management network. Instead rely on the default inbound block and add a single allow rule
# scoped to the trusted network; remove any broader allow rule for these ports.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name="UIM Robot (trusted mgmt only)" dir=in action=allow protocol=TCP localport=48000-48099 remoteip=TRUSTED_NETWORK

Service Account Hardening

Platform: all

Run UIM services with minimal privileges and implement strict service account controls

# Linux/Unix: owner (root) full access, the robot's group read/execute, nothing for others
chmod 750 /opt/nimsoft/bin/nimbus

# Windows: denying Everyone (RX) would also deny the service account and break the robot.
# Instead strip inherited ACEs and grant only SYSTEM, Administrators and the account the robot runs under.
# UIM_SERVICE_ACCOUNT is a placeholder for that account.
icacls "C:\Program Files\Nimsoft\bin\nimbus.exe" /inheritance:r /grant:r "SYSTEM:(RX)" "Administrators:(F)" "UIM_SERVICE_ACCOUNT:(RX)"

🧯 If You Can't Patch

  • Isolate vulnerable systems in a dedicated VLAN with strict firewall rules allowing only necessary traffic
  • Implement network monitoring and intrusion detection specifically for UIM robot controller traffic on ports 48000-48099

🔍 How to Verify

Check if Vulnerable:

Check UIM version using 'nimconfig -v' or review installation directory version files. Compare against affected versions: 9.20 and below, 20.1, 20.3.x

Check Version:

nimconfig -v  (Linux/Unix) or check version in C:\Program Files\Nimsoft\version.txt (Windows)

Verify Fix Applied:

Verify patch installation by checking version is above affected ranges and testing robot controller functionality

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized connection attempts to robot controller ports (48000-48099)
  • Unusual process execution from UIM service accounts
  • Failed authentication attempts followed by successful command execution

Network Indicators:

  • Unexpected network traffic to/from UIM robot controller ports
  • Suspicious command and control traffic originating from UIM systems

SIEM Query:

source="uim_logs" AND (
  (event_type="connection" AND dest_port>=48000 AND dest_port<=48099 AND NOT src_ip IN (trusted_ips))
  OR
  ((process_execution="cmd.exe" OR process_execution="/bin/bash") AND parent_process="nimbus")
)
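The two indicators above (connections to the robot controller port range from outside the trusted management network, and shells spawned by the nimbus process) can be checked offline against exported logs. The script below is an added example, not part of this advisory or of CA UIM; the log line format, the trusted network 10.0.5.0/24 and the sample lines are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample log lines (not real UIM output); format is assumed for this example.
SAMPLE_CONN_LOGS = """\
2024-01-01T10:00:01Z conn src=10.0.5.20 dst=10.0.1.10 dport=48000
2024-01-01T10:00:02Z conn src=203.0.113.7 dst=10.0.1.10 dport=48000
2024-01-01T10:00:03Z conn src=10.0.5.21 dst=10.0.1.10 dport=48002
2024-01-01T10:00:04Z conn src=198.51.100.9 dst=10.0.1.10 dport=443
"""
SAMPLE_PROC_LOGS = """\
2024-01-01T10:00:05Z proc parent=nimbus child=/bin/bash user=root
2024-01-01T10:00:06Z proc parent=nimbus.exe child=cmd.exe user=SYSTEM
2024-01-01T10:00:07Z proc parent=sshd child=/bin/bash user=alice
"""

TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]   # assumed management network
ROBOT_PORTS = range(48000, 48100)                       # 48000-48099 per the advisory
ROBOT_PARENTS = {"nimbus", "nimbus.exe"}
SHELLS = {"cmd.exe", "/bin/bash", "/bin/sh", "powershell.exe"}

CONN_RE = re.compile(r"^(\S+) conn src=(\S+) dst=(\S+) dport=(\d+)$")
PROC_RE = re.compile(r"^(\S+) proc parent=(\S+) child=(\S+) user=(\S+)$")


def untrusted_robot_connections(log_text):
    """Return (ts, src, dst, dport) for connections to robot ports from outside TRUSTED_NETS."""
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        ts, src, dst, dport = m.groups()
        if int(dport) not in ROBOT_PORTS:
            continue
        src_ip = ipaddress.ip_address(src)
        if any(src_ip in net for net in TRUSTED_NETS):
            continue
        hits.append((ts, src, dst, int(dport)))
    return hits


def shells_spawned_by_nimbus(log_text):
    """Return (ts, child, user) for shell processes whose parent is the nimbus robot."""
    hits = []
    for line in log_text.splitlines():
        m = PROC_RE.match(line)
        if m and m.group(2) in ROBOT_PARENTS and m.group(3) in SHELLS:
            hits.append((m.group(1), m.group(3), m.group(4)))
    return hits
```

Adjust the regexes to your actual log export format; the port range and the parent/child process logic are the part that carries over.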
