CVE-2022-33750
📋 TL;DR
CVE-2022-33750 is an authentication bypass vulnerability in CA Automic Automation agents that allows remote attackers to execute arbitrary commands without valid credentials. This affects organizations using CA Automic Automation 12.2 and 12.3 for workload automation. The vulnerability enables complete system compromise of affected automation servers.
💻 Affected Systems
- CA Automic Automation
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote unauthenticated attacker gains full control of the Automic agent system, enabling arbitrary command execution, data theft, lateral movement, and deployment of persistent malware.
Likely Case
Attackers exploit the vulnerability to execute commands on vulnerable agents, potentially compromising automation workflows, stealing credentials, and establishing footholds in the environment.
If Mitigated
With proper network segmentation and access controls, impact is limited to the isolated automation environment, preventing lateral movement to critical systems.
🎯 Exploit Status
The authentication bypass nature makes exploitation straightforward once the vulnerability details are understood. No public exploit code is known, but the vulnerability is easily weaponizable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply patches provided by Broadcom/CA
Vendor Advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/20629
Restart Required: Yes
Instructions:
1. Download the security patch from the Broadcom support portal.
2. Apply the patch to all affected Automic Automation installations.
3. Restart all Automic agents and services.
4. Verify patch application and functionality.
🔧 Temporary Workarounds
Network Segmentation
Isolate Automic Automation systems from untrusted networks and limit access to trusted management IPs only.
Use firewall rules to restrict access to Automic agent ports (default 2210/TCP) to trusted management networks only.
Access Control Lists
Implement network-level access controls to restrict which systems can communicate with Automic agents.
Configure firewall/ACL rules on the agent host (replace trusted_network with your management network range; the ACCEPT rule must come before the DROP rule, since iptables evaluates rules in order):
iptables -A INPUT -p tcp --dport 2210 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 2210 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Automic systems from untrusted networks
- Deploy host-based firewalls to restrict inbound connections to Automic agent ports
🔍 How to Verify
Check if Vulnerable:
Check Automic Automation version via administrative console or by examining installed software version. Versions 12.2 and 12.3 are vulnerable.
Check Version:
Check version via Automic administrative interface or examine installation directory version files.
Verify Fix Applied:
Verify patch application through administrative console or by checking version information post-patching. Ensure no unauthorized connections to agent ports.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized connection attempts to Automic agent ports (default 2210)
- Unusual command execution patterns in Automic logs
- Authentication bypass attempts in agent logs
Network Indicators:
- Unexpected network connections to port 2210/TCP from untrusted sources
- Unusual outbound connections from Automic agents
SIEM Query:
(dest_port:2210 AND (src_ip NOT IN trusted_networks)) OR (automic.agent.auth_bypass_detected)
The agent listens on 2210, so inbound connection attempts carry it as the destination port; field names are placeholders to map onto your SIEM schema.
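The network indicator above, as an added Python example that is not part of the original page: it scans constructed flow records (the key=value format and the TRUSTED_NETWORKS ranges are assumptions, not Automic or firewall output) for TCP connections to the agent port from outside the trusted management networks, matching on the destination port so the agent's own return traffic is not flagged.

```python
import ipaddress

AGENT_PORT = 2210  # default Automic agent port named in the advisory summary

# Constructed allowlist of management networks (placeholders for your own ranges).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Constructed flow records in a simple key=value format; 10.20.0.x are the agents.
SAMPLE_FLOWS = """\
ts=2024-01-01T10:00:01Z src=10.10.0.5 spt=51022 dst=10.20.0.11 dpt=2210 proto=tcp action=accept
ts=2024-01-01T10:00:03Z src=203.0.113.77 spt=40001 dst=10.20.0.11 dpt=2210 proto=tcp action=accept
ts=2024-01-01T10:00:04Z src=10.20.0.11 spt=2210 dst=10.10.0.5 dpt=51022 proto=tcp action=accept
ts=2024-01-01T10:00:07Z src=198.51.100.9 spt=44120 dst=10.20.0.11 dpt=443 proto=tcp action=accept
ts=2024-01-01T10:00:09Z src=192.168.50.3 spt=38888 dst=10.20.0.12 dpt=2210 proto=tcp action=accept
"""


def parse_flow(line):
    """Split one 'key=value key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_trusted(ip):
    """True if the address falls inside one of the trusted management networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_untrusted_agent_connections(text, port=AGENT_PORT):
    """Return (ts, src, dst) for TCP flows to the agent port from untrusted sources.

    The match is on the destination port: the agent listens on 2210, so a new
    inbound connection has dpt=2210. A record with spt=2210 is the agent's reply
    leg of an established session and is deliberately ignored.
    """
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f.get("proto") != "tcp" or int(f.get("dpt", 0)) != port:
            continue
        if not is_trusted(f["src"]):
            hits.append((f["ts"], f["src"], f["dst"]))
    return hits


if __name__ == "__main__":
    for ts, src, dst in find_untrusted_agent_connections(SAMPLE_FLOWS):
        print(f"{ts} untrusted source {src} connected to agent {dst}:{AGENT_PORT}")
```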