Can I access, configure or upgrade PAM or the underlying OS?

Article ID: 143290

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Can external access be given to PAM so we can patch, configure or upgrade it?

Environment

Release: Any supported PAM release as of Sep 2022

Component: PRIVILEGED ACCESS MANAGEMENT

Cause

Internal auditors want to know what version the OS is and whether it can be externally patched or upgraded.

Resolution

PAM releases supported as of Sep 2022 (4.0.0-4.1.1) run on a heavily customized Debian 9 (stretch) release with a custom 4.14 kernel. Most vulnerabilities that may affect Debian 9 in general do not affect PAM.
 
PAM is a closed appliance, accessible by users only through the HTTPS web service. We cannot allow SSH access by PAM admins or a Services team.
 
If Support decides in the context of an open case that SSH access is warranted, Support can provide the following during a remote session:
  • An SSH Debug Patch, which can be applied at any time without interrupting user activity
  • An SSH Private Key file for use with a PuTTY client
  • Activate "Remote CA PAM Debugging Services" on the Configuration > Diagnostics > System page.
  • Use a PuTTY client to connect to the PAM appliance with the private key.
  • Support will have to take control of the remote session. In addition to the private key, a passphrase is required, which Support cannot share with anyone outside of the PAM Support team.
  • Once all work is completed, Support exits out of the PuTTY session.
  • "Remote CA PAM Debugging Services" can be turned off to close the SSH port, if preferred.

Additional Information

Any vulnerability found in PAM is addressed with the highest priority and will be included in hotfixes or maintenance releases as applicable. If your internal security department thinks that there is a vulnerability in our appliance, please open a support ticket and supply us with the details.

Product Management plans to upgrade the PAM operating system from Debian 9 to Debian 12, but it is not yet known which version of PAM will include this upgrade (as of Sep 2022).