A security issue has been fixed between the Automation Engine and the Servicemanager. (AE-26648) in 12.3.6 HF2. What is the impact of this bug?

Article ID: 224476

Products

CA Automic One Automation

Issue/Introduction

AE v12.3.6 HF2 includes a fix for a bug related to the Service Manager

A security issue has been fixed between the Automation Engine and the Servicemanager. (AE-26648)

What is the impact of this bug?

Environment

Release : 12.3.6

Component : Automation Engine

Resolution

This problem came to light when a client ran penetration tests against Service Manager 12.3.3 (and 12.2.2) and worked out how the AE authenticates its connection to the Service Manager: it uses an undocumented password parameter whose value is a timestamp.

This can be done by the user directly by using a timestamp via CLI as well:

UCYBSMCl.exe -c GET_PROCESS_LIST -h FE0VM1134 -n AE12EUP5 -p $((GetDate).ToUniversalTime().ToString("yyyMMdd$([char]0x01)HHmmss"))

So the user can basically authenticate without a password.
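As an added example that is not part of this article or of the Automic product, the following Python check lets a defender scan captured Service Manager connection attempts for credentials that are clock-derived tokens of the kind described above (UTC date, a 0x01 separator byte, UTC time) rather than a configured secret; the eight-digit date / six-digit time layout, the five-minute skew window and the sample records are assumptions.

```python
import re
from datetime import datetime, timezone

# Assumed layout of the undocumented timestamp "password":
# UTC date, a 0x01 separator byte, then UTC time (yyyyMMdd<0x01>HHmmss).
TIMESTAMP_TOKEN = re.compile(r"^(\d{8})\x01(\d{6})$")


def is_timestamp_token(password: str, now: datetime, tolerance_s: int = 300) -> bool:
    """True when the supplied 'password' is a clock-derived token.

    `now` is the reference UTC time (use datetime.now(timezone.utc) live);
    `tolerance_s` is the clock skew accepted before a stamp is treated as stale.
    """
    m = TIMESTAMP_TOKEN.match(password)
    if not m:
        return False
    try:
        stamp = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
    except ValueError:  # fourteen digits that are not a real date/time
        return False
    stamp = stamp.replace(tzinfo=timezone.utc)
    return abs((now - stamp).total_seconds()) <= tolerance_s


def flag_connections(records, now: datetime, tolerance_s: int = 300):
    """records: iterable of (client, password) pairs taken from whatever audit
    source is available (constructed below). Returns the clients that
    authenticated with a timestamp token instead of a real secret."""
    return [client for client, pw in records if is_timestamp_token(pw, now, tolerance_s)]


# Constructed sample data: a real passphrase, a fresh timestamp token minted
# twelve seconds after the reference time, and a stale token from six hours earlier.
REFERENCE_NOW = datetime(2021, 3, 4, 15, 30, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    ("host-a", "S3cr3t!Passphrase"),
    ("host-b", "20210304\x01153012"),
    ("host-c", "20210304\x01093000"),
]

if __name__ == "__main__":
    print(flag_connections(SAMPLE_RECORDS, REFERENCE_NOW))  # ['host-b']
```

The same check doubles as a regression test after applying 12.3.6 HF2: a patched Service Manager should reject a token that this function flags.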

Closing this hole required changes to both the Service Manager (SMGR) and the AE, together with a way to manage passwords. It is resolved in AE-26648.