VYPR
Unrated severity · NVD Advisory · Published Jun 18, 2018 · Updated Sep 16, 2024

CVE-2018-9024

Description

An improper authentication vulnerability in CA Privileged Access Manager 2.x allows attackers to spoof IP addresses in a log file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An improper authentication vulnerability in CA Privileged Access Manager 2.x allows remote attackers to spoof IP addresses in log files, enabling masquerading as another machine.

Vulnerability

CVE-2018-9024 is an improper authentication vulnerability in CA Privileged Access Manager (PAM) versions 2.x. The flaw resides in the log handling mechanism, where the application fails to properly authenticate the source of IP address data. This allows a remote attacker to inject spoofed IP addresses into log entries. Affected versions include all CA PAM 2.x releases prior to the patch released in June 2018.

Exploitation

An attacker with network access to the CA PAM management interface can craft requests with arbitrary IP address values in certain fields. The application logs these values without proper validation or authentication of the source, leading to spoofed IP addresses in the log files. The attack does not require prior authentication or user interaction, as the vulnerability exists in the logging logic invoked during standard network communication.

Impact

Successful exploitation allows a remote attacker to masquerade as another machine by injecting fake IP addresses into the log files. This can mislead administrators or automated monitoring systems, potentially obscuring unauthorized access or causing incorrect attribution of actions. The impact is limited to log integrity, with no direct access to sensitive data or system commands. The CVSS score of 3.5 (low) reflects this: the vulnerability does not lead to direct system compromise.

Mitigation

CA Technologies released a security notice on June 14, 2018 [1], which includes patches for CA Privileged Access Manager 2.x. Users should update to the latest supported version to remediate this issue. No workarounds are documented, but verifying log consistency through additional monitoring may reduce the risk. The vulnerability is not listed on the CISA KEV.
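The "additional monitoring" suggested above can be made concrete with a log-consistency check. The script below is an added illustration, not code from CA Technologies or from this advisory: it assumes a hypothetical log format in which each entry records both the transport peer address the server actually saw and the address the client claimed, and it flags entries where the two disagree unless the peer is a configured reverse proxy. The sample log lines and the trusted-proxy address are constructed for the example.

```python
"""Flag log entries whose client-claimed IP address disagrees with the connection peer.

Added example, not CA PAM code. The log format below is hypothetical; the rule it
demonstrates is generic: a client-supplied address is only trusted when the TCP peer
that supplied it is a known reverse proxy, otherwise the peer address is authoritative.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log (hypothetical format): 'peer' is the socket address the
# server observed, 'claimed' is the address taken from a client-controlled field.
SAMPLE_LOG = """\
2018-06-14T10:00:01Z peer=10.0.0.5 claimed=10.0.0.5 user=admin action=login
2018-06-14T10:00:07Z peer=10.0.0.5 claimed=192.168.1.20 user=admin action=login
2018-06-14T10:00:09Z peer=10.0.0.250 claimed=172.16.4.9 user=ops action=view
2018-06-14T10:00:12Z peer=203.0.113.7 claimed=10.0.0.5 user=svc action=export
"""

# Reverse proxies that are allowed to report the original client address (assumed value).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.250")}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) peer=(?P<peer>\S+) claimed=(?P<claimed>\S+) "
    r"user=(?P<user>\S+) action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    peer: str
    claimed: str
    user: str
    reason: str


def parse_line(line):
    """Parse one hypothetical-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def check_entry(entry, trusted_proxies=TRUSTED_PROXIES):
    """Return a Finding when the claimed address must not be trusted, else None."""
    try:
        peer = ipaddress.ip_address(entry["peer"])
        claimed = ipaddress.ip_address(entry["claimed"])
    except ValueError:
        # Anything that is not a valid address is itself suspicious in this field.
        return Finding(entry["ts"], entry["peer"], entry["claimed"], entry["user"],
                       "unparseable address")
    if peer == claimed:
        return None
    if peer in trusted_proxies:
        return None  # a known proxy may legitimately report a different client address
    return Finding(entry["ts"], str(peer), str(claimed), entry["user"],
                   "claimed address differs from non-proxy peer")


def audit_log(text, trusted_proxies=TRUSTED_PROXIES):
    """Run check_entry over every parseable line and collect the findings."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = check_entry(entry, trusted_proxies)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"{f.timestamp} user={f.user} peer={f.peer} claimed={f.claimed}: {f.reason}")
```

On the constructed sample this reports the second and fourth lines, where a non-proxy peer claimed a different address; the third line passes because the peer is the configured proxy. The precondition for this kind of check is that the application writes the authenticated transport address next to any client-supplied one, which is also the underlying remediation for a spoofable log field.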

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0

No linked articles in our index yet.