VYPR
Unrated severity · NVD Advisory · Published Jun 18, 2018 · Updated Sep 16, 2024

CVE-2018-9028

Description

Weak cryptography used for passwords in CA Privileged Access Manager 2.x reduces the complexity for password cracking.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CA Privileged Access Manager 2.x uses weak cryptography for user passwords, which lowers the cost of brute-force cracking attacks and raises their chance of success.

Vulnerability

CA Privileged Access Manager (PAM) version 2.x suffers from a weak password storage algorithm (CVE-2018-9028). The use of a non-salted, non-iterated cryptographic hash makes stored password digests susceptible to offline brute-force and dictionary attacks [1]. No authentication or special configuration is required to exploit this weakness once an attacker has access to the password database or configuration file containing the hashes.

Exploitation

An attacker with access to the credential store (e.g., via a previous compromise, SQL injection, or configuration file read) can rapidly crack the weak hashes using commodity hardware and freely available cracking tools. No user interaction or network authentication is needed beyond that initial access [1].

Impact

Successful cracking of a weak password hash discloses the plaintext password for the associated account. If the cracked account has administrative or privileged access in PAM, the attacker can gain unauthorized control over privileged session management, vault credentials, and monitored systems, leading to a full compromise of the managed infrastructure [1].

Mitigation

CA Technologies released a fix as part of the CA Privileged Access Manager 2.8 update. The advisory recommends upgrading to the latest version to implement stronger cryptographic storage for passwords [1]. No workarounds are described for systems that cannot immediately upgrade.
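
The storage difference described in the Vulnerability and Mitigation sections, as an added example (not CA's code and not part of the advisory): an unsalted single-round hash beside a salted, iterated PBKDF2 record, plus an audit check that flags accounts sharing an identical stored digest. SHA-256, the record format, the iteration count and the sample accounts are assumptions, since the advisory names neither the algorithm PAM 2.x used nor its replacement.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware


def weak_digest(password: str) -> str:
    """Unsalted, single-round hash. SHA-256 is a stand-in; the advisory names no algorithm."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hardened_record(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated record: scheme$iterations$salt$derived_key (hypothetical format)."""
    salt = os.urandom(16)  # fresh random salt for every password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the key with the stored salt and cost, then compare in constant time."""
    scheme, iterations, salt_hex, key_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def shared_digests(store: dict[str, str]) -> list[list[str]]:
    """Audit check: accounts whose stored values are identical, a sign of unsalted hashing."""
    groups = defaultdict(list)
    for user, stored in store.items():
        groups[stored].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


# Constructed sample accounts; two of them reuse the same password.
SAMPLE = {"alice": "Winter2018!", "bob": "Winter2018!", "carol": "c0rrect-horse"}

if __name__ == "__main__":
    weak_store = {u: weak_digest(p) for u, p in SAMPLE.items()}
    strong_store = {u: hardened_record(p) for u, p in SAMPLE.items()}
    print("unsalted, shared digests:", shared_digests(weak_store))
    print("salted, shared digests:  ", shared_digests(strong_store))
    print("verify alice:", verify(SAMPLE["alice"], strong_store["alice"]))
```

With unsalted hashing, one cracked digest exposes every account that reuses the password; per-record salts remove that grouping and the iteration count raises the cost of each guess.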

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
