// For flags

CVE-2024-38499

Improper Privilege Management Vulnerability in CA Client Automation 14.5

Severity Score

7.3
*CVSS v4

Exploit Likelihood

< 1%
*EPSS

Affected Versions

1
*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

CA Client Automation (ITCM) allows non-admin/non-root users to encrypt a string using CAF CLI and SD_ACMD CLI. This would allow the non admin user to access the critical encryption keys which further causes the exploitation of stored credentials. This fix doesn't allow a non-admin/non-root user to execute "caf encrypt"/"sd_acmd encrypt" commands.

The desktop and server management solution Broadcom CA DSM stores some configuration data of its agent component locally on managed systems in encrypted form. The encrypted configuration data may include sensitive data like user credentials of service accounts. On a managed client system, low-privileged Windows users are able to extract the used cryptographic key material that is used for encrypting specific configuration data by exploiting a design security issue using the Common Application Framework (CAF) command line tool. Version 14.5.0.15 is affected.

*Credits: Matthias Deeg (e-mail: matthias.deeg@syss.de, Twitter/X: @matthiasdeeg)
CVSS Scores
Attack Vector
Local
Attack Complexity
High
Attack Requirements
Present
Privileges Required
Low
User Interaction
Active
System
Vulnerable | Subsequent
Confidentiality
High
High
Integrity
High
High
Availability
High
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2024-06-18 CVE Reserved
  • 2024-12-17 CVE Published
  • 2024-12-19 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-269: Improper Privilege Management
  • CWE-276: Incorrect Default Permissions
CAPEC
  • CAPEC-233: Privilege Escalation
Affected Vendors, Products, and Versions (1)