CA UniCenter Management Portal Username Enumeration Vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: CA UniCenter Management Portal Username Enumeration Vulnerability
- From: thomas adams <tgadams@xxxxxxxxxxxxx>
- Date: 21 Sep 2004 17:58:35 -0000
CA UniCenter Management Portal Username Enumeration Vulnerability
Package: CA UniCenter Management Portal
Vendor Web Site: http://www.ca.com
Versions: UniCenter Management Portal 2.0 and 3.1
Platform: Windows
Local: No
Remote: Yes
Fix Available: Yes
Advisory Author: Thomas Adams (tgadams@xxxxxxxxxxxxx)
Background:
From www.ca.com: "Unicenter Management Portal provides intuitive access to
enterprise management information, offering a personalized web interface for
various Unicenter management solutions. Security and administrative control are
provided through pre-defined workplaces. Filtered event notifications can be
customized to suit individual roles and responsibilities, for personalized
views tailored to your users' unique needs."
The portal provides a 'Forgot your Password?' link whose response differs
between valid and invalid usernames. Using a script, an attacker can quickly
enumerate users that have access to the web interface with the technique
below, which in turn facilitates brute-force attacks against the server.
Exploit:
Connect to the management portal (default port 8080). Choose the 'Forgot your
Password?' option. Enter a username, such as test. If the test account does not
exist, the following is displayed: "User not found: test". A legitimate account
produces a "Password has been sent" or "Email address not Found" message.
Vendor Response:
CA's recommendation was to disable the 'Forgot Password' feature. To disable
this option in the Portal, add the following line to the
[PORTAL_INSTALL]\properties\local.properties file:
show.passwords.in.api=false
You will need to restart the portal after manually editing the file.
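The following is an added illustration, not code from the advisory or from CA: it models the three distinguishable replies described above against a constructed account table, and beside it the hardened form an application developer would use if the feature had to stay enabled, where every outcome returns the same message. The user table, the `send_mail` placeholder and the uniform wording are assumptions.

```python
# Constructed account table standing in for the portal's user store.
# A value of None models an account that exists but has no e-mail address,
# which is what produces the advisory's "Email address not Found" reply.
USERS = {
    "alice": "alice@example.com",  # constructed
    "bob": None,                   # constructed: account without an address
}


def send_mail(address: str) -> None:
    """Placeholder for the portal's mail step (assumption, does nothing here)."""
    return None


def vulnerable_forgot_password(username: str) -> str:
    """Reproduces the three replies the advisory reports. Each branch
    returns different text, so the reply alone reveals whether the
    username is a real account."""
    if username not in USERS:
        return f"User not found: {username}"
    if USERS[username] is None:
        return "Email address not Found"
    send_mail(USERS[username])
    return "Password has been sent"


UNIFORM_MESSAGE = ("If an account with that username and a registered "
                   "e-mail address exists, a password message has been sent.")


def hardened_forgot_password(username: str) -> str:
    """Same internal work, but every path returns UNIFORM_MESSAGE, so a
    client cannot tell a valid username from an invalid one by the reply.
    (Response timing should also be kept uniform; that is not modelled.)"""
    address = USERS.get(username)
    if address is not None:
        send_mail(address)
    return UNIFORM_MESSAGE


def distinguishable(handler, probes) -> bool:
    """True when the handler's replies differ across the probe usernames,
    i.e. the endpoint leaks account existence. Useful as a regression
    check for any self-service password endpoint."""
    return len({handler(u) for u in probes}) > 1
```

The `distinguishable` check is the property to assert in a test suite: a forgot-password handler passes only when valid, invalid and address-less usernames all yield the identical response.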