
List:       bugtraq
Subject:    ESA-2014-081 RSA® Identity Management and Governance Authentication Bypass Vulnerability
From:       Security Alert <Security_Alert@emc.com>
Date:       2014-08-26 16:31:16
Message-ID: 37F0BE0896DB1544B5BEFBE34F79D0534F9DAC9B@MX103CL01.corp.emc.com


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2014-081 RSA® Identity Management and Governance Authentication Bypass Vulnerability

EMC Identifier:  ESA-2014-081

CVE Identifier:  CVE-2014-4619

Severity Rating: CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Affected products:
RSA IMG versions 6.5.x and 6.8.x

Summary:
RSA Identity Management and Governance announces security fixes to address a potential authentication bypass vulnerability when NovellIM systems are used as the authentication source.

Details: 
RSA IMG systems configured with NovellIM as the authentication source may be subject to a potential authentication bypass vulnerability: the NovellIM authentication path does not require a password to authenticate legitimate users, so a valid user name alone is sufficient to log in. A malicious user with knowledge of a valid user name can leverage this vulnerability to perform operations with the privileges of that user, and because the actions are recorded under the impersonated account, can also cause audit-attribution problems.

This issue does not affect the built-in RSA Aveksa Administrator account or users authenticated via other authentication schemes.
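The advisory describes the effect (a known user name is enough to log in) but not the root cause. The following is an added example, not RSA's code and not a description of how the RSA IMG NovellIM integration was actually implemented: it models, against a constructed in-memory directory stub, the two ways an LDAP-style integration commonly ends up in that state (authenticating on account lookup alone, or trusting a bind result without noticing that an empty password produced an unauthenticated bind), next to a hardened login routine that refuses empty credentials and checks which identity the bind actually established. User names, DNs and passwords are constructed for the example.

```python
# Added example (not RSA's code). The directory below imitates the LDAP bind
# semantics relevant to this class of bug; its contents are constructed.
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def _h(password: str) -> bytes:
    # Stand-in for the server-side password verifier; not a real KDF.
    return hashlib.sha256(password.encode()).digest()


# Constructed directory contents (assumed, for the example only).
_DIRECTORY = {
    "cn=alice,ou=users,o=corp": _h("correct horse"),
    "cn=bob,ou=users,o=corp": _h("battery staple"),
}


@dataclass
class BindResult:
    dn: Optional[str]  # DN the connection is authenticated as; None = anonymous
    ok: bool           # whether the server accepted the bind operation


class DirectoryStub:
    """Imitates an LDAP directory (eDirectory/NovellIM-like) for this example."""

    def lookup(self, user: str) -> Optional[str]:
        dn = f"cn={user},ou=users,o=corp"
        return dn if dn in _DIRECTORY else None

    def bind(self, dn: str, password: str) -> BindResult:
        # RFC 4513 section 5.1.2: a DN with an empty password is an
        # *unauthenticated* bind. Servers that allow it report success but
        # leave the connection anonymous rather than bound as that DN.
        if password == "":
            return BindResult(dn=None, ok=True)
        stored = _DIRECTORY.get(dn)
        if stored is None or not hmac.compare_digest(stored, _h(password)):
            return BindResult(dn=None, ok=False)
        return BindResult(dn=dn, ok=True)


def login_lookup_only(d: DirectoryStub, user: str, password: str) -> Optional[str]:
    """Vulnerable pattern 1: account existence is treated as proof of identity.
    The password is never sent anywhere."""
    return user if d.lookup(user) else None


def login_bind_naive(d: DirectoryStub, user: str, password: str) -> Optional[str]:
    """Vulnerable pattern 2: binds, but trusts 'ok' without checking who the
    connection was bound as. An empty password passes (unauthenticated bind)."""
    dn = d.lookup(user)
    if dn is None:
        return None
    return user if d.bind(dn, password).ok else None


def login_hardened(d: DirectoryStub, user: str, password: str) -> Optional[str]:
    """Fixed: refuse empty credentials before contacting the directory, bind,
    and require the authenticated DN to be the account being logged in.
    The returned name is the identity the audit trail should attribute
    subsequent actions to."""
    if not user or not password:
        return None
    dn = d.lookup(user)
    if dn is None:
        return None
    result = d.bind(dn, password)
    if not result.ok or result.dn != dn:
        return None
    return user


if __name__ == "__main__":
    d = DirectoryStub()
    for fn in (login_lookup_only, login_bind_naive, login_hardened):
        print(fn.__name__, "alice/<empty> ->", fn(d, "alice", ""))
```

The hardened routine is the check to keep in mind when reviewing any external authentication source: a successful bind operation is not the same as a bind as the expected user, and an empty password must be rejected on the application side because the directory may accept it as anonymous.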

Resolution: 
The following versions of RSA IMG contain a resolution to this issue:
RSA IMG 6.5.1 P11 and later
RSA IMG 6.5.2 P02HF01 and later
RSA IMG 6.8.1 P07 and later

RSA strongly recommends that all customers using NovellIM-based authentication upgrade to one of the versions listed above at the earliest opportunity.


Accessing IMG Software and Documentation:

On an interim basis, as we transition to the use of SCOL, the IMG software and documentation are available on the RSA SFTP site: http://sftp.rsa.com/



Obtaining Documentation:
To obtain RSA documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose documentation you want to obtain. Scroll to the section for the product version that you want and click the set link.

Severity Rating:
For an explanation of Severity Ratings, refer to the Knowledge Base Article, “Security Advisories Severity Rating” at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA recommends that all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.

Obtaining More Information:
For more information about RSA products, visit the RSA web site at http://www.rsa.com.

Getting Support and Service:
For customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help & Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab.

General Customer Support Information:
http://www.emc.com/support/rsa/index.htm

RSA SecurCare Online:
https://knowledge.rsasecurity.com

EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details.
http://www.emc.com/support/rsa/eops/index.htm

SecurCare Online Security Advisories
RSA, The Security Division of EMC, distributes SCOL Security Advisories in order to bring to the attention of users of the affected RSA products important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

About RSA SecurCare Notes & Security Advisories Subscription
RSA SecurCare Notes & Security Advisories are targeted e-mail messages that RSA sends you based on the RSA product family you currently use. If you’d like to stop receiving RSA SecurCare Notes & Security Advisories, or if you’d like to change which RSA product family Notes & Security Advisories you currently receive, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the instructions on the page, remove the check mark next to the RSA product family whose Notes & Security Advisories you no longer want to receive. Click the Submit button to save your selection.

Sincerely,
RSA Customer Support
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAlP8tcwACgkQtjd2rKp+ALwlGQCeI5cH8HBFVJv9BUYsV5Ytl4XG
tOcAoLj0fPFUPV7y6sGnu0YyldGTh9hq
=6FY9
-----END PGP SIGNATURE-----
