
List:       full-disclosure
Subject:    [FD] ESA-2017-146: RSA® Authentication Agent SDK for C Error Handling Vulnerability
From:       EMC Product Security Response Center <Security_Alert@emc.com>
Date:       2017-11-27 17:04:36
Message-ID: 1BF8853173D9704A93EF882F85952A89372CEE@MX304CL04.corp.emc.com

ESA-2017-146: RSA® Authentication Agent SDK for C Error Handling Vulnerability

EMC Identifier:  ESA-2017-146
CVE Identifier:  CVE-2017-14378
 
Severity Rating: CVSS v3 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) (see note below)
 
Affected Products:
- RSA® Authentication Agent API 8.5 for C
- RSA® Authentication Agent SDK 8.6 for C
 
Summary:
A security vulnerability in RSA Authentication Agent API/SDK for C versions 8.5 and 8.6 could potentially lead to authentication bypass in certain limited implementations.

Details:
RSA Authentication Agent API/SDK 8.5/8.6 for C has an error handling flaw that could lead to authentication bypass in certain limited implementations. This issue will occur when the API/SDK is used in TCP asynchronous mode and return codes from the API/SDK are not handled properly by the application.

Implementations handling the API/SDK return codes appropriately (per coding guidelines documented in the RSA Authentication Agent API for C Developer's Guide) are not vulnerable. Refer to KB article 000035762 (https://community.rsa.com/docs/DOC-85061) for information on how to inspect your implementation and additional guidance on proper handling of API/SDK return codes.
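As an added illustration (not code from this advisory or from the RSA SDK), the C below shows the defect class the Details section describes, using hypothetical return codes and function names that are assumptions: a caller that treats every non-denial return code from an asynchronous check as success, beside a fail-closed handler and a bounded poll loop that grant access only on the explicit success code.

```c
#include <stdbool.h>

/* Hypothetical stand-in for an async agent API; names are assumptions, not the RSA API. */
typedef enum {
    AGENT_PENDING = 0,     /* async request still in flight: no verdict yet */
    AGENT_ACCESS_OK = 1,   /* the only value that means "authenticated" */
    AGENT_ACCESS_DENIED = 2,
    AGENT_NEXT_TOKEN = 3,  /* server is asking for another token code */
    AGENT_COMM_ERROR = -1  /* TCP failure, timeout, malformed reply, ... */
} agent_rc;

/* Vulnerable: anything that is not an explicit denial counts as success. */
bool grant_access_vulnerable(agent_rc rc) {
    return rc != AGENT_ACCESS_DENIED;
}

/* Hardened: fail closed; only the explicit success code grants access. */
bool grant_access_hardened(agent_rc rc) {
    switch (rc) {
    case AGENT_ACCESS_OK:
        return true;
    case AGENT_PENDING:      /* "not yet" is not "yes" */
    case AGENT_NEXT_TOKEN:   /* a challenge in progress is not authentication */
    case AGENT_ACCESS_DENIED:
    case AGENT_COMM_ERROR:
    default:                 /* unknown codes are denials too */
        return false;
    }
}

/* Poll an in-flight asynchronous check until a final verdict arrives or the
 * attempt budget runs out; running out of attempts is a denial, not a pass. */
bool authenticate_async(agent_rc (*poll)(void *ctx), void *ctx, int max_polls) {
    for (int i = 0; i < max_polls; i++) {
        agent_rc rc = poll(ctx);
        if (rc != AGENT_PENDING)
            return grant_access_hardened(rc);
    }
    return false;
}

/* Constructed replay of server replies so the logic can run offline. */
typedef struct { const agent_rc *replies; int n; int pos; } replay_t;
agent_rc replay_poll(void *ctx) {
    replay_t *r = ctx;
    if (r->pos >= r->n)
        return AGENT_COMM_ERROR;  /* script exhausted: treat as broken link */
    return r->replies[r->pos++];
}
```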
For clarification purposes, this issue does not impact:
- RSA Authentication Agent API/SDK for Java
- RSA Authentication Agent API for C versions prior to v8.5
- RSA Authentication Manager SDK and RSA SecurID® Mobile SDK.
 
Note: The CVSSv3 base score and vectors provided above are calculated based on maximum impact for vulnerable implementations. RSA recommends that all impacted customers take into account the base score (re-calculated for their own vulnerable implementation) and any temporal and/or environmental scores that may be relevant to their environment to assess their overall risk.

Recommendation:
The following releases contain resolution for this vulnerability:
- RSA Authentication Agent API 8.5.1 for C
- RSA Authentication Agent SDK 8.6.1 for C

RSA recommends all impacted customers upgrade at the earliest opportunity and/or ensure that their implementation of the API/SDK conforms to the coding guidelines documented in the RSA Authentication Agent API for C Developer's Guide. RSA Authentication Agent API/SDK downloads and documentation can be found at https://community.rsa.com/docs/DOC-40601#agents
Severity Rating:
For an explanation of Severity Ratings, refer to the Security Advisories Severity Rating knowledge base article (https://community.rsa.com/docs/DOC-47147). RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.

EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle (https://community.rsa.com/docs/DOC-40387) for additional details.
RSA Link Security Advisories:
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800-995-5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, Dell Technologies, distribute RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA, its affiliates or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
