RE: RSA Key Manager SQL injection Vulnerability ( CVE-2010-1904 )
- To: <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: RE: RSA Key Manager SQL injection Vulnerability ( CVE-2010-1904 )
- From: Kyle Quest <kyle.c.quest@xxxxxxxxxxx>
- Date: Tue, 8 Jun 2010 16:06:02 -0400
The only problem is that the upgrade is not free, so you either pay up or stay
vulnerable.
> Date: Sat, 5 Jun 2010 08:38:55 -0600
> From: security_alert@xxxxxxx
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Re: RSA Key Manager SQL injection Vulnerability ( CVE-2010-1904 )
>
> What is the issue?
>
> This message is in response to the original message posted on June 3, 2010
> addressing a SQL Injection vulnerability in the RSA Key Manager C Client
> version 1.5. The original message referenced CVE-2010-1904.
>
> A vulnerability has been identified in the RSA Key Manager (RKM) C client 1.5
> that may expose the product to a SQL Injection attack. An attacker having
> access to encrypted data may be able to leverage this vulnerability in an
> attempt to alter the RKM C Client 1.5 cache.
>
> Affected Products:
> RKM C Client versions 1.5.x.x, all platforms (Windows, Linux, Solaris, HP-UX,
> etc).
>
> Unaffected Products:
> RKM C Client 2.0.x, all platforms
> RKM C Client 2.1.x, all platforms
> RKM C Client 2.2.x, all platforms
> RKM C Client 2.5.x, all platforms
> RKM C Client 2.7, all platforms
> All versions of RKM Java Client
> RKM PKCS#11 Module for LTO-4
> RKM PKCS#11 Module for Oracle TDE
> RKM Server, all versions and platforms
> RKM Appliance, all versions
> Customers using EMC PowerPath with RSA encryption
> Customers using Brocade Encryption Switches with RSA encryption
>
> What is the impact?
> An attacker can attempt to modify the cache to insert an arbitrary encryption
> key that may lead to data unavailability (such as decryption failure of data
> encrypted by that modified key).
>
> There is no impact on confidentiality of the data as the attacker would need
> the cache encryption key in order to decrypt the data.
>
> As of the date of this posting, RSA is not aware of any instances where this
> vulnerability may have been compromised nor are there signs of published
> exploit code.
>
> Recommendations
>
> RSA, The Security Division of EMC, recommends all customers upgrade to the
> latest version of RKM C Client and RKM Server/Appliance.
>
>
>
> EMC Product Security Response Center
> Email: security_alert@xxxxxxx
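The cache-tampering scenario the quoted advisory describes, as an added example that is not part of the original thread and is not RSA's code: a toy key cache in SQLite whose lookup splices the key identifier carried in the ciphertext header into the SQL text, beside the parameterised form that closes the hole. Everything concrete here is a constructed assumption: the table layout, the blob format, the toy cipher, the `KEY_SERVER` dict standing in for the key server, and the `POISON_ID` payload. `exec_like_sqlite3_exec` emulates the multi-statement behaviour of the C API's `sqlite3_exec()`, which is what a native client would call and what makes stacked-query injection possible; Python's own `Cursor.execute()` refuses more than one statement.

```python
"""Toy model of the key-cache SQL injection the CVE-2010-1904 advisory describes.
Added example; cache layout, blob format and 'cipher' are hypothetical, not RKM's."""
import hashlib
import hmac
import sqlite3

# Constructed sample data: one tenant key, held by a stand-in for the key server.
KEY_SERVER = {"tenant-key-1": hashlib.sha256(b"constructed key material").digest()}


def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key_id: str, key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: key id in clear, NUL, HMAC tag, ciphertext."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, "sha256").digest()
    return key_id.encode() + b"\x00" + tag + ct


def parse_blob(blob: bytes):
    """The key id travels unauthenticated in the header, so whoever can alter
    encrypted data at rest controls the string the client looks up."""
    hdr, rest = blob.split(b"\x00", 1)
    return hdr.decode(), rest[:32], rest[32:]


def new_cache() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE key_cache (key_id TEXT PRIMARY KEY, key_material BLOB)")
    return conn


def exec_like_sqlite3_exec(conn, sql: str):
    """Run every statement in `sql`, returning the rows of the last one.
    Emulates sqlite3_exec() from the C API; that multi-statement behaviour is
    what turns a quote in the key id into a cache write."""
    rows, stmt = [], ""
    for ch in sql:
        stmt += ch
        if sqlite3.complete_statement(stmt):   # a ';' outside quotes/comments
            rows = conn.execute(stmt).fetchall()
            stmt = ""
    if stmt.strip():
        rows = conn.execute(stmt).fetchall()
    return rows


def _miss_or_hit(conn, key_id: str, rows) -> bytes:
    if rows:
        return rows[0][0]
    if key_id not in KEY_SERVER:
        raise LookupError(f"key server has no key {key_id!r}")
    key = KEY_SERVER[key_id]
    conn.execute("INSERT INTO key_cache VALUES (?, ?)", (key_id, key))
    return key


def cached_key_vulnerable(conn, key_id: str) -> bytes:
    # BUG: the attacker-controlled id is spliced into the SQL text.
    sql = f"SELECT key_material FROM key_cache WHERE key_id = '{key_id}'"
    return _miss_or_hit(conn, key_id, exec_like_sqlite3_exec(conn, sql))


def cached_key_fixed(conn, key_id: str) -> bytes:
    # Fix: bind the id; it is only ever compared, never parsed as SQL.
    rows = conn.execute("SELECT key_material FROM key_cache WHERE key_id = ?", (key_id,)).fetchall()
    return _miss_or_hit(conn, key_id, rows)


def decrypt(conn, blob: bytes, lookup) -> bytes:
    key_id, tag, ct = parse_blob(blob)
    key = lookup(conn, key_id)
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError(f"decryption failed: cached key for {key_id!r} does not verify")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


# Hypothetical tampered header: closes the lookup, overwrites the cached key for
# tenant-key-1 with a single zero byte, then opens a harmless trailing SELECT so
# the whole statement string stays syntactically valid.
POISON_ID = ("x'; INSERT OR REPLACE INTO key_cache VALUES ('tenant-key-1', X'00');"
             " SELECT key_material FROM key_cache WHERE key_id = 'x")


def run_scenario(lookup):
    """Warm the cache legitimately, feed the client a blob whose header was
    rewritten by someone who only has the encrypted data, then decrypt the
    legitimate blob again. Returns (tampered_blob_rejected, later_decrypt_ok)."""
    conn = new_cache()
    good = encrypt("tenant-key-1", KEY_SERVER["tenant-key-1"], b"customer record")
    if decrypt(conn, good, lookup) != b"customer record":
        raise RuntimeError("warm-up decrypt should succeed")
    tampered = POISON_ID.encode() + b"\x00" + good.split(b"\x00", 1)[1]
    try:
        decrypt(conn, tampered, lookup)
        rejected = False
    except (LookupError, ValueError):
        rejected = True                       # rejected either way...
    try:
        later_ok = decrypt(conn, good, lookup) == b"customer record"
    except ValueError:
        later_ok = False                      # ...but the cache may already be poisoned
    return rejected, later_ok


if __name__ == "__main__":
    print("vulnerable client:", run_scenario(cached_key_vulnerable))  # (True, False)
    print("fixed client:     ", run_scenario(cached_key_fixed))       # (True, True)
```

Both clients reject the tampered blob, which is why the attack is easy to miss: the damage is the side effect on the cache, and it only shows up when the next legitimate record under `tenant-key-1` fails to decrypt. That is the availability impact the advisory calls data unavailability. The toy cache stores key material in the clear; the advisory's reason for ruling out a confidentiality impact is that the real cache is itself encrypted, so an attacker who can write rows still cannot read keys out of it.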