[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] ESA-2017-145: RSA® Authentication Agent for Web for Apache Web Server Authentication Bypass Vulnerability

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] ESA-2017-145: RSA® Authentication Agent for Web for Apache Web Server Authentication Bypass Vulnerability
From: EMC Product Security Response Center <Security_Alert@xxxxxxx>
Date: Mon, 27 Nov 2017 17:04:32 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ESA-2017-145: RSA® Authentication Agent for Web for Apache Web Server 
Authentication Bypass Vulnerability

EMC Identifier:  ESA-2017-145

CVE Identifier:  CVE-2017-14377
 
Severity Rating: CVSS v3 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
 
Affected Products:
        .       RSA® Authentication Agent for Web: Apache Web Server version 8.0
        .       RSA® Authentication Agent for Web: Apache Web Server version 
8.0.1 prior to Build 618
 
Summary:
A security vulnerability in RSA Authentication Agent for Web for Apache Web 
Server could potentially lead to authentication bypass.
 
Details:
Due to an improper input validation flaw in RSA Authentication Agent for Web 
for Apache Web Server, a remote malicious user can potentially bypass user 
authentication and gain unauthorized access to resources protected by the 
agent. The privilege level of an unauthorized user who gains access depends on 
the authorization policy set by the underlying application that is using the 
agent.
 
This vulnerability is only present when the RSA Authentication Agent for Web 
for Apache Web Server is configured to use the TCP protocol to communicate with 
the RSA Authentication Manager server. UDP implementation, which is the default 
configuration, is not vulnerable.  Please refer to the RSA Authentication Agent 
8.x for Web for Apache Web Server Installation and Configuration Guide for 
configuration details.  
 
Recommendation:
 
The following release contains resolution for this vulnerability:
        .       RSA Authentication Agent for Web: Apache Web Server version 
8.0.1 Build 618
 
RSA recommends all customers upgrade at the earliest opportunity. RSA 
Authentication Agent for Web for Apache Web Server downloads and documentation 
can be found 
at: https://community.rsa.com/community/products/securid/authentication-agent-web-apache.

Severity Rating:
For an explanation of Severity Ratings, refer to the Security Advisories 
Severity Rating  knowledge base article 
(https://community.rsa.com/docs/DOC-47147). RSA recommends all customers take 
into account both the base score and any relevant temporal and environmental 
scores which may impact the potential severity associated with particular 
security vulnerability.
 
EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major 
versions. Please refer to the Product Version Life Cycle 
(https://community.rsa.com/docs/DOC-40387) for additional details.
 
RSA Link Security Advisories:
Read and use the information in this RSA Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this product alert, contact RSA Software 
Technical Support at 1-800-995-5095. RSA Security LLC and its affiliates, 
including without limitation, its ultimate parent company, Dell Technologies, 
distribute RSA Security Advisories in order to bring to the attention of users 
of the affected RSA products, important security information. RSA recommends 
that all users determine the applicability of this information to their 
individual situations and take appropriate action. The information set forth 
herein is provided "as is" without warranty of any kind. RSA disclaims all 
warranties, either express or implied, including the warranties of 
merchantability, fitness for a particular purpose, title and non-infringement. 
In no event shall RSA, its affiliates or its suppliers, be liable for any 
damages whatsoever including direct, indirect, incidental, consequential, loss 
of business profits or special damages, even if RSA, its affiliates or its 
suppliers have been advised of the possibility of such damages. Some 
jurisdictions do not allow the exclusion or limitation of liability for 
consequential or incidental damages, so the foregoing limitation may not apply.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJaHEOjAAoJEHbcu+fsE81Zp/AH/RW01zyploKpGykRRz2U/Mg8
e8OIeBPr9NQf0SNh9dzAKHHJU2DbGXRog6vKFDAKibYzAVxM3RY3+EpCIvRlH/aZ
1NsSO4NaZMLVEu8IolpeKRxM04k5H5QC15x/N8ZqMKtVK8t/X0hJ2REx9ZdWDZMh
8IbrAkbLjWa4C1dpnqvgxEaeJbL/I6SQd/XLqszcrmejTp278Xr+8WMMGEs+OuJJ
A1TvomRbv1PfCSEH9ukn85fnDsEJev2PXVCtmAJRj9FTEmq8IGRBOTf3hxfrHytb
1iQGpxcFtntjqEukFxpERkvZoJRZ1S251/Utea0DPzSHRLdi8eDB3pZBHOjmGXY=
=rxOj
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] SSD Advisory – ZTE ZXDSL Configuration Reset
Next by Date: [FD] ESA-2017-146: RSA® Authentication Agent SDK for C Error Handling Vulnerability
Previous by thread: [FD] SSD Advisory – ZTE ZXDSL Configuration Reset
Next by thread: [FD] ESA-2017-146: RSA® Authentication Agent SDK for C Error Handling Vulnerability
Index(es):
- Date
- Thread