V-159: RSA SecurID Agent Discloses Node Secret Encryption Key to Local Users

May 20, 2013 - 12:09am

PROBLEM:

RSA SecurID Agent Discloses Node Secret Encryption Key to Local Users

PLATFORM:

RSA Authentication API versions prior to 8.1 SP1
RSA Web Agent for Apache Web Server versions prior to 5.3.5
RSA Web Agent for IIS versions prior to 5.3.5
RSA PAM Agent versions prior to 7.0
RSA Agent for Microsoft Windows versions prior to 6.1.4

ABSTRACT:

A vulnerability was reported in RSA SecurID Products.

REFERENCE LINKS:

RSA
SecurityTracker Alert ID: 1028573
CVE-2013-0941

IMPACT ASSESSMENT:

Medium

DISCUSSION:

The system stores the node secret symmetric encryption key using an outdated encryption algorithm and a weak key. A local user can obtain and decrypt the encrypted key. The key can then be used to monitor or modify communications between the RSA Authentication Manager and RSA Authentication Agents.

IMPACT:

A local user can obtain the node secret key.

SOLUTION:

The vendor has issued fixes.
