RSA SecurID Agent Discloses Node Secret Encryption Key to Local Users
RSA Authentication API versions prior to 8.1 SP1
RSA Web Agent for Apache Web Server versions prior to 5.3.5
RSA Web Agent for IIS versions prior to 5.3.5
RSA PAM Agent versions prior to 7.0
RSA Agent for Microsoft Windows versions prior to 6.1.4
A vulnerability was reported in RSA SecurID Products.
The system stores the node secret symmetric encryption key using an outdated encryption algorithm and a weak key. A local user can obtain the encrypted key and decrypt it. The key can then be used to monitor or modify communications between the RSA Authentication Manager and RSA Authentication Agents.
A local user can obtain the node secret key.