V-195: RSA Authentication Manager Lets Local Users View the Administrative Account Password

July 9, 2013 - 12:51am

PROBLEM:

RSA Authentication Manager Lets Local Users View the Administrative Account Password

PLATFORM:

RSA Authentication Manager 7.1, 8.0

ABSTRACT:

A vulnerability was reported in RSA Authentication Manager.

REFERENCE LINKS:

SecurityTracker Alert ID: 1028742
CVE-2013-3273
RSA

IMPACT ASSESSMENT:

Medium

DISCUSSION:

When the RSA Authentication Manager Software Development Kit (SDK) is used to develop a custom application that connects to RSA Authentication Manager and trace logging is set to verbose, the administrative account password used by the custom application is written in clear text to the trace log file.

IMPACT:

A local user can view the administrative account password.

SOLUTION:

The vendor has issued a fix: Patch 26 (P26) for RSA Authentication Manager 7.1 Service Pack 4 (SP4) and Appliance 3.0 SP4; Patch 2 (P2) for RSA Authentication Manager 8.0.
