
RSA SecurID Access

3 posts authored by Jay Guillette (RSA employee)

A Qualys security scan of RSA Authentication Manager 8.x servers will report several findings against the RADIUS ports 1812 and 1813 (TCP and UDP), including the following:

 - QID 11827 - RADIUS Port 1812 TCP/UDP HTTP Security Header Not Detected (HSTS)

 - QID 86763 - RADIUS Port 1812 - "WWW-Authenticate: Basic realm=" header field response using Readable Clear Text

 - QID 86476 - RADIUS Port 1813 - Unable to complete testing since the Web server stopped responding.

 - CWE-693 - Protection Mechanism Failure (https://cwe.mitre.org/data/definitions/693.html)

The fact that http://am-server-lab.net:1812 returns a response is of no value to an attacker: nothing further can be done with the port, and there is no method to authenticate against it over plain http at all. The response over https is an HTTP 401 (Unauthorized).

RSA Engineering Response: The flaw exists but is not exploitable (in a properly configured AM system environment). Port 1812/tcp is not accessed by users or administrators, nor do they have the credentials. It is used internally for RADIUS administration and replication between Authentication Manager servers.

 

You can demonstrate that this is not exploitable with a browser. Test connections to the RSA Authentication Manager 8.x primary and replica(s) on both 1812 and 1813, over both http and https, to show that no new risk is exposed. Newer browsers, or browsers with strict security settings, may refuse these connections (older TLS versions and ciphers, the appliance's own certificate), so you may need an older browser version or relaxed browser security settings to complete the tests. If you do, run them from a disposable test system rather than an everyday workstation, and restore the settings afterwards.

    URL: http://<server>:1812

    Result: Console Not Supported

    URL: http://<server>:1813

    Result: ERR_EMPTY_RESPONSE

    URL: https://<server>:1812

    Result: HTTP 401 (Unauthorized)

    URL: https://<server>:1813

    Result: Prompts for RADIUS sign-in credentials
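The same four checks can be scripted with curl, which avoids running a downgraded browser at all. The following is an added example, not part of the original post and not RSA tooling: AM_HOST is an assumed placeholder for the primary or replica host name, and the mapping in interpret() reflects the outcomes listed above, so any other result should be inspected by hand.

```shell
#!/bin/sh
# Added example, not from the original post or from RSA tooling.
# Reproduce the four browser tests above with curl, so that no downgraded
# browser is needed. AM_HOST is an assumed placeholder for the primary or
# replica host name.

# interpret CURL_EXIT HTTP_CODE WWW_AUTHENTICATE_VALUE -> one-line verdict
# The mapping reflects the outcomes listed above; anything else needs a manual look.
interpret() {
    curl_exit="$1"; http_code="$2"; www_auth="$3"
    case "$curl_exit" in
        0)
            case "$http_code" in
                401)
                    if [ -n "$www_auth" ]; then
                        echo "HTTP 401 Unauthorized with challenge ($www_auth): the browser shows a sign-in prompt"
                    else
                        echo "HTTP 401 Unauthorized without challenge: nothing to authenticate against"
                    fi ;;
                2[0-9][0-9])
                    echo "HTTP $http_code: page served without authentication; compare with the Console Not Supported page above" ;;
                *)
                    echo "HTTP $http_code: unexpected, inspect the response body by hand" ;;
            esac ;;
        7)  echo "connection refused: port closed or firewalled (the desired state for 1812/1813 TCP from user networks)" ;;
        28) echo "timed out: port filtered or not speaking HTTP" ;;
        35) echo "TLS handshake failed: protocol or cipher mismatch" ;;
        52) echo "empty reply from server: matches the browser's ERR_EMPTY_RESPONSE" ;;
        56) echo "connection reset while receiving data" ;;
        *)  echo "curl exit $curl_exit: see the EXIT CODES section of curl(1)" ;;
    esac
}

# probe HOST SCHEME PORT -> prints "scheme://host:port -> verdict"
probe() {
    host="$1"; scheme="$2"; port="$3"
    hdrs=$(mktemp)
    rc=0
    # -k: the console presents the appliance's own certificate; --max-time bounds a silent port
    code=$(curl -sk --max-time 10 -o /dev/null -D "$hdrs" -w '%{http_code}' \
                "$scheme://$host:$port/" 2>/dev/null) || rc=$?
    www_auth=$(grep -i '^WWW-Authenticate:' "$hdrs" | tr -d '\r' | cut -d' ' -f2-)
    rm -f "$hdrs"
    echo "$scheme://$host:$port -> $(interpret "$rc" "$code" "$www_auth")"
}

# Run all four checks when AM_HOST is set, e.g. AM_HOST=am82p.example.com sh radius-ports.sh
if [ -n "${AM_HOST:-}" ]; then
    for port in 1812 1813; do
        for scheme in http https; do
            probe "$AM_HOST" "$scheme" "$port"
        done
    done
fi
```

Run it once from a user network segment (where every line should read "connection refused" if the firewall rules described below are in place) and once from an administrative host, and keep both outputs as evidence for the scan response.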

 

Optionally, you can retrieve the RADIUS administrative account credentials from the encrypted Authentication Manager internal database with the rsautil command, which requires Operations Console (OC) administrator credentials. To obtain the RADIUS user name and password, follow the steps below:

 1. Launch an SSH client, such as PuTTY.

 2. Login to the primary Authentication Manager server as rsaadmin and enter the operating system password.

Note that a different user name may have been chosen during Quick Setup; if so, log in with that user name.

login as: rsaadmin

Using keyboard-interactive authentication.

Password:

Last login: Wed Jul 24 14:09:47 2019 from jumphost.vcloud.local

RSA Authentication Manager Installation Directory: /opt/rsa/am

rsaadmin@am82p:~> cd /opt/rsa/am/utils

rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.radius.os.admin.username

Please enter OC Administrator username:

Please enter OC Administrator password:

    com.rsa.radius.os.admin.username: Radius_user_nsuo8rll

rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.radius.os.admin.password

Please enter OC Administrator username:

Please enter OC Administrator password:

    com.rsa.radius.os.admin.password: qnWD0fvC0ASuYxYxHqLNJIggOz5enZ

rsaadmin@am82p:/opt/rsa/am/utils>

Once you have the RADIUS user name (com.rsa.radius.os.admin.username) and password (com.rsa.radius.os.admin.password), enter them in the sign-in prompt presented by https://<server>:1813.

You can then authenticate to the RADIUS console, which further demonstrates that no new risk is exposed: even with these credentials you only reach a list of RADIUS (Steel-Belted Radius, SBR) commands and cannot see anything 'new'.

Attempting any of the listed commands produces a variation of one of the following:

 - not permitted / not allowed

 - no style sheet, for information that is already known, such as the RSA user name

 - output downloaded to the local PC as a .nada file (the SBR Launch command)

RADIUS TCP port 1813: communication to these ports is internal. The Authentication Manager servers connect to them for administration, and other SBR servers connect for replication; there is also a connection for the initial replication during Quick Setup. No other system or user should connect to these ports, and they can be blocked by firewalls. Ports 1813/TCP and 1812/TCP should never be exposed to a public-facing network.

CVE-2013-2566 (RC4 keystream biases): the flaw exists but is not exploitable. To exploit this issue, tens of millions of packets must be captured, all carrying the same plaintext with the sensitive data at the same offset. The traffic on these ports (administration and replication) is relatively infrequent and often requires administrator intervention to start the connection and transfer. When more data is transferred, more packets are sent within that manual operation, but their contents vary, which defeats the attack. The problem was identified on the RSA RADIUS server's port 1813/TCP. This is an internal port for RSA RADIUS and is NOT the standard RADIUS accounting port 1813/UDP. Juniper and RSA both document that these internal ports (1813/TCP and 1812/TCP) should never be exposed to a public-facing network.

CVE-2015-2808 (RC4 'Bar Mitzvah' weak-key vulnerability) in RSA Authentication Manager 8.1: not exploitable. The flaw exists but cannot be exploited. If a browser that requires the RC4 cipher connects to the Authentication Manager consoles, Authentication Manager is currently able to negotiate the connection with RC4. However, the weakness is greatest in the first bytes encrypted with RC4 and diminishes quickly, disappearing after at most 100 encrypted bytes, and the data passed between browsers and Authentication Manager carries no sensitive data in the first 100 bytes of RC4-encrypted output.

CVE-2016-2183 (Sweet32, 64-bit block ciphers such as 3DES): "There is only a vulnerability if customers connect to this port. If they do not connect then an attacker cannot act as a man-in-the-middle to 'poodle' the connection." https://<server>:1813 does not allow real access.

 

This blog started as a knowledge base (KB) article, but it was quickly decided by the KCS content review team that anything put in this KB would be added to, and possibly changed.  It is our hope that all growth here will be useful.

 

While RSA does not have a Best Practices Guide for Authentication Manager, we do have planning, performance and configuration guides.  See the RSA Authentication Manager 8.4 Performance & Scalability Guides, and the RSA Authentication Manager Previous Versions page for versions earlier than 8.4.

 

Principles

  1. Probably the single best piece of advice I ever got in the technical business world is that "you tend to get more credit for a small success than a big failure."  So good principles are to watch for scope creep, keep jobs manageable, and use manageable sub-processes as building blocks for larger processes or jobs.
  2. Try to stay up to date with versions and patches.  Not only are new features included in newer versions, but bug and vulnerability fixes are always targeted at the latest releases.  Be aware that your support contract requires staying current with versions, and that asking RSA to apply new fixes to older versions results in exponentially more complex Quality Engineering (QE) test scenarios, especially around upgrades and updates: applying a hot fix to an older version of AM means QE has to go back and re-test the update paths from that version.
  3. Authentication is the act of verifying the authenticity of someone or something; in other words, making sure someone is who they claim to be.  Authentication is the foundation of all access control, and access controls are only as sound as the authentication system undergirding them.  Authentication Manager two-factor authentication (2FA) combines something you have (the tokencode) and something you know (the PIN) into the passcode.
  4. If your tokens do not require PINs (that is, PINless tokens), you do not have 2FA configured and have an inherently less secure authentication mechanism.
  5. If you pair PINless tokens with passwords, you have multi-factor authentication (MFA), which may or may not be as strong as 2FA, depending on the degree of integration and the protection of the token seeds.  There is a debate here that we will not resolve; it revolves around the concept that one eight-foot high fence is considered more secure than two four-foot high fences.  Your risk analysis needs to determine whether your MFA is sufficient to mitigate your risk concerns according to your business principles.


Technical Principles

  1. You cannot extend the disk of the RSA Authentication Manager virtual appliance after it has been deployed.  To get more space you need to deploy a new instance, typically a replica with a larger disk that you then promote to primary.
  2. Authentication Manager is an authentication system first and a reporting system second; you therefore need to understand several database concepts, such as log archival maintenance, which determines how long authentication and administration data is kept in the database and so what your authentication and administration reports can cover.
  3. Log archival management is closely related to database management.  As authentication and administrative activity is logged to the database, the database grows.  As this information ages there is a point at which it should be archived and purged from the database so that the database does not grow without bound.  However, most databases do not automatically release the space allocated to purged rows, so the database does not shrink immediately; instead it marks that space as writable so that newer log data can reuse it, which slows the rate of growth.  If you want or need to compact the Authentication Manager internal database, you need to run the PostgreSQL vacuumdb utility.  For information on how to run this utility, contact customer support and open a case, citing article 000035033.
  4. If your Authentication Manager primary runs on VMware, you may have deployed it with the default disk size of 100 GB.  If you also have thousands of users, logging and archiving may put the disk at risk of filling up.  It is therefore wise to configure a Critical System Event Notification in the Security Console (Setup > System Setup) and enable e-mail for Low disk space events.  Optionally raise the warning threshold from the default 5 GB to something larger for earlier warning.  See 000036191 - How to modify the low disk space critical event email warning threshold from 5 GB to 10 GB free in RSA Authentication Manager 8.2.1 and higher for more information.

Recommended KBs


Server consoles


Agent and Authentication Knowledge


Linux and certificate knowledge


Authentication Manager Integration Service (AMIS) articles


Hardware appliance knowledge

Authentication Manager supports the TLS protocol versions 1.0, 1.1 and 1.2 (written TLS1_0, TLS1_1 and TLS1_2 in its configuration), each from a specific Authentication Manager version onward, and it also supports restricting or blocking the older protocols.  RSA also dropped support for ciphers that use the RC4 algorithm in Authentication Manager 8.2.

 

Customers are trying to determine whether they need to enforce strict TLS1_2 mode in order to gain TLSv1.2 support in Authentication Manager, the Self-Service Console and the web tiers, and in integrations with API tools such as Authentication Manager Prime and the Authentication Manager Integration Service (AMIS).  This also affects SecurID software token distribution to Apple iOS devices, because the App Transport Security (ATS) feature released in January 2017 requires TLS connections such as CT-KIP to use only TLSv1.2 with SHA-2 signed certificates.

 

Secure Sockets Layer (SSL), since superseded by Transport Layer Security (TLS), is a protocol originally developed by Netscape for transmitting private data over the internet. It uses asymmetric keys and the Public Key Infrastructure (PKI) to authenticate the server and to securely exchange the more efficient symmetric keys that then protect the session.

 

SSL negotiation

 

In general, and as you would expect, the older protocols SSLv2 and SSLv3 are insecure, TLSv1.0 and TLSv1.1 are considered weak, and the newer TLSv1.2 is considered secure.

 

There are two issues here:

  1. When or in what Authentication Manager version is a protocol supported or available
  2. When and how can older protocols be prevented

 

SSL supported versions

 

  • If you need support for the TLSv1.2 protocol, upgrade to at least Authentication Manager 8.1 SP1 P3.
  • If you need to prevent protocols older than TLSv1.2, patch to at least Authentication Manager 8.1 SP1 P13 AND run the strict TLS1_2 enable script.
  • If you need to prevent the use of RC4 ciphers, upgrade to at least Authentication Manager 8.2.
  • When you have Apple iOS devices that use CT-KIP and App Transport Security is in force, you DO NOT need strict TLS.  You only need TLSv1.2 support (and SHA-2 signed certificates).  See the blog post by Jeffrey Carpenter, RSA Product Marketing Manager: ATTN: RSA SecurID Customers..Apple iOS ATS Issue and What to Do About It

 

Enable strict TLS when your security scan flags insecure SSL/TLS protocols and your policy requires that they be eliminated.  Be aware of the implications: older Windows clients that do not support TLSv1.2 will stop working, and this can affect RSA RADIUS in Authentication Manager 8.1 SP1.  If your scan flags insecure RC4 ciphers, plan an upgrade to Authentication Manager 8.2 to address that.  Before and after either change, verify from the client side which protocols and ciphers the server actually negotiates, rather than relying on the scanner alone.
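The protocol and cipher checks above, and the RC4 and Sweet32 (3DES) questions from the RADIUS port post earlier on this page, can be run from any Linux host with openssl s_client. The following is an added example, not from the original post or from RSA: classify_handshake() parses s_client output into a one-line verdict, try_proto() offers one protocol version at a time, and try_rc4() offers only RC4 suites, which a console on 8.2 or later should reject. AM_HOST and the console port 7004 are assumed placeholders; substitute the host and port your console or web tier listens on. Builds of openssl that have dropped SSLv3 or TLSv1.0 report the flag as an unknown option rather than probing it.

```shell
#!/bin/sh
# Added example, not from the original post or from RSA.
# Probe which TLS versions and ciphers a console negotiates with openssl s_client.
# Assumptions: AM_HOST is the appliance host name; 7004 is the Security Console
# port (change it to whatever your console or web tier listens on).

# classify_handshake "<s_client output>" -> one-line verdict
classify_handshake() {
    out="$1"
    case "$out" in
        *"unknown option"*|*"no cipher match"*)
            echo "not probed: this openssl build does not support the requested option"; return ;;
        *"Connection refused"*|*"errno=111"*)
            echo "refused: TCP connection refused, nothing listening or firewalled"; return ;;
        *"alert handshake failure"*|*"alert protocol version"*|*"wrong version number"*|*"illegal parameter"*|*"unsupported protocol"*)
            echo "rejected: server refused this protocol/cipher (expected for anything you disabled)"; return ;;
    esac
    # The SSL-Session block prints "    Protocol  : TLSv1.2" and "    Cipher    : <suite>"
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case "$cipher" in
        ""|"(NONE)"|0000)
            echo "no cipher negotiated: handshake did not complete"; return ;;
    esac
    case "$proto" in
        SSLv2|SSLv3|TLSv1|TLSv1.1) verdict="WEAK protocol $proto" ;;
        TLSv1.2|TLSv1.3)           verdict="OK protocol $proto" ;;
        *)                         verdict="unknown protocol '$proto'" ;;
    esac
    case "$cipher" in
        *RC4*)             verdict="$verdict, WEAK cipher $cipher (RC4: CVE-2013-2566, CVE-2015-2808)" ;;
        *3DES*|*DES-CBC3*) verdict="$verdict, WEAK cipher $cipher (3DES: Sweet32, CVE-2016-2183)" ;;
        *)                 verdict="$verdict, cipher $cipher" ;;
    esac
    echo "$verdict"
}

# try_proto HOST PORT FLAG   FLAG is one of -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3
try_proto() {
    out=$(openssl s_client -connect "$1:$2" -servername "$1" "$3" </dev/null 2>&1) || true
    echo "$3 -> $(classify_handshake "$out")"
}

# try_rc4 HOST PORT   offer only RC4 suites over TLSv1.2; AM 8.2 and later should reject.
# A server without TLSv1.2 at all (before 8.1 SP1 P3) shows "rejected" for protocol
# reasons instead; re-run with -tls1 in that case.
try_rc4() {
    out=$(openssl s_client -connect "$1:$2" -servername "$1" -tls1_2 -cipher RC4 </dev/null 2>&1) || true
    echo "RC4-only -> $(classify_handshake "$out")"
}

# Run all checks when AM_HOST is set, e.g. AM_HOST=am82p.example.com sh tlscheck.sh
if [ -n "${AM_HOST:-}" ]; then
    port="${AM_PORT:-7004}"
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        try_proto "$AM_HOST" "$port" "$flag"
    done
    try_rc4 "$AM_HOST" "$port"
fi
```

After enabling strict TLS1_2 the -ssl3, -tls1 and -tls1_1 lines should all read "rejected" and only -tls1_2 should report "OK"; after upgrading to 8.2 the RC4-only line should read "rejected" as well. A "not probed" line means your openssl build cannot offer that protocol or cipher, not that the server refuses it.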


Some errors caused by a protocol or cipher mismatch between the SSL/TLS client and server include the following (note that "Connection refused" and errno=111 are TCP-level refusals, meaning nothing is listening on the port or a firewall is blocking it, rather than a failed TLS negotiation):

ERR_SSL_PROTOCOL_ERROR
socket: Connection refused
connect:errno=111
This page can't be displayed
It is possible this site uses an unsupported protocol or cipher suite such as RC4

SSLv3 Record Layer: Alert (Level: Fatal, Description: Illegal Parameter) (as seen in a packet capture)

 
