000032853 - Badlock Vulnerability (CVE-2016-2118 and CVE-2016-0128) in RSA Products

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Jul 28, 2016.
Version 2

Article Content

Article Number: 000032853
Applies To: All RSA Products
Issue: On April 12, 2016, a vulnerability known as the “Badlock” bug was publicly disclosed in the Security Account Manager Remote Protocol [MS-SAMR] and the Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD]. Both are application-level protocols built on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol. Any authenticated DCERPC connection that a client initiates against a server can be used by a man-in-the-middle to impersonate the authenticated user against the SAMR or LSAD service on that server. The vulnerability was discovered by Stefan Metzmacher, a member of the international Samba Core Team.
This vulnerability has been assigned the following Common Vulnerabilities and Exposures (CVE) IDs:
  CVE-2016-2118 (Samba)
  CVE-2016-0128 (Windows)
Full details for this vulnerability are available at: http://badlock.org
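The attack described above only works when the DCERPC or SMB session carries no integrity protection, so on a Samba host the defensive question is whether signing and DCERPC auth-level enforcement are switched on. The following checker is an added example for this advisory, not RSA's or Samba's own code: it parses an smb.conf [global] section and reports each relevant setting as ok, weak, or unset. The parameter names (allow dcerpc auth level connect, server signing, client signing, client ipc signing, ntlm auth) are taken from the Samba smb.conf(5) manual; the sample configuration, the EXPECTED table, and the function names check_smb_conf and weak_settings are constructed here. Because the value Samba applies to an absent parameter depends on the Samba version, an unset parameter is reported for verification rather than assumed safe.

```python
import configparser

# Constructed sample [global] section (not taken from any real RSA or Samba host).
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   server string = constructed sample host
   server signing = auto
   client signing = mandatory
   allow dcerpc auth level connect = yes   ; permits DCERPC binds without integrity
   ntlm auth = No
"""

# smb.conf(5) parameters that decide whether an on-path attacker can tamper with
# an authenticated SMB / DCERPC session, paired with the value that closes the gap.
# Absent parameters take a version-dependent Samba default, so they are reported
# as "unset" (verify) rather than as safe.
EXPECTED = {
    "allow dcerpc auth level connect": (
        "no",
        "DCERPC binds at auth level CONNECT carry no integrity protection, so "
        "SAMR/LSAD calls can be altered in transit",
    ),
    "server signing": ("mandatory", "SMB sessions to this host are not required to be signed"),
    "client signing": ("mandatory", "SMB sessions from this host are not required to be signed"),
    "client ipc signing": ("mandatory", "IPC$ (named pipe / DCERPC transport) traffic is not required to be signed"),
    "ntlm auth": ("no", "NTLMv1 is still accepted; only NTLMv2 should be allowed"),
}

# Samba accepts several spellings for booleans; fold them onto yes/no.
_BOOL = {"yes": "yes", "true": "yes", "1": "yes", "no": "no", "false": "no", "0": "no"}


def _normalise(value):
    """Lower-case a value and map Samba's boolean spellings onto yes/no."""
    v = value.strip().lower()
    return _BOOL.get(v, v)


def parse_smb_conf(text):
    """Parse smb.conf text with configparser.

    smb.conf is INI-like: '=' separates key and value, keys may contain spaces
    and are case-insensitive, and ';' or '#' begin comments.  Leading whitespace
    is stripped first so that indented lines are never mistaken for
    continuation lines."""
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(
        strict=False,                       # tolerate duplicate keys
        interpolation=None,                 # '%' has no special meaning here
        inline_comment_prefixes=(";", "#"),
        delimiters=("=",),
    )
    cp.optionxform = lambda key: " ".join(key.lower().split())  # normalise key spacing/case
    cp.read_string(flat)
    return cp


def check_smb_conf(text):
    """Return one finding per EXPECTED parameter with status ok / weak / unset."""
    cp = parse_smb_conf(text)
    section = cp["global"] if cp.has_section("global") else {}
    findings = []
    for name, (wanted, why) in EXPECTED.items():
        raw = section.get(name)
        if raw is None:
            status = "unset"
        elif _normalise(raw) == wanted:
            status = "ok"
        else:
            status = "weak"
        findings.append({"name": name, "value": raw, "status": status, "why": why})
    return findings


def weak_settings(text):
    """Names of parameters explicitly set to a value that leaves the gap open."""
    return [f["name"] for f in check_smb_conf(text) if f["status"] == "weak"]


if __name__ == "__main__":
    for f in check_smb_conf(SAMPLE_SMB_CONF):
        print(f"{f['status']:5}  {f['name']:32} = {f['value']!r}")
        if f["status"] != "ok":
            print(f"       -> {f['why']}")
```

Run against a real host by reading /etc/samba/smb.conf (or the output of testparm -s) into check_smb_conf; every "weak" line is a setting to correct, and every "unset" line is one to confirm against the Samba version in use before relying on the default.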

Resolution: RSA is aware of and investigating this issue to identify the product impact. The level of impact may vary depending on the affected product. The following table contains the latest available impact information. This table will be updated as additional information becomes available.

RSA Product Name | Versions | Impacted? | Details | Last Updated
---------------- | -------- | --------- | ------- | ------------
3D Secure / Adaptive Authentication eCommerce | All Supported | Investigating | | 4/12/2016
Access Manager | All Supported | Not Impacted | | 4/22/2016
Adaptive Authentication Hosted | All Supported | Investigating | | 4/12/2016
Adaptive Authentication On-Prem | All Supported | Not Impacted | | 4/19/2016
Archer Hosted | N/A | Not Impacted | | 4/12/2016
Archer Platform | All Supported | Not Impacted | | 4/12/2016
Archer SecOps | All Supported | Not Impacted | Archer SecOps solution integrates with Security Analytics; follow guidelines provided for Security Analytics. | 4/18/2016
Archer Vulnerability & Risk Manager (VRM) | All Supported | Not Impacted | Archer VRM solution integrates with Security Analytics; follow guidelines provided for Security Analytics. | 4/18/2016
Authentication Manager Software Platform | All Supported | Not Impacted | | 4/13/2016
Authentication Manager Appliance | All Supported | Not Impacted | | 4/13/2016
BSAFE C Products: MES, Crypto-C ME, SSL-C | All Supported | Not Impacted | | 4/22/2016
BSAFE Java Products: Cert-J, Crypto-J, SSL-J | All Supported | Not Impacted | | 4/22/2016
Data Loss Prevention | 9.6 | Not Impacted | | 4/19/2016
Data Protection Manager | All Supported | Not Impacted | | 4/22/2016
DCS: Certificate Manager | All Supported | Not Impacted | | 4/12/2016
DCS: Validation Manager | All Supported | Not Impacted | | 4/12/2016
ECAT | All Supported | Not Impacted | Product relies on underlying OS to provide support for affected protocols. Follow OS vendor guidelines to patch underlying host. | 4/18/2016
eFraudNetwork (eFN) | All Supported | Impacted | Service utilizes Windows-based servers. Servers will be patched during next regular cycle. | 4/25/2016
Federated Identity Manager | All Supported | Not Impacted | | 4/25/2016
FraudAction (OTMS) | All Supported | Impacted | Service utilizes Windows-based servers. Servers will be patched during next regular cycle. | 4/25/2016
RSA Central | All Supported | Not Impacted | | 4/25/2016
RSA Live Infrastructure | All Supported | Not Impacted | | 4/25/2016
SecurID Agent for PAM | All Supported | Not Impacted | | 4/13/2016
SecurID Agent for Web | All Supported | Not Impacted | | 4/13/2016
SecurID Agent for Windows | All Supported | Not Impacted | | 4/13/2016
SecurID Authentication Engine | All Supported | Not Impacted | | 4/13/2016
SecurID Authentication SDK | All Supported | Not Impacted | | 4/13/2016
SecurID Software Token Converter | All Supported | Not Impacted | | 4/13/2016
SecurID Software Token for Android | All Supported | Not Impacted | | 4/13/2016
SecurID Software Token for Blackberry | All Supported | Not Impacted | | 4/13/2016
SecurID Software Token for Desktop | All Supported | Not Impacted | | 4/13/2016
SecurID Software Token for iPhone | All Supported | Not Impacted | | 4/13/2016
SecurID Software Token for Windows Mobile | All Supported | Not Impacted | | 4/13/2016
SecurID Software Token Toolbar | All Supported | Not Impacted | | 4/13/2016
SecurID Software Token Web SDK | All Supported | Not Impacted | | 4/13/2016
SecurID Transaction Signing SDK | All Supported | Not Impacted | | 4/13/2016
Security Analytics (Physical and Virtual Appliances) | All Supported | Impacted | Only the Malware Analysis (MA) component of Security Analytics is impacted. A workaround is to toggle off SAMBA and use FTP or NONE for File Sharing Protocol (see MA Config Guide). This issue is fixed in SA 10.6.0.2 (see ESA-2016-058), and will be fixed in SA 10.5.2.1 / 10.4.1.6 / 10.3 hotfix (target date not available). | 6/2/2016
Via Access IDR VM | All Supported | Not Impacted | | 4/13/2016
Via Access Cloud Service | All Supported | Not Impacted | | 4/13/2016
Via Lifecycle and Governance Software (Identity Management & Governance Software) | All Supported | Not Impacted | Samba/CIFS is not used by Via L&G. Follow OS vendor guidelines to patch underlying host. | 4/18/2016
Via Lifecycle and Governance Appliance (Identity Management & Governance Appliance) | All Supported | Not Impacted | Samba/CIFS is not used by Via L&G. The underlying O/S is affected; a fix is provided in Appliance Updater Q2-2016 Release. | 7/28/2016
Via Lifecycle and Governance SaaS | All Supported | Not Impacted | Samba/CIFS is not used by Via L&G. The underlying O/S is affected; a patch will be applied in the next maintenance window (ETA not available). | 4/18/2016
Web Threat Detection | All Supported | Not Impacted | | 4/22/2016
Notes

Disclaimer

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800-995-5095. RSA Security LLC distributes RSA Security Advisories in order to bring important security information to the attention of users of the affected RSA products. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
