|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0
Platform (Other): na
O/S Version: Other
|Issue||A vulnerability scan run on Authentication Manager 8.1 reports the system as vulnerable to CVE-2014-4877, the Wget FTP Symlink Attack (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877).|
|Resolution||A configuration-level mitigation is available, as described in the advisories for this CVE. CVE-2014-4877 is triggered when Wget, in recursive FTP mode, recreates a symbolic link served by a malicious FTP server locally and then writes through it. The retr-symlinks setting makes Wget retrieve the symlink target as an ordinary file instead of recreating the link, so adding the line retr-symlinks=on to /etc/wgetrc (system-wide) or ~/.wgetrc (per user) removes the attack path. Use /etc/wgetrc so that the setting applies to every operating-system user on the appliance; a per-user ~/.wgetrc is read after /etc/wgetrc and would override it for that user.|
To make the change on the appliance, follow the steps below:
1. Log in to the appliance operating system (SSH or console) as rsaadmin.
2. Open the system-wide Wget configuration file with elevated privileges, since /etc/wgetrc is not writable by rsaadmin directly:
   sudo vi /etc/wgetrc
3. In vi, press i to enter Insert mode and add the following two lines at the end of the file:
   ## To prevent CVE-2014-4877
   retr-symlinks=on
4. Press Esc to leave Insert mode, then type :wq! and press Enter to save the changes and exit (or :q! to exit without saving).
5. Confirm that the setting is in place:
   grep retr-symlinks /etc/wgetrc
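The same change as a script, an added example that is not part of the RSA article, for administrators who want to apply the mitigation non-interactively or audit it across several appliances. It assumes the wgetrc paths are passed in as arguments (on the appliance that would be /etc/wgetrc, which needs sudo, and rsaadmin's ~/.wgetrc); the demonstration at the bottom runs against constructed temporary files so it never touches the real configuration. It also reproduces two Wget behaviours the manual procedure above does not make visible: Wget honours the last retr-symlinks line in a file, and a user's ~/.wgetrc is read after /etc/wgetrc and overrides it.

```shell
#!/bin/sh
# Added example (not from the RSA article): apply and verify the CVE-2014-4877
# mitigation (retr-symlinks=on) in wgetrc files without an interactive editor.
# Assumption: file paths are passed as arguments; on the appliance the system
# file is /etc/wgetrc and editing it requires sudo.

# A wgetrc line that sets retr-symlinks. Wget ignores case and strips '-' and
# '_' from command names when reading wgetrc, so "retr_symlinks" also counts.
RETR_RE='^[[:space:]]*retr[-_]?symlinks[[:space:]]*='

# Print the value of the last retr-symlinks line in one file, lower-cased
# (empty output if the file is missing or has no such line).
file_retr_symlinks() {
    [ -f "$1" ] || return 0
    grep -iE "$RETR_RE" "$1" | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr 'A-Z' 'a-z'
}

# Append retr-symlinks=on unless it is already the last (and therefore
# effective) setting in that file. Because Wget honours the last occurrence,
# an earlier "retr-symlinks = off" is overridden rather than edited in place.
apply_retr_symlinks() {
    rc=$1
    if [ "$(file_retr_symlinks "$rc")" = "on" ]; then
        return 0
    fi
    printf '\n## To prevent CVE-2014-4877\nretr-symlinks=on\n' >> "$rc"
}

# Mimic Wget's precedence: the system file is read first, then the user's
# ~/.wgetrc, and a later setting wins. Prints on, off or unset.
effective_retr_symlinks() {
    sys_rc=$1
    user_rc=$2
    result=unset
    for f in "$sys_rc" "$user_rc"; do
        v=$(file_retr_symlinks "$f")
        if [ -n "$v" ]; then
            result=$v
        fi
    done
    printf '%s\n' "$result"
}

# Demonstration on constructed temporary files (not the real /etc/wgetrc).
demo_sys=$(mktemp)
demo_user=$(mktemp)
printf 'timeout = 30\nretr_symlinks = off\n' > "$demo_sys"   # constructed: insecure setting
: > "$demo_user"                                              # constructed: empty user file
echo "before: $(effective_retr_symlinks "$demo_sys" "$demo_user")"
apply_retr_symlinks "$demo_sys"
echo "after:  $(effective_retr_symlinks "$demo_sys" "$demo_user")"
rm -f "$demo_sys" "$demo_user"
```

On the appliance, run the apply function against /etc/wgetrc under sudo, then check the effective value for rsaadmin with effective_retr_symlinks /etc/wgetrc /home/rsaadmin/.wgetrc (path assumed); an "off" in the user file silently defeats the system-wide mitigation for that user.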
|Notes||Response from RSA Engineering on why Authentication Manager 8.1 is not affected by this vulnerability in normal operation (the only exposure is an administrator logging in to the appliance operating system and manually running Wget against a malicious FTP site): |
Authentication Manager does not use Wget internally for FTP. The attack can occur only if the customer logs in as rsaadmin and manually runs Wget to retrieve/download data from an attacker-controlled remote FTP server. We strongly recommend that customers do not download data onto the Authentication Manager server from external sources. See page 42 of the RSA Authentication Manager 8.1 Security Configuration Guide.
If customers do not run Wget themselves, they do not need to change anything.