000029115 - How to prevent Wget FTP Symlink Attack Vulnerability (CVE-2014-4877) in Authentication Manager 8.1

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000029115
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0
Platform: Other
Platform (Other): na
O/S Version: Other
Product Name: null
Product Description: null
IssueA vulnerability scan run on Authentication Manager 8.1 reports the system as vulnerable to CVE-2014-4877, the Wget FTP Symlink Attack (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877).
 
ResolutionTechnically, we can have a mitigation as mentioned in this link, by changing the configuration in /etc/wgetrc.  According to the article, you can mitigate the issue by adding the line retr-symlinks=on to either /etc/wgetrc or ~/.wgetrc.
To make the change, follow the steps below:
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter OS password>
Last login: Tue Jun  9 11:41:08 2015 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am81p:~> sudo su -
rsaadmin's password: <enter OS password>
am81p:~ # find / -name wgetrc -print
/etc/wgetrc
am81p:~ # vi /etc/wgetrc


Alternatively, instead of vi /etc/wgetrc, you can use the command sudo vi /etc/wgetrc.
Once in vi, press Esc to enter Insert mode. Enter the following text:
## To prevent CVE-2014-4877
retr-symlinks=on

When done, key in :wq! to save the changes or :q! to exit without saving.
NotesResponse from RSA Engineering as to why Authentication Manager 8.1 would not be affected by this vulnerability (unless you logged in as root and started a Wget session to a malicious FTP site):  
 

Authentication Manager does not use Wget internally for FTP. The attack can occur only if the customer logs in as rsaadmin and manually runs Wget to retrieve/download data from an attacker-controlled remote FTP server.  We strongly recommend that customers do not download data onto the Authentication Manager server from external sources. See page 42 of the RSA Authentication Manager 8.1 Security Configuration Guide.  
If the customers do not run Wget specifically, they do not need to change anything.

Attachments

    Outcomes