000019226 - Are RSA ACE/Server and RSA ACE/Agent products affected by the msasn1.dll vulnerability detailed in MS04-007 security bulletin issued by Microsoft?

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000019226
Applies To: RSA ACE/Server 5.0 (no longer supported as of 8-15-2004)
RSA ACE/Server 5.1 (no longer supported as of 7-14-2006)
RSA ACE/Server 5.2
RSA ACE/Agent 5.5 for Windows
RSA ACE/Agent 5.0.1 for Windows
RSA ACE/Agent 5.2 for Web
Issue: Are RSA ACE/Server and RSA ACE/Agent products affected by the msasn1.dll vulnerability detailed in MS04-007 security bulletin issued by Microsoft?
Cause: According to the security update issued by Microsoft:
"If the 'WINNT\system32\msasn1.dll' DLL is present on a machine, the security update for MS04-007 is required and should be applied to the machine."
Resolution: RSA ACE/Server and RSA ACE/Agent authentication products do not load the "msasn1.dll" DLL containing the security vulnerability. However, if the DLL is present on the machine running RSA ACE/Server and RSA ACE/Agent products, RSA Engineering strongly recommends installing the Microsoft security patch for MS04-007. Without the patch, the security vulnerability exists on the machine.

Microsoft Security Bulletin MS04-007
ASN.1 Vulnerability Could Allow Code Execution (828028)
Issued: February 10, 2004
Version Number: 1.0
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS04-007.asp

Affected Software:

Microsoft Windows NT® Workstation 4.0 Service Pack 6a.
Microsoft Windows NT Server 4.0 Service Pack 6a.
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6.
Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, Microsoft Windows 2000 Service Pack 4.
Microsoft Windows XP, Microsoft Windows XP Service Pack 1.
Microsoft Windows XP 64-Bit Edition, Microsoft Windows XP 64-Bit Edition Service Pack 1.
Microsoft Windows XP 64-Bit Edition Version 2003, Microsoft Windows XP 64-Bit Edition Version 2003 Service Pack 1.
Microsoft Windows Server 2003.
Microsoft Windows Server 2003 64-Bit Edition.

Windows Update, Software Update Services, and the Microsoft Security Baseline Analyzer will correctly detect if the MS04-007 update is required.

Microsoft Security Baseline Analyzer is available from Microsoft at the following link:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/mbsahome.asp

Analysis results from using Microsoft Security Baseline Analyzer:

ASN .1 Vulnerability Could Allow Code Execution (828028) File version is less than expected.
[C:\WINNT\system32\msasn1.dll, 5.0.2195.6666 < 5.0.2195.6823]
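
For triaging many scan reports at once, the following added example (not part of the original RSA article or of any Microsoft tool) parses result lines of the shape shown above and flags msasn1.dll findings that are below the expected version. The line format is assumed from the single sample on this page, and the function names are hypothetical.

```python
import re

# Line shape taken from the MBSA sample on this page:
#   [<path>, <found version> < <expected version>]
RESULT_RE = re.compile(
    r"\[(?P<path>[^,\]]+),\s*(?P<found>\d+(?:\.\d+)*)\s*<\s*"
    r"(?P<expected>\d+(?:\.\d+)*)\]"
)


def is_older(found, expected):
    """Compare dotted versions numerically; as strings '...10000' sorts below '...6823'."""
    found_key = tuple(int(part) for part in found.split("."))
    expected_key = tuple(int(part) for part in expected.split("."))
    return found_key < expected_key


def parse_findings(report_text):
    """Return one dict per file-version finding in MBSA-style output."""
    findings = []
    for match in RESULT_RE.finditer(report_text):
        found, expected = match.group("found"), match.group("expected")
        findings.append({
            "path": match.group("path").strip(),
            "found": found,
            "expected": expected,
            "needs_update": is_older(found, expected),
        })
    return findings


def needs_ms04_007(report_text):
    """True if any msasn1.dll finding is below the expected version."""
    return any(
        f["needs_update"] and f["path"].lower().endswith("msasn1.dll")
        for f in parse_findings(report_text)
    )


# Constructed input: the two result lines quoted on this page.
SAMPLE = r"""
ASN .1 Vulnerability Could Allow Code Execution (828028) File version is less than expected.
[C:\WINNT\system32\msasn1.dll, 5.0.2195.6666 < 5.0.2195.6823]
"""

if __name__ == "__main__":
    for finding in parse_findings(SAMPLE):
        print(finding, "->", "patch" if finding["needs_update"] else "ok")
```

The expected version in each line comes from the scanner's own output, so the script does not hard-code a fixed build number for any Windows release.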
Legacy Article ID: a20520
