000021686 - A locked-out user presenting valid password is redirected to invalid password page in RSA ClearTrust

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000021686
Applies To: RSA ClearTrust 5.5.2 Authorization Server (AServer)
RSA ClearTrust Agent 4.0 for Sun ONE Web Server 6.0
Issue: A locked-out user presenting valid password is redirected to invalid password page in RSA ClearTrust

RSA ClearTrust Agent redirects a locked-out user presenting either a valid or an invalid password to the locked-out page (i.e. the page configured for cleartrust.agent.login_auth_user_locked_out in webagent.conf). This behavior of the Agent reveals the existence of a valid userid (and its locked-out status) to a potential unauthorized user.

Resolution

The order of verifying the password and checking the locked-out status was changed in RSA ClearTrust 5.5.3. With ClearTrust 5.5.3, the Agent redirects a locked-out user to the locked-out page (cleartrust.agent.login_auth_user_locked_out) only if the user enters a valid password. If an invalid password is presented for the locked-out userid, the user is redirected to the invalid password page (cleartrust.agent.login_error_pw_location_basic).

To get RSA ClearTrust 5.5.3, visit RSA SecurCare Online's ClearTrust downloads area or contact RSA Customer Support.

NOTE: RSA Security recommends using a generic error page to disguise the actual reason for authentication failure from users who may be trying to break into the Web server. That is, use the same error page for both locked-out status and invalid password.

Workaround
RSA ClearTrust Agent is dependent on the status returned by the ClearTrust Authorization Server. The ClearTrust Authorization Server returns the locked-out status (ADMIN_LOCKOUT) to the Agent without verifying the password (the locked-out status is checked before the password is verified). This results in the Agent redirecting a locked-out user to the locked-out page without verifying the password.
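The following simulation is an added example, not RSA code and not part of this article; it models the three redirect policies the article describes (the 5.5.2 ordering in the Workaround section, the 5.5.3 ordering in the Resolution, and the generic error page recommended in the NOTE) so the difference in what an unauthenticated client can observe is explicit. The two webagent.conf key names are those given in the article; the user store, the passwords, the generic page name and the probe set are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Redirect targets named after the webagent.conf keys cited in the article.
# GENERIC_ERROR_PAGE is an assumed name for the single error page RSA recommends.
LOCKED_OUT_PAGE = "cleartrust.agent.login_auth_user_locked_out"
INVALID_PW_PAGE = "cleartrust.agent.login_error_pw_location_basic"
GENERIC_ERROR_PAGE = "login_error_generic"  # assumed, not a real key
PROTECTED_RESOURCE = "protected_resource"


@dataclass
class Account:
    password_hash: bytes
    locked_out: bool


def _digest(password: str) -> bytes:
    # Toy hash for the simulation only; real stores use a salted password hash.
    return hashlib.sha256(password.encode()).digest()


# Constructed user store: one active account, one administratively locked out.
USERS = {
    "active": Account(_digest("right-pass"), locked_out=False),
    "locked": Account(_digest("right-pass"), locked_out=True),
}
# Dummy hash compared when the userid is unknown so the check costs the same.
_DUMMY = _digest("unknown-user-placeholder")


def _password_ok(userid: str, password: str) -> bool:
    acct = USERS.get(userid)
    expected = acct.password_hash if acct else _DUMMY
    matched = hmac.compare_digest(expected, _digest(password))
    return matched and acct is not None


def login_552(userid: str, password: str) -> str:
    """5.5.2 order: lockout status (ADMIN_LOCKOUT) is returned before the password is checked."""
    acct = USERS.get(userid)
    if acct is not None and acct.locked_out:
        return LOCKED_OUT_PAGE
    return PROTECTED_RESOURCE if _password_ok(userid, password) else INVALID_PW_PAGE


def login_553(userid: str, password: str) -> str:
    """5.5.3 order: password first; locked-out page only for a locked-out user with a valid password."""
    if not _password_ok(userid, password):
        return INVALID_PW_PAGE
    if USERS[userid].locked_out:
        return LOCKED_OUT_PAGE
    return PROTECTED_RESOURCE


def login_generic(userid: str, password: str) -> str:
    """Recommended configuration: the same page for every authentication failure."""
    if not _password_ok(userid, password) or USERS[userid].locked_out:
        return GENERIC_ERROR_PAGE
    return PROTECTED_RESOURCE


# Constructed probes: none of them should ever reach the protected resource.
PROBES = {
    "locked_wrong_pw": ("locked", "wrong-pass"),
    "locked_right_pw": ("locked", "right-pass"),
    "active_wrong_pw": ("active", "wrong-pass"),
    "unknown_wrong_pw": ("nobody", "wrong-pass"),
}


def failure_pages(login) -> dict:
    """Map each probe to the page the Agent would redirect to under `login`."""
    return {name: login(u, p) for name, (u, p) in PROBES.items()}


def lockout_visible_without_password(login) -> bool:
    """True when a wrong password alone separates a locked-out userid from an active one."""
    pages = failure_pages(login)
    return pages["locked_wrong_pw"] != pages["active_wrong_pw"]


def distinct_failure_pages(login) -> int:
    """How many different failure pages an unauthenticated client can observe."""
    return len(set(failure_pages(login).values()))


if __name__ == "__main__":
    for name, fn in (("5.5.2", login_552), ("5.5.3", login_553), ("generic", login_generic)):
        print(name, failure_pages(fn),
              "lockout visible on wrong pw:", lockout_visible_without_password(fn))
```

Running the script shows the point of the NOTE: the 5.5.3 ordering stops a wrong password from revealing lockout status, but a client that does know the password still sees a distinct locked-out page, whereas the generic page collapses every failure to one observable outcome.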
Legacy Article ID: a24312
