000035002 - RSA Authentication Manager 8.2 False Positive Security Vulnerabilities

Document created by RSA Customer Support Employee on Apr 5, 2017. Last modified by RSA Customer Support on Apr 9, 2018.
Version 6

Article Content

Article Number: 000035002
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2
CVE ID: See the CVE IDs in the entries below.
Article Summary: This article provides a list of security vulnerabilities that cannot be exploited on RSA Authentication Manager 8.2, but which may be flagged by security scanners.
Link to Advisories: Each CVE ID listed can be looked up at https://web.nvd.nist.gov/view/vuln/search. Search there for each CVE ID referenced in this article for more details.
Alert Impact: Not Exploitable
Technical Details: The flaw exists but is not exploitable.
Technical Details Explanation: False Positive
Resolution: The vulnerabilities listed below are in order of the date on which RSA Authentication Manager Engineering determined that Authentication Manager 8.2 was not vulnerable. Each entry gives the embedded component, the CVE ID, a summary of the vulnerability, the reason why the product is not vulnerable, and the date the finding was determined to be a false positive.

Embedded Component: OpenSSL
CVE ID: CVE-2017-3733
Summary of Vulnerability: During a renegotiation handshake, if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice versa), this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected.
Reason why Product is not Vulnerable: This issue only impacts the 1.1+ versions of OpenSSL. For SSL/TLS connections using OpenSSL, RSA Authentication Manager 8.2 uses a 1.0.2+ version of OpenSSL, which is not impacted by this issue.
Date Determined False Positive: 21 March, 2017

Embedded Component: NTP
CVE ID: CVE-2017-6464
Summary of Vulnerability: A vulnerability found in the NTP server makes it possible for an authenticated remote user to crash ntpd via a malformed mode configuration directive.
Reason why Product is not Vulnerable: The flaw does not exist. The NTP service on the RSA Authentication Manager appliance is a client of a time service only. It does not allow remote administration.
Date Determined False Positive: March 30, 2017

Embedded Component: NTP
CVE ID: CVE-2017-6462
Summary of Vulnerability: There is a potential for a buffer overflow in the legacy Datum Programmable Time Server refclock driver. Here the packets are processed from the /dev/datum device and handled in datum_pts_receive(). Since an attacker would be required to somehow control a malicious /dev/datum device, this does not appear to be a practical attack and renders this issue "Low" in terms of severity.
Reason why Product is not Vulnerable: The flaw does not exist. Support for this device is not included in the RSA Authentication Manager 8.2 appliance NTP service.
Date Determined False Positive: March 30, 2017

Embedded Component: NTP
CVE ID: CVE-2017-6463
Summary of Vulnerability: A vulnerability found in the NTP server allows an authenticated remote attacker to crash the daemon by sending an invalid setting via the :config directive. The unpeer option expects a number or an address as an argument. In case the value is "0", a segmentation fault occurs.
Reason why Product is not Vulnerable: The flaw does not exist. The NTP service on the RSA Authentication Manager appliance is a client of a time service only. It does not allow remote administration (as is required for the exploit in the unpeer option).
Date Determined False Positive: March 30, 2017

Embedded Component: NTP
CVE ID: CVE-2017-6455
Summary of Vulnerability: The Windows NT port has the added capability to preload DLLs defined in the inherited global local environment variable PPSAPI_DLLS. The code contained within those libraries is then called from the NTPD service, usually running with elevated privileges. Depending on how securely the machine is set up and configured, if ntpd is configured to use the PPSAPI under Windows this can easily lead to a code injection.
Reason why Product is not Vulnerable: The flaw does not exist. This issue is in the Windows NT port of NTP.
Date Determined False Positive: March 30, 2017

Embedded Component: NTP
CVE ID: CVE-2017-6452
Summary of Vulnerability: The Windows installer for NTP calls strcat(), blindly appending the string passed to the stack buffer in the addSourceToRegistry() function. The stack buffer is 70 bytes smaller than the buffer in the calling main() function. Together with the initially copied Registry path, the combination causes a stack buffer overflow and effectively overwrites the stack frame. The passed application path is actually limited to 256 bytes by the operating system, but this is not sufficient to assure that the affected stack buffer is consistently protected against overflowing at all times.
Reason why Product is not Vulnerable: The flaw does not exist. This issue is in the Windows installer for NTP (which is not used).
Date Determined False Positive: March 30, 2017

Embedded Component: NTP
CVE ID: CVE-2017-6459
Summary of Vulnerability: The Windows installer for NTP calls strcpy() with an argument that specifically contains multiple null bytes. strcpy() only copies a single terminating null character into the target buffer instead of copying the required double null bytes in the addKeysToRegistry() function. As a consequence, a garbage registry entry can be created. The additional arsize parameter is erroneously set to contain two null bytes and the following call to RegSetValueEx() claims to be passing in a multi-string value, though this may not be true.
Reason why Product is not Vulnerable: The flaw does not exist. This issue is in the Windows installer for NTP (which is not used).
Date Determined False Positive: March 30, 2017

Embedded Component: NTP
CVE ID: CVE-2017-6458
Summary of Vulnerability: ntpd makes use of different wrappers around ctl_putdata() to create name/value ntpq (mode 6) response strings. For example, ctl_putstr() is usually used to send string data (variable names or string data). The formatting code was missing a length check for variable names. If somebody explicitly created any unusually long variable names in ntpd (longer than 200-512 bytes, depending on the type of variable), then if any of these variables are added to the response list it would overflow a buffer.
Reason why Product is not Vulnerable: The flaw does not exist. The issue affects a time server's NTP responses to its clients. The NTP service on the AM appliance is a client of a time service only and is not impacted by this issue.
Date Determined False Positive: March 30, 2017

Embedded Component: NTP
CVE ID: CVE-2017-6451
Summary of Vulnerability: The legacy MX4200 refclock is only built if it is specifically enabled, and furthermore additional code changes are required to compile and use it. But it uses the libc function snprintf()/vsnprintf() incorrectly, which can lead to an out-of-bounds memory write due to an improper handling of the return value of snprintf()/vsnprintf(). Since the return value is used as an iterator and it can be larger than the buffer's size, it is possible for the iterator to point somewhere outside of the allocated buffer space. This results in an out-of-bounds memory write. This behavior can be leveraged to overwrite a saved instruction pointer on the stack and gain control over the execution flow. During testing it was not possible to identify any malicious usage for this vulnerability. Specifically, no way for an attacker to exploit this vulnerability was ultimately unveiled. However, it has the potential to be exploited, so the code should be fixed.
Reason why Product is not Vulnerable: The flaw does not exist. Support for this device is not included in the RSA Authentication Manager 8.2 appliance NTP service.
Date Determined False Positive: March 30, 2017

Embedded Component: NTP
CVE ID: CVE-2017-6460
Summary of Vulnerability: A stack buffer overflow in ntpq can be triggered by a malicious ntpd server when ntpq requests the restriction list from the server. This is due to a missing length check in the reslist() function. It occurs whenever the function parses the server's response and encounters a flagstr variable of an excessive length. The string will be copied into a fixed-size buffer, leading to an overflow on the function's stack frame. Note well that this problem requires a malicious server, and affects ntpq, not ntpd.
Reason why Product is not Vulnerable: The flaw does not exist. The problem affects ntpq, which is not used in the RSA Authentication Manager 8.2 appliance.
Date Determined False Positive: March 30, 2017

Embedded Component: NTP
CVE ID: CVE-2016-9042
Summary of Vulnerability: An exploitable denial of service vulnerability exists in the origin timestamp check functionality of ntpd 4.2.8p9. A specially crafted unauthenticated network packet can be used to reset the expected origin timestamp for target peers. Legitimate replies from targeted peers will fail the origin timestamp check (TEST2), causing the reply to be dropped and creating a denial of service condition. This vulnerability can only be exploited if the attacker can spoof all of the servers.
Reason why Product is not Vulnerable: The flaw does not exist. The problem affects NTP peer time servers and not the RSA Authentication Manager 8.2 appliance, which is a client of a time server only.
Date Determined False Positive: March 30, 2017

Embedded Component: Linux kernel
CVE ID: CVE-2016-7916
Summary of Vulnerability: Race condition in the environ_read function in fs/proc/base.c in the Linux kernel before 4.5.4 allows local users to obtain sensitive information from kernel memory by reading a /proc/*/environ file during a process-setup time interval in which environment-variable copying is incomplete.
Reason why Product is not Vulnerable: The flaw exists but does not add an additional risk. The RSA Authentication Manager appliance administrator already has access to root system privileges, so the vulnerability does not represent additional risk.
Date Determined False Positive: 4/12/2017

Embedded Component: Linux kernel
CVE ID: CVE-2015-8964
Summary of Vulnerability: The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel before 4.5 allows local users to obtain sensitive information from kernel memory by reading a tty data structure.
Reason why Product is not Vulnerable: The flaw exists but does not add an additional risk. The RSA Authentication Manager appliance administrator already has access to root system privileges, so the vulnerability does not represent additional risk.
Date Determined False Positive: 4/12/2017

Embedded Component: Linux kernel
CVE ID: CVE-2013-6368
Summary of Vulnerability: The KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges or cause a denial of service (system crash) via a VAPIC synchronization operation involving a page-end address.
Reason why Product is not Vulnerable: The flaw exists but does not add an additional risk. The RSA Authentication Manager appliance administrator already has access to root system privileges, so the vulnerability does not represent additional risk.
Date Determined False Positive: 4/12/2017

Embedded Component: Linux kernel
CVE ID: CVE-2017-5551
Summary of Vulnerability: The simple_set_acl function in fs/posix_acl.c in the Linux kernel before 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs filesystem, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7097.
Reason why Product is not Vulnerable: The flaw exists but does not add an additional risk. The RSA Authentication Manager appliance administrator already has access to root system privileges, so the vulnerability does not represent additional risk.
Date Determined False Positive: 4/12/2017

Embedded Component: Linux kernel
CVE ID: CVE-2016-9555
Summary of Vulnerability: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel before 4.8.8 lacks chunk-length checking for the first chunk, which allows remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data.
Reason why Product is not Vulnerable: The flaw exists but cannot be exploited. The RSA Authentication Manager appliance does not use SCTP.
Date Determined False Positive: 4/12/2017

Embedded Component: Linux kernel
CVE ID: CVE-2016-5696
Summary of Vulnerability: net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for remote attackers to hijack TCP sessions via a blind in-window attack.
Reason why Product is not Vulnerable: The flaw exists (but is already fixed in AM 8.2 patch 4) and is not exploitable in AM 8.2.0.4 and later versions.
Date Determined False Positive: 4/12/2017

Embedded Component: Samba Server
CVE ID: CVE-2017-7494
Summary of Vulnerability: All versions of Samba from 3.5.0 onward are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
Reason why Product is not Vulnerable: The flaw does not exist. The RSA Authentication Manager does not include a Samba server (smbd).
Date Determined False Positive: 6/6/2017

Embedded Component: libgcrypt11 OS component
CVE ID: CVE-2017-7526
Summary of Vulnerability: This side-channel attack requires that the attacker can run arbitrary software on the hardware where the private RSA key is used. Allowing execute access to a box with private keys should be considered an unsafe security practice anyway. Thus in practice there are easier ways to access the private keys than to mount this side-channel attack. However, on boxes with virtual machines this attack may be used by one VM to steal private keys from another VM.
Reason why Product is not Vulnerable: The flaw exists but cannot be exploited. The RSA Authentication Manager does not use GnuPG or its library libgcrypt11. This library may be used by components of the OS, but only for validation of signatures and not for creating signatures. Validation of signatures does not use private keys, and there are no private GnuPG keys on the system (only public keys). The vulnerability requires that the attacker be able to monitor the system resources in a side-channel attack.
Date Determined False Positive: 7/17/2017

Embedded Component: OpenSSH
CVE ID: CVE-2015-6563
Summary of Vulnerability: The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the sshd uid to send a crafted MONITOR_REQ_PWNAM request, related to monitor.c and monitor_wrap.c.
Reason why Product is not Vulnerable: The flaw exists in AM 8.2 but does not add an additional security risk. The RSA Authentication Manager appliance has no unprivileged local users. The only user who can log in has access to full root privileges.
Date Determined False Positive: 1/11/2018

Embedded Component: OpenSSH
CVE ID: CVE-2016-8858
Summary of Vulnerability: The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests.
Reason why Product is not Vulnerable: The flaw exists in AM 8.2 but does not add an additional security risk. The impact of the issue is to prevent the user performing the attack from logging on, that is, a denial-of-service attack against themselves.
Date Determined False Positive: 1/11/2018

Embedded Component: OpenSSH
CVE ID: CVE-2016-10010
Summary of Vulnerability: sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c.
Reason why Product is not Vulnerable: The flaw exists in AM 8.2 SP1 but does not add an additional security risk. The RSA Authentication Manager appliance has no unprivileged local users. The only user who can log in has access to full root privileges.
Date Determined False Positive: 1/11/2018

Embedded Component: OpenSSH
CVE ID: CVE-2016-10011
Summary of Vulnerability: authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process.
Reason why Product is not Vulnerable: The flaw exists in AM 8.2 SP1 but does not add an additional security risk. The RSA Authentication Manager appliance has no unprivileged local users. The only user who can log in has access to full root privileges.
Date Determined False Positive: 1/11/2018

Embedded Component: Linux kernel
CVE ID: CVE-2016-10088
Summary of Vulnerability: The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576.
Reason why Product is not Vulnerable: The flaw exists but does not add additional risk. The RSA Authentication Manager appliance is a secure system with a single appliance administrator capable of logging in. It is not a multi-purpose/multi-user system with non-privileged local users. The appliance administrator is already capable of obtaining root privileges.
Date Determined False Positive: 14-Apr-2017

Embedded Component: libxml2
CVE ID: CVE-2016-9318
Summary of Vulnerability: libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.
Reason why Product is not Vulnerable: The flaw exists but cannot be exploited. Products which use this broken feature are not included in the RSA Authentication Manager appliance for handling any XML input from the AM consoles.
Date Determined False Positive: 14-Apr-17

Embedded Component: ntp
CVE ID: CVE-2016-9310
Summary of Vulnerability: The control mode (mode 6) functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to set or unset traps via a crafted control mode packet.
Reason why Product is not Vulnerable: The flaw does not exist. The NTP service on the RSA Authentication Manager appliance is a client of a time service only. It does not allow remote administration.
Date Determined False Positive: 14-Apr-17

Embedded Component: ntp
CVE ID: CVE-2015-7871
Summary of Vulnerability: Crypto-NAK packets can be used to cause ntpd to accept time from unauthenticated ephemeral symmetric peers by bypassing the authentication required to mobilize peer associations. This vulnerability appears to have been introduced in ntp-4.2.5p186 when the code handling mobilization of new passive symmetric associations (lines 1103-1165) was refactored.
Reason why Product is not Vulnerable: The flaw does not exist. The RSA Authentication Manager appliance v8.2.0.4 already includes this fix.
Date Determined False Positive: 14-Apr-17

Embedded Component: libvmtools0
CVE ID: CVE-2015-5191
Summary of Vulnerability: No description at NVD.
Reason why Product is not Vulnerable: The flaw exists but does not add additional risk. The RSA Authentication Manager appliance is a secure system with a single appliance administrator capable of logging in. It is not a multi-purpose/multi-user system with non-privileged local users. The appliance administrator is already capable of obtaining root privileges.
Date Determined False Positive: 14-Apr-17

Embedded Component: OpenSSL
CVE ID: CVE-2016-7056
Summary of Vulnerability: The signing function in crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL versions and forks is vulnerable to timing attacks when signing with the standardized elliptic curve P-256 despite featuring constant-time curve operations and modular inversion. A software defect omits setting the BN_FLG_CONSTTIME flag for nonces, failing to take a secure code path in the BN_mod_inverse method and therefore resulting in a cache-timing attack vulnerability. A malicious user with local access can recover ECDSA P-256 private keys.
Reason why Product is not Vulnerable: The flaw exists but does not add additional risk. The RSA Authentication Manager appliance is a secure system with a single appliance administrator capable of logging in. It is not a multi-purpose/multi-user system with non-privileged local users. The appliance administrator is already capable of obtaining root privileges.
Date Determined False Positive: 14-Apr-17

Embedded Component: OpenSSL
CVE ID: CVE-2016-8610
Summary of Vulnerability: A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.
Reason why Product is not Vulnerable: The flaw exists but cannot be exploited (in the default configuration). OpenSSL is not used for SSL/TLS communication except in a special situation where the administrator has explicitly created database read-only users and identified the source IP for the database read-only connection. The specified IP would need to be an IP controlled by the attacker. Any exploit would be further mitigated by the fact that the database connection is handled in separate threads (refer to https://access.redhat.com/security/cve/CVE-2016-8610).
Date Determined False Positive: 14-Apr-17

Embedded Component: ntp
CVE ID: CVE-2016-7426
Summary of Vulnerability: NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all associations is enabled, which allows remote attackers to cause a denial of service (prevent responses from the sources) by sending responses with a spoofed source address.
Reason why Product is not Vulnerable: The flaw exists but cannot be exploited. The RSA Authentication Manager appliance is not configured to use this rate limiting feature.
Date Determined False Positive: 14-Apr-17

Embedded Component: expat
CVE ID: CVE-2016-5300
Summary of Vulnerability: The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.
Reason why Product is not Vulnerable: The flaw exists but cannot be exploited. AM does not use the system Expat library for processing any input XML documents.
Date Determined False Positive: 14-Apr-17

Embedded Component: ssh
CVE ID: CVE-2016-8858
Summary of Vulnerability: No description at NVD.
Reason why Product is not Vulnerable: The flaw exists but cannot be exploited (in the default configuration). The issue could be exploited by a user with access to SSH if the SSH capability of the AM appliance is enabled. The SSH console feature is not enabled by default and is included with AM for customers who are willing to accept its risks. RSA suggests that SSH access always be protected in a network limited to trusted administrators, and that the feature be disabled when not being used.
Date Determined False Positive: 14-Apr-17

Embedded Component: OpenSSH
CVE ID: CVE-2017-15906
Summary of Vulnerability: The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.
Reason why Product is not Vulnerable: The flaw exists but cannot be exploited. The SSH server on the AM appliance does not use this feature (readonly mode).
Date Determined False Positive: 16-Feb-18
Notes: For CVE-2017-7494, the same response applies to RSA Authentication Manager 8.0 and 8.1.
For CVE-2015-6563 and CVE-2016-8858, the same applies to RSA Authentication Manager 8.1 SP1.
For CVE-2017-15906, the response is applicable to AM 8.2 SP1.

 

Disclaimer

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, EMC Corporation, distributes RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA, its affiliates or suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
