000035002 - RSA Authentication Manager 8.2 False Positive Security Vulnerabilities

Document created by RSA Customer Support Employee on Apr 5, 2017. Last modified by RSA Customer Support Employee on Jun 16, 2017.
Version 3

Article Content

Article Number: 000035002
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2
CVE ID: CVE-2017-3733
Article Summary: This article provides a list of security vulnerabilities that cannot be exploited on RSA Authentication Manager 8.2, but which may be flagged by security scanners.
Link to Advisories: Each CVE ID listed can be searched using the following link: https://web.nvd.nist.gov/view/vuln/search. Once there, you can search for each CVE ID referenced in this article for more details.
Alert Impact: Not Exploitable
Technical Details: The flaw exists but it is not exploitable
Technical Details Explanation: False Positive
Resolution: The vulnerabilities listed in the table below are in order by the date on which RSA Authentication Manager Engineering determined that Authentication Manager 8.2 was not vulnerable.
 

  
Embedded Component: OpenSSL
CVE ID: CVE-2017-3733
Summary of Vulnerability: During a renegotiation handshake, if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice versa), then this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected.
Reason why Product is not Vulnerable: This issue only impacts the 1.1+ versions of OpenSSL. For SSL/TLS connections using OpenSSL, RSA Authentication Manager 8.2 uses version 1.0.2+ of OpenSSL, which is not impacted by this issue.
Date Determined False Positive: 21 March, 2017

Embedded Component: NTP
CVE ID: CVE-2017-6464 - NTP-01-016 NTP: Denial of Service via Malformed Config
Summary of Vulnerability: A vulnerability found in the NTP server makes it possible for an authenticated remote user to crash ntpd via a malformed mode configuration directive.
CVSS v3 Base Score: 6.5 Medium
Reason why Product is not Vulnerable: The flaw does not exist. The NTP service on the RSA Authentication Manager appliance is a client of a time service only. It does not allow remote administration.
Date Determined False Positive: March 30, 2017

Embedded Component: NTP
CVE ID: CVE-2017-6462 - NTP-01-014 NTP: Buffer Overflow in DPTS Clock
Summary of Vulnerability: There is a potential for a buffer overflow in the legacy Datum Programmable Time Server refclock driver. Here the packets are processed from the /dev/datum device and handled in datum_pts_receive(). Since an attacker would be required to somehow control a malicious /dev/datum device, this does not appear to be a practical attack and renders this issue "Low" in terms of severity.
Reason why Product is not Vulnerable: The flaw does not exist. Support for this device is not included in the RSA Authentication Manager 8.2 appliance NTP service.
Date Determined False Positive: March 30, 2017

Embedded Component: NTP
CVE ID: CVE-2017-6463 - NTP-01-012 NTP: Authenticated DoS via Malicious Config Option
Summary of Vulnerability: A vulnerability found in the NTP server allows an authenticated remote attacker to crash the daemon by sending an invalid setting via the :config directive. The unpeer option expects a number or an address as an argument. In case the value is "0", a segmentation fault occurs.
CVSS v3 Base Score: 6.5 Medium
Reason why Product is not Vulnerable: The flaw does not exist. The NTP service on the RSA Authentication Manager appliance is a client of a time service only. It does not allow remote administration (as is required for the exploit in the unpeer option).
Date Determined False Positive: March 30, 2017

Embedded Component: NTP
CVE ID: CVE-2017-6455 - NTP-01-009 NTP: Windows: Privileged execution of User Library code
Summary of Vulnerability: The Windows NT port has the added capability to preload DLLs defined in the inherited global local environment variable PPSAPI_DLLS. The code contained within those libraries is then called from the NTPD service, usually running with elevated privileges. Depending on how securely the machine is set up and configured, if ntpd is configured to use the PPSAPI under Windows this can easily lead to a code injection.
CVSS v3 Base Score: 7.0 High
Reason why Product is not Vulnerable: The flaw does not exist. This issue is in the Windows NT port of NTP.
Date Determined False Positive: March 30, 2017

Embedded Component: NTP
CVE ID: CVE-2017-6452 - NTP-01-008 NTP: Windows Installer: Stack Buffer Overflow from Command Line
Summary of Vulnerability: The Windows installer for NTP calls strcat(), blindly appending the string passed to the stack buffer in the addSourceToRegistry() function. The stack buffer is 70 bytes smaller than the buffer in the calling main() function. Together with the initially copied Registry path, the combination causes a stack buffer overflow and effectively overwrites the stack frame. The passed application path is actually limited to 256 bytes by the operating system, but this is not sufficient to assure that the affected stack buffer is consistently protected against overflowing at all times.
CVSS v3 Base Score: 7.8 High
Reason why Product is not Vulnerable: The flaw does not exist. This issue is in the Windows installer for NTP (which is not used).
Date Determined False Positive: March 30, 2017

Embedded Component: NTP
CVE ID: CVE-2017-6459 - NTP-01-007 NTP: Windows Installer: Data Structure terminated insufficiently
Summary of Vulnerability: The Windows installer for NTP calls strcpy() with an argument that specifically contains multiple null bytes. strcpy() only copies a single terminating null character into the target buffer instead of copying the required double null bytes in the addKeysToRegistry() function. As a consequence, a garbage registry entry can be created. The additional arsize parameter is erroneously set to contain two null bytes and the following call to RegSetValueEx() claims to be passing in a multi-string value, though this may not be true.
CVSS v3 Base Score: 5.5 Medium
Reason why Product is not Vulnerable: The flaw does not exist. This issue is in the Windows installer for NTP (which is not used).
Date Determined False Positive: March 30, 2017

Embedded Component: NTP
CVE ID: CVE-2017-6458 - NTP-01-004 NTP: Potential Overflows in ctl_put() functions
Summary of Vulnerability: ntpd makes use of different wrappers around ctl_putdata() to create name/value ntpq (mode 6) response strings. For example, ctl_putstr() is usually used to send string data (variable names or string data). The formatting code was missing a length check for variable names. If somebody explicitly created any unusually long variable names in ntpd (longer than 200-512 bytes, depending on the type of variable), then if any of these variables are added to the response list it would overflow a buffer.
CVSS v3 Base Score: 8.8 High
Reason why Product is not Vulnerable: The flaw does not exist. The issue affects a time server's NTP responses to clients. The NTP service on the AM appliance is a client of a time service and is not impacted by this issue.
Date Determined False Positive: March 30, 2017

Embedded Component: NTP
CVE ID: CVE-2017-6451 - NTP-01-003 Improper use of snprintf() in mx4200_send()
Summary of Vulnerability: The legacy MX4200 refclock is only built if it is specifically enabled, and furthermore additional code changes are required to compile and use it. But it uses the libc function snprintf()/vsnprintf() incorrectly, which can lead to an out-of-bounds memory write due to improper handling of the return value of snprintf()/vsnprintf(). Since the return value is used as an iterator and it can be larger than the buffer's size, it is possible for the iterator to point somewhere outside of the allocated buffer space. This results in an out-of-bounds memory write. This behavior can be leveraged to overwrite a saved instruction pointer on the stack and gain control over the execution flow. During testing it was not possible to identify any malicious usage for this vulnerability. Specifically, no way for an attacker to exploit this vulnerability was ultimately unveiled. However, it has the potential to be exploited, so the code should be fixed.
CVSS v3 Base Score: 7.8 High
Reason why Product is not Vulnerable: The flaw does not exist. Support for this device is not included in the RSA Authentication Manager 8.2 appliance NTP service.
Date Determined False Positive: March 30, 2017

Embedded Component: NTP
CVE ID: CVE-2017-6460 - NTP-01-002 Buffer Overflow in ntpq when fetching reslist
Summary of Vulnerability: A stack buffer overflow in ntpq can be triggered by a malicious ntpd server when ntpq requests the restriction list from the server. This is due to a missing length check in the reslist() function. It occurs whenever the function parses the server's response and encounters a flagstr variable of an excessive length. The string will be copied into a fixed-size buffer, leading to an overflow on the function's stack frame. Note well that this problem requires a malicious server, and affects ntpq, not ntpd.
CVSS v3 Base Score: 8.8 High
Reason why Product is not Vulnerable: The flaw does not exist. The problem affects ntpq, which is not used in the RSA Authentication Manager 8.2 appliance.
Date Determined False Positive: March 30, 2017

Embedded Component: NTP
CVE ID: CVE-2016-9042 - 0rigin DoS
Summary of Vulnerability: An exploitable denial of service vulnerability exists in the origin timestamp check functionality of ntpd 4.2.8p9. A specially crafted unauthenticated network packet can be used to reset the expected origin timestamp for target peers. Legitimate replies from targeted peers will fail the origin timestamp check (TEST2), causing the reply to be dropped and creating a denial of service condition. This vulnerability can only be exploited if the attacker can spoof all of the servers.
CVSS v3 (from NTP.org): MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
Reason why Product is not Vulnerable: The flaw does not exist. The problem affects NTP peer time servers and not the RSA Authentication Manager 8.2 appliance, which is a client of a time server only.
Date Determined False Positive: March 30, 2017

Embedded Component: Linux kernel
CVE ID: CVE-2016-7916
Summary of Vulnerability: Race condition in the environ_read function in fs/proc/base.c in the Linux kernel before 4.5.4 allows local users to obtain sensitive information from kernel memory by reading a /proc/*/environ file during a process-setup time interval in which environment-variable copying is incomplete.
CVSS v3 Base Score: 5.5 Medium
Reason why Product is not Vulnerable: The flaw exists but does not add an additional risk. The RSA Authentication Manager appliance administrator already has access to root system privileges, so the vulnerability does not represent additional risk.
Date Determined False Positive: 4/12/2017

Embedded Component: Linux kernel
CVE ID: CVE-2015-8964
Summary of Vulnerability: The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel before 4.5 allows local users to obtain sensitive information from kernel memory by reading a tty data structure.
CVSS v3 Base Score: 5.5 Medium
Reason why Product is not Vulnerable: The flaw exists but does not add an additional risk. The RSA Authentication Manager appliance administrator already has access to root system privileges, so the vulnerability does not represent additional risk.
Date Determined False Positive: 4/12/2017

Embedded Component: Linux kernel
CVE ID: CVE-2013-6368
Summary of Vulnerability: The KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges or cause a denial of service (system crash) via a VAPIC synchronization operation involving a page-end address.
CVSS v2 Base Score: 6.2 Medium
Reason why Product is not Vulnerable: The flaw exists but does not add an additional risk. The RSA Authentication Manager appliance administrator already has access to root system privileges, so the vulnerability does not represent additional risk.
Date Determined False Positive: 4/12/2017

Embedded Component: Linux kernel
CVE ID: CVE-2017-5551
Summary of Vulnerability: The simple_set_acl function in fs/posix_acl.c in the Linux kernel before 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs filesystem, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7097.
CVSS v3 Base Score: 4.4 Medium
Reason why Product is not Vulnerable: The flaw exists but does not add an additional risk. The RSA Authentication Manager appliance administrator already has access to root system privileges, so the vulnerability does not represent additional risk.
Date Determined False Positive: 4/12/2017

Embedded Component: Linux kernel
CVE ID: CVE-2016-9555
Summary of Vulnerability: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel before 4.8.8 lacks chunk-length checking for the first chunk, which allows remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data.
CVSS v3 Base Score: 9.8 Critical
Reason why Product is not Vulnerable: The flaw exists but cannot be exploited. The RSA Authentication Manager appliance does not use SCTP.
Date Determined False Positive: 4/12/2017

Embedded Component: Linux kernel
CVE ID: CVE-2016-5696
Summary of Vulnerability: net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for remote attackers to hijack TCP sessions via a blind in-window attack.
CVSS v3 Base Score: 4.8 Medium
Reason why Product is not Vulnerable: The flaw exists (but is already fixed in AM 8.2 patch 4) and is not exploitable in AM 8.2.0.4 and later versions.
Date Determined False Positive: 4/12/2017

Embedded Component: Samba Server
CVE ID: CVE-2017-7494
Summary of Vulnerability: All versions of Samba from 3.5.0 onward are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
CVSSv3 Base Score: 7.5
Reason why Product is not Vulnerable: The flaw does not exist. The RSA Authentication Manager does not include a Samba server (smbd).
Date Determined False Positive: 6/6/2017
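The snprintf() return-value misuse described in the CVE-2017-6451 row above, as an added example that is not ntpd's code and not part of this advisory: the unsafe iterator arithmetic is replayed beside a bounded append that detects truncation, which is also the general remedy for the missing length checks noted for CVE-2017-6458 and CVE-2017-6460. The function names, LINE_CAP and the sample field values are constructed for this illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Added example (not ntpd's mx4200_send() code) of the snprintf() return-value misuse
 * described for CVE-2017-6451. snprintf()/vsnprintf() return the length the complete
 * output would have had, not the bytes actually stored, so adding that value to a buffer
 * iterator walks it past the end of a fixed-size buffer as soon as output is truncated.
 * The field values passed by callers are constructed sample data. */
#define LINE_CAP 16   /* deliberately small so truncation is easy to reach */
/* Replays the unsafe arithmetic without touching memory: where the naive loop's iterator
 * ends after appending every field with an unchecked return value. A result >= LINE_CAP
 * means the real code would already be writing out of bounds. snprintf(NULL, 0, ...)
 * reports exactly the length a buffer-writing call would return. */
size_t naive_iterator_end(const char *const fields[], size_t nfields) {
    size_t pos = 0;
    for (size_t i = 0; i < nfields; i++)
        pos += (size_t)snprintf(NULL, 0, "%s,", fields[i]);   /* bug: unchecked */
    return pos;
}
/* Hardened append: format only into the remaining space, treat an error or a return value
 * >= remaining as "did not fit", and never move the iterator past the terminator.
 * Returns 0 on success, -1 when the field was dropped. */
int checked_append(char *buf, size_t cap, size_t *pos, const char *fmt, ...) {
    if (*pos >= cap) return -1;                  /* no room left, not even for '\0' */
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + *pos, cap - *pos, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= cap - *pos) {
        buf[*pos] = '\0';                        /* discard the truncated partial field */
        return -1;
    }
    *pos += (size_t)n;
    return 0;
}
/* Builds a comma-separated line; returns how many fields fit completely. The buffer is
 * always NUL-terminated with strlen(buf) < cap. */
size_t build_line(char *buf, size_t cap, const char *const fields[], size_t nfields) {
    size_t pos = 0, placed = 0;
    if (cap == 0) return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < nfields; i++) {
        if (checked_append(buf, cap, &pos, "%s,", fields[i]) != 0) break;
        placed++;
    }
    return placed;
}
```

With a 16-byte buffer and five sample fields, naive_iterator_end() reports an offset of 37 while build_line() stops after two fields with the buffer still terminated.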

  
 
Notes: For CVE-2017-7494, the same response applies to RSA Authentication Manager 8.0 and 8.1.

 

Disclaimer

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800-995-5095. RSA Security LLC and its affiliates, including without limitation its ultimate parent company, EMC Corporation, distribute RSA Security Advisories in order to bring important security information to the attention of users of the affected RSA products. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA, its affiliates or suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
