|Resolution||After reviewing the report, it is RSA’s conclusion that an insecure implementation at this researcher’s client led to the vulnerabilities identified and that each of these concerns could be mitigated by following RSA and industry-recommended security best practices including hardened network configuration, proper use of multi-factor authentication, and least privilege. |
- By default, only limited self-service capabilities are available in RSA Authentication Manager. More sensitive features such as Forgot Password must be explicitly enabled by the administrator. Other features such as Troubleshoot Token can be disabled as required. In general, organizations should enable only those features that are required and for which the benefits outweigh the risks. In highly sensitive deployments, RSA recommends that emergency access is provided through a live help desk call rather than by using self-service.
- Organizations should proceed with caution before making any self-service features available on the public Internet. The researcher concludes his article by highlighting the increased risks when placing self-service outside of a secured boundary. RSA agrees with this assessment. As stated in the RSA Authentication Manager Security Best Practices Guide (originally published in November 2011):
“Examine your self-service policies and consider hardening self-service access and functionality. Limit access to the self-service console only to users inside your network. RSA strongly recommends that you do not allow users to clear their PIN with the Self-Service Console. Users that must clear their PIN should contact the Help Desk.”
If an organization does choose to make self-service available on the Internet, RSA provides a more secure means to do so through DMZ-based web tier servers. In the researcher’s example, this guidance was ignored. Instead, secured ports were unnecessarily opened on the client’s corporate firewall. The RSA Authentication Manager Planning Guide specifically states:
“While port 7004 is used by the Security Console, dynamic seed provisioning, and the Self-Service Console, it should not be directly accessible outside the intranet. To allow access to the Self-Service Console or dynamic seed provisioning for external users, set up a web tier to help protect port 7004 and restrict access to the Security Console.”
- Security best practices rely upon a defense-in-depth strategy. RSA SecurID technology is based on the principle of multi-factor authentication, which strengthens security by forcing an attacker to compromise multiple defenses—in this case, something you have (“the token”), and something you know (“the PIN”). When employing emergency access, an equivalent multi-layer approach should be used. In the researcher’s example, this principle was ignored in multiple respects.
First, the researcher’s token was assigned without a PIN.
Second, emergency access was deployed as a “single factor” without a second layer of defense (e. g., network security). And while RSA acknowledges the researcher’s finding that Change PIN could be used in an unintended and malicious way, the researcher concedes that this was achieved only through prior knowledge of the user’s Active Directory password. Nevertheless, RSA is currently enhancing the Change PIN feature to address this concern.
Ultimately, customers must decide when and where to use specific self-service features based on their individual needs and risk profile. But the risks can be mitigated by following RSA and industry-recommended security best practices. We encourage RSA customers to stay current with security best practices for deploying and maintaining RSA Authentication Manager by visiting the RSA Link website for the latest documentation updates. Visit the RSA Authentication Manager 8.2 SP1 page on RSA Link for more information.
- When properly implemented, self-service can be deployed safely and securely. RSA SecurID is one of the most versatile authentication systems on the planet—used by organizations ranging from tens of users to millions of users, and protecting applications of every shape and size. To support this broad range of customers and use cases, RSA SecurID technology is designed to provide an extremely flexible and granular self-service model. In the researcher’s example, several key features of the product were left unexplored.
- The RSA Authentication Manager Web Tier allows organizations to decide which RSA SecurID services are available on the public Internet, and enables these services to be deployed securely in the DMZ without opening direct access to the RSA Authentication Manager server.
- The RSA Self-Service Console includes support for multi-factor authentication. Passwords, for example, can be augmented by requiring a one-time passcode sent to a pre-registered mobile phone or email account.
- A second factor (e. g., a PIN) should always be used with any one-time passcode solution. RSA SecurID supports additional PIN complexity and lockout features that can be used to help mitigate potential brute force attacks.
- For emergency access, RSA recommends single-use one-time codes. If an organization chooses to use fixed passcodes, these passcodes should be set to expire in 24 hours or less.
- When using Security Questions, organizations are encouraged to create custom questions not based on publicly searchable information. Organizations can also configure how many correct answers are required.
RSA welcomes independent security reviews as they help create the strongest and safest products for all our customers. Researchers are encouraged to contact RSA directly and to report any suspected product vulnerabilities directly to the Dell EMC Product Security Response Center.
Unfortunately, this researcher chose not share his results with RSA prior to publishing so RSA can respond only to the statements as outlined in the article. If new information surfaces, RSA will discuss it right here on the RSA Link website.