DNS External Service Interaction in RSA Authentication Manager 8.x - False Positive
Originally Published: 2015-12-14
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Platform: SuSE Linux
O/S Version: 11
Article Summary
CWE-406: Insufficient Control of Network Message Volume (detected by DNS)
or
External Service Interaction - DNS
Description:
Reported by a scanner or audit: entering certain data as a parameter triggers the resolution of a hostname.
When detected by a vulnerability scanner (Burp Scanner is one), the issue is described as follows:
External service interaction arises when it is possible to induce an application to interact with an arbitrary external service, such as a web or mail server. The ability to trigger arbitrary external service interactions does not constitute a vulnerability in its own right, and in some cases might even be the intended behavior of the application. However, in many cases, it can indicate a vulnerability with serious consequences.
In cases where DNS-based interactions can be triggered, it is normally possible to trigger interactions using other service types, and these are reported as separate issues. If a payload that specifies a particular service type (e.g. a URL) triggers only a DNS-based interaction, then this strongly indicates that the application attempted to connect using that other service, but was prevented from doing so by egress filters in place at the network layer. The ability to send requests to other systems can allow the vulnerable server to be used as an attack proxy. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. This may include public third-party systems, internal systems within the same organization, or services available on the local loopback adapter of the application server itself. Depending on the network architecture, this may expose highly vulnerable internal services that are not otherwise accessible to external attackers.
or
Specification of a value as a parameter (such as a value submitted in a form) that causes an unexpected action on an external server and might allow an attacker to attack another system via the values submitted to the server having the weakness (the server receiving the suspicious parameter).
Alert Impact
Not Applicable
Analysis
Analysis of the code shows that the DNS name resolution triggered through the “rsa:ClientAddress” parameter described in the report is not a weakness. The DNS name resolution is expected and is not part of a larger action on the Authentication Manager server that references an external service. No attack against the server specified in the parameter can be performed.
Additional Information
The RSA Authentication Manager Appliance is a network infrastructure tool and as such is expected to be configured with, and to work with, network information such as hostnames and IP addresses. The application will be configured with network information including the hostnames and IP addresses of external third-party services (such as SMS providers, authentication agents, email servers, etc.) as well as other network systems such as DNS and NTP time servers. Interaction with these other systems and services is expected.
In this particular case, Authentication Manager attempts to resolve the name supplied in ClientAddress (via DNS or the hosts file), but no corresponding action is performed by Authentication Manager against the server that the parameter references.
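The distinction the analysis rests on, and which the scanner text above also describes, is whether a planted name is merely resolved or whether the server then connects to the resolved address. The triage helper below is an added example written for this article (not RSA's or the scanner vendor's code) that reads resolver and connection log lines captured for the scan window and reports which of the two happened. The log line format, the host names, the RFC 5737 documentation addresses and the five-second correlation window are all assumptions; the sample lines are constructed.

```python
"""Triage an 'External Service Interaction - DNS' finding from captured egress logs.

Added example for this article; assumes you can collect, for the scan window,
the DNS queries and outbound connection attempts made by the server under test
(for instance from a resolver query log and a firewall connection log) and
normalise them to the simple line format parsed here.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set
from urllib.parse import urlparse


@dataclass(frozen=True)
class Event:
    ts: float          # seconds after the scan request was sent
    kind: str          # "dns" or "connect"
    name: str = ""     # queried name (dns events), lower-case, no trailing dot
    answer: str = ""   # resolved address, "" when NXDOMAIN or no answer
    dst: str = ""      # destination address (connect events)


# Assumed normalised line formats (constructed for this example):
#   <ts> DNS <name> -> <address | (NXDOMAIN)>
#   <ts> CONNECT <address>:<port>
_DNS = re.compile(r"^(?P<ts>[\d.]+) DNS (?P<name>\S+) -> (?P<ans>\S+)$")
_CONN = re.compile(r"^(?P<ts>[\d.]+) CONNECT (?P<dst>[^:\s]+):(?P<port>\d+)$")


def parse_line(line: str) -> Optional[Event]:
    """Turn one log line into an Event; lines in neither format are ignored."""
    line = line.strip()
    m = _DNS.match(line)
    if m:
        ans = m["ans"]
        return Event(float(m["ts"]), "dns",
                     name=m["name"].rstrip(".").lower(),
                     answer="" if ans.startswith("(") else ans)
    m = _CONN.match(line)
    if m:
        return Event(float(m["ts"]), "connect", dst=m["dst"])
    return None


def payload_host(payload: str) -> str:
    """Host name the scanner planted, given either a bare name or a URL."""
    if "://" in payload:
        return (urlparse(payload).hostname or "").lower()
    return payload.strip().rstrip(".").lower()


def classify(payload: str, lines: Iterable[str], window: float = 5.0) -> str:
    """Return one of:
    no-interaction              the planted name was never looked up
    resolution-only             looked up, nothing connected to the answer
    resolution-only-url-payload as above, but the payload named a service
                                (a URL), so an egress filter may have blocked
                                the follow-on connection; check firewall logs
    outbound-connection         the server connected to the resolved address
    """
    host = payload_host(payload)
    events: List[Event] = [e for e in (parse_line(l) for l in lines) if e]
    lookups = [e for e in events if e.kind == "dns" and e.name == host]
    if not lookups:
        return "no-interaction"
    t0 = min(e.ts for e in lookups)
    answers: Set[str] = {e.answer for e in lookups if e.answer}
    followed = any(e.kind == "connect" and e.dst in answers
                   and t0 <= e.ts <= t0 + window for e in events)
    if followed:
        return "outbound-connection"
    return "resolution-only-url-payload" if "://" in payload else "resolution-only"


# Constructed sample: the planted name is resolved, and the only connection in
# the window goes to an unrelated mail relay (expected behaviour per the article).
SAMPLE_RESOLVE_ONLY = """\
0.08 DNS scan-probe.example.test. -> 203.0.113.10
0.09 DNS scan-probe.example.test. -> (NXDOMAIN)
2.40 CONNECT 198.51.100.7:25
""".splitlines()

# Constructed sample of the case a scanner is really looking for: the server
# connects to the address it just resolved.
SAMPLE_CONNECTS = """\
0.08 DNS scan-probe.example.test. -> 203.0.113.10
0.50 CONNECT 203.0.113.10:80
""".splitlines()


if __name__ == "__main__":
    for label, log in (("resolve-only", SAMPLE_RESOLVE_ONLY), ("connects", SAMPLE_CONNECTS)):
        print(label, classify("scan-probe.example.test", log))
```

A "resolution-only" verdict matches the situation this article describes and supports closing the finding as a false positive; "outbound-connection" is the case that warrants a real investigation of what the parameter is used for.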