DNS External Service Interaction in RSA Authentication Manager 8.x - False Positive
Originally Published: 2015-12-14
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Platform: SuSE Linux
O/S Version: 11
Article Summary
CWE-406: Insufficient Control of Network Message Volume (detected by DNS)
or
External Service Interaction - DNS
Description:
Reported by scanner or audit: the entry of certain data as a parameter will trigger the resolution of a hostname.
When detected by a vulnerability scanner (Burp Scanner is one), the issue is described as follows:
External service interaction arises when it is possible to induce an application to interact with an arbitrary external service, such as a web or mail server. The ability to trigger arbitrary external service interactions does not constitute a vulnerability in its own right, and in some cases might even be the intended behavior of the application. However, in many cases, it can indicate a vulnerability with serious consequences.
In cases where DNS-based interactions can be triggered, it is normally possible to trigger interactions using other service types, and these are reported as separate issues. If a payload that specifies a particular service type (e.g. a URL) triggers only a DNS-based interaction, then this strongly indicates that the application attempted to connect using that other service, but was prevented from doing so by egress filters in place at the network layer. The ability to send requests to other systems can allow the vulnerable server to be used as an attack proxy. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. This may include public third-party systems, internal systems within the same organization, or services available on the local loopback adapter of the application server itself. Depending on the network architecture, this may expose highly vulnerable internal services that are not otherwise accessible to external attackers.
Or
A value supplied as a parameter (such as a value submitted in a form) causes an unexpected action on an external server, and might allow an attacker to attack another system via the values submitted to the server that has the weakness (the server receiving the suspicious parameter).
Alert Impact
Not Applicable
Analysis
Analysis of the code shows that the DNS name resolution through the “rsa:ClientAddress” parameter described in the report is not a weakness. The DNS name resolution is expected and is not part of any larger action by the Authentication Manager server that contacts an external service. No attack against the server specified in the parameter can be performed.
Additional Information
The RSA Authentication Manager Appliance is a network infrastructure tool and as such is expected to be configured with, and to work with, network information such as hostnames and IP addresses. The application will be configured with network information including the hostnames and IP addresses of external third-party services (such as SMS providers, authentication agents, email servers, etc.) as well as other network systems such as DNS and NTP time servers. Interaction with these other systems and services is expected.
In this particular case, Authentication Manager attempts to resolve the name provided in ClientAddress (via DNS or the hosts file), but performs no corresponding action targeting the server referenced by the parameter.
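The scanner text above draws the line between a finding that is only a DNS lookup and one where the application went on to attempt a connection (possibly blocked by egress filtering), and the analysis concludes that the rsa:ClientAddress case is the former. The following triage helper, an added example that is not RSA's code and not part of the original article, shows how a defender can confirm which case applies from their own logs: it correlates resolver query log lines with egress firewall log lines and classifies each scanner-injected hostname as "resolution only" (the benign pattern described above), "connection attempted" (a real external service interaction, whether allowed or denied), or "unresolved". The log line formats, hostnames, addresses, and the 60-second correlation window are all constructed assumptions for this example.

```python
"""Triage helper for 'External Service Interaction - DNS' scanner findings.

Added example, not part of the original article. Both log sources below are
constructed samples: a resolver query log (timestamp, hostname, answer) and an
egress firewall log (timestamp, source, destination, port, action). A hostname
that appears only in the resolver log is the benign 'resolution only' pattern;
a hostname whose resolved address then shows up as the destination of an
outbound connection attempt is a genuine external service interaction.
"""
import re
from datetime import datetime, timedelta

# Constructed resolver log lines (format is an assumption for this example).
RESOLVER_LOG = """\
2015-12-14T10:00:01Z query scanner-a.example.test A -> 192.0.2.10
2015-12-14T10:00:05Z query scanner-b.example.test A -> 192.0.2.20
2015-12-14T10:00:09Z query scanner-c.example.test A -> NXDOMAIN
"""

# Constructed egress firewall log lines (format is an assumption for this example).
FIREWALL_LOG = """\
2015-12-14T10:00:06Z OUT src=10.0.0.5 dst=192.0.2.20 dport=80 action=DENY
2015-12-14T10:01:30Z OUT src=10.0.0.5 dst=198.51.100.7 dport=443 action=ALLOW
"""

RESOLVER_RE = re.compile(
    r"^(?P<ts>\S+) query (?P<name>\S+) A -> (?P<answer>\S+)$")
FIREWALL_RE = re.compile(
    r"^(?P<ts>\S+) OUT src=\S+ dst=(?P<dst>\S+) dport=(?P<port>\d+) action=(?P<action>\w+)$")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_resolver_log(text):
    """Return a list of (timestamp, hostname, answer); answer is None for NXDOMAIN."""
    entries = []
    for line in text.splitlines():
        m = RESOLVER_RE.match(line.strip())
        if m:
            answer = None if m["answer"] == "NXDOMAIN" else m["answer"]
            entries.append((_parse_ts(m["ts"]), m["name"], answer))
    return entries


def parse_firewall_log(text):
    """Return a list of (timestamp, destination, port, action) for outbound attempts."""
    entries = []
    for line in text.splitlines():
        m = FIREWALL_RE.match(line.strip())
        if m:
            entries.append((_parse_ts(m["ts"]), m["dst"], int(m["port"]), m["action"]))
    return entries


def classify(resolver_text, firewall_text, window=timedelta(seconds=60)):
    """Map each queried hostname to a verdict.

    'resolution only'        - the name was resolved but its address never appears
                               as an outbound destination within the window
    'connection attempted'   - an outbound attempt to the resolved address followed
                               (the action(s) seen, e.g. DENY, are listed)
    'unresolved'             - the lookup returned NXDOMAIN, so nothing could follow
    """
    connections = parse_firewall_log(firewall_text)
    verdicts = {}
    for ts, name, answer in parse_resolver_log(resolver_text):
        if answer is None:
            verdicts[name] = "unresolved"
            continue
        followed = [c for c in connections
                    if c[1] == answer and ts <= c[0] <= ts + window]
        if followed:
            actions = ",".join(sorted({c[3] for c in followed}))
            verdicts[name] = f"connection attempted ({actions})"
        else:
            verdicts[name] = "resolution only"
    return verdicts


if __name__ == "__main__":
    for hostname, verdict in classify(RESOLVER_LOG, FIREWALL_LOG).items():
        print(f"{hostname}: {verdict}")
```

In the constructed sample, scanner-b is the case the scanner text warns about: the address was resolved and an outbound attempt followed but was denied at the egress filter, which is the pattern that deserves a closer look. scanner-a is the rsa:ClientAddress pattern described in the analysis: the name is resolved and nothing else happens.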