RSA Authentication Manager 8.2 False Positive Security Vulnerabilities
Originally Published: 2017-04-20
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2
Alert Impact
Not Applicable
Resolution
| Embedded Component | CVE ID | Summary of Vulnerability | CVSS Base Score | Reason why Product is not Vulnerable | Date Determined False Positive |
|---|---|---|---|---|---|
| libxml2 | CVE-2016-9318 | libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document. | CVSS v3 7.8 High | Response: The flaw exists but cannot be exploited. Products which use this broken feature are not included in the RSA Authentication Manager appliance for handling any XML input from the AM consoles. | 14-Apr-17 |
| ntp | CVE-2016-9310 | The control mode (mode 6) functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to set or unset traps via a crafted control mode packet. | CVSS v3 6.5 Medium | Response: The flaw does not exist. The NTP service on the RSA Authentication Manager appliance is a client of a time service only. It does not allow remote administration. | 14-Apr-17 |
| ntp | CVE-2015-7871 | Crypto-NAK packets can be used to cause ntpd to accept time from unauthenticated ephemeral symmetric peers by bypassing the authentication required to mobilize peer associations. This vulnerability appears to have been introduced in ntp-4.2.5p186 when the code handling mobilization of new passive symmetric associations (lines 1103-1165) was refactored. | CVSS v2 6.4 Medium (from NTP.org) | Response: The flaw does not exist. The RSA Authentication Manager appliance v8.2.0.4 already includes this fix. | 14-Apr-17 |
| libvmtools0 | CVE-2015-5191 | No description at NVD (at the time of publication). | CVSS v2 6.56 Medium (from SUSE) | Response: The flaw exists but adds no additional risk. The RSA Authentication Manager appliance is a secure system with a single appliance administrator account capable of logging in. It is not a multi-purpose/multi-user system with non-privileged local users, and the appliance administrator is already capable of obtaining root privileges. | 14-Apr-17 |
| openssl | CVE-2016-7056 | The signing function in crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL versions and forks is vulnerable to timing attacks when signing with the standardized elliptic curve P-256 despite featuring constant-time curve operations and modular inversion. A software defect omits setting the BN_FLG_CONSTTIME flag for nonces, failing to take a secure code path in the BN_mod_inverse method and therefore resulting in a cache-timing attack vulnerability. A malicious user with local access can recover ECDSA P-256 private keys. To exploit this flaw, the attacker needs to have local (shell) access to the machine where the message is being signed using the ECDSA algorithm with a P-256 elliptic curve key, and then mount cache-timing attacks (which need precise timing) across multiple signature runs to recover the private key. Because exploitation is difficult, the Red Hat Product Security Team has rated this flaw as having Moderate impact. A further security release may address this flaw. | CVSS v3 5.5 Medium (from Red Hat) | Response: The flaw exists but adds no additional risk. The RSA Authentication Manager appliance is a secure system with a single appliance administrator account capable of logging in. It is not a multi-purpose/multi-user system with non-privileged local users, and the appliance administrator is already capable of obtaining root privileges. | 14-Apr-17 |
| openssl | CVE-2016-8610 | A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. | CVSS v3 4.6 Medium (from Red Hat) | Response: The flaw exists but cannot be exploited in the default configuration. OpenSSL is not used for SSL/TLS communication except in a special situation where the administrator has explicitly created database read-only users and identified the source IP for the database read-only connection. The specified IP would need to be an IP controlled by the attacker. Any exploit would be further mitigated by the fact that the database connection is handled in separate threads (refer to https://access.redhat.com/security/cve/CVE-2016-8610). | 14-Apr-17 |
| ntp | CVE-2016-7426 | NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all associations is enabled, which allows remote attackers to cause a denial of service (prevent responses from the sources) by sending responses with a spoofed source address. | CVSS v3 5.3 Medium | Response: The flaw exists but cannot be exploited. The RSA Authentication Manager appliance is not configured to use this rate limiting feature. | 14-Apr-17 |
| expat | CVE-2016-5300 | The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. | CVSS v3 7.5 High | Response: The flaw exists but cannot be exploited. AM does not use the system Expat library for processing any input XML documents. | 14-Apr-17 |
| ssh | CVE-2016-8858 | The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests. | CVSS v3 7.5 High | Response: The flaw exists but cannot be exploited in the default configuration. The issue could be exploited by a user with network access to the SSH service if the SSH capability of the AM appliance is enabled. The SSH console feature is not enabled by default and is included with AM for customers who are willing to accept its risks. RSA suggests that SSH access always be restricted to a network limited to trusted administrators, and that the feature be disabled when not in use. | 14-Apr-17 |
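Two of the ntp entries above rest on configuration claims rather than on patch level: CVE-2016-9310 is only reachable if ntpd answers mode-6 control packets, and CVE-2016-7426 only if rate limiting is enabled. The script below is an added example for checking those two claims against an ntp.conf; it is not RSA tooling and not part of the original article. It assumes the appliance ntpd reads its restrict lines from /etc/ntp.conf (an assumption about the appliance), and the sample configurations it builds are constructed here rather than taken from any appliance. Mode 6 is reported as "restricted" only when every default restrict line carries noquery or ignore; a config with no default restrict line at all is reported "open", because ntpd answers queries from anyone in that case.

```shell
#!/bin/sh
# Added example, not RSA tooling: check the two ntpd configuration claims
# (CVE-2016-9310 mode-6 control, CVE-2016-7426 rate limiting) against an
# ntp.conf. Assumes ntpd reads /etc/ntp.conf on the appliance (assumption).

# Configuration lines with comments and blank lines removed.
ntp_conf_lines() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Matches "restrict default", "restrict -4 default" and "restrict -6 default".
DEFAULT_RESTRICT='^[[:space:]]*restrict[[:space:]]+(-4[[:space:]]+|-6[[:space:]]+)?default([[:space:]]|$)'

# CVE-2016-9310 needs ntpd to answer mode-6 control packets. Mode 6 is
# refused when every default restrict line carries noquery (or ignore).
# No default restrict line at all means ntpd answers everyone: "open".
ntp_mode6_status() {
    total=$(ntp_conf_lines "$1" | grep -Ec "$DEFAULT_RESTRICT" || true)
    locked=$(ntp_conf_lines "$1" | grep -E "$DEFAULT_RESTRICT" \
        | grep -Ec '[[:space:]](noquery|ignore)([[:space:]]|$)' || true)
    if [ "$total" -gt 0 ] && [ "$total" -eq "$locked" ]; then
        echo restricted
    else
        echo open
    fi
}

# CVE-2016-7426 is reachable only when rate limiting is turned on, which in
# ntp.conf is the "limited" flag on a restrict line (thresholds come from
# "discard", which on its own does not enable limiting).
ntp_rate_limit_status() {
    if ntp_conf_lines "$1" | grep -E '^[[:space:]]*restrict' \
        | grep -Eq '[[:space:]]limited([[:space:]]|$)'; then
        echo enabled
    else
        echo disabled
    fi
}

# Constructed sample configurations (not files from an RSA appliance).
SAMPLE_DIR=${TMPDIR:-/tmp}/ntpcheck.$$
mkdir -p "$SAMPLE_DIR"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/client-only.conf" <<'EOF'
# time client: no mode-6 answers, no rate limiting
driftfile /var/lib/ntp/drift/ntp.drift
server 192.0.2.10 iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
EOF
cat > "$SAMPLE_DIR/exposed.conf" <<'EOF'
# answers mode-6 queries from anyone and rate-limits every association
server 192.0.2.10 iburst
restrict default limited kod nomodify notrap nopeer
EOF
cat > "$SAMPLE_DIR/no-restrict.conf" <<'EOF'
# no restrict lines at all: ntpd defaults to answering queries
server 192.0.2.10 iburst
EOF

# Report on the samples, and on the live file when it is readable.
for f in "$SAMPLE_DIR"/client-only.conf "$SAMPLE_DIR"/exposed.conf \
         "$SAMPLE_DIR"/no-restrict.conf /etc/ntp.conf; do
    [ -r "$f" ] || continue
    printf '%s: mode6=%s rate-limit=%s\n' "$f" \
        "$(ntp_mode6_status "$f")" "$(ntp_rate_limit_status "$f")"
done
```

The external confirmation of the mode-6 claim is `ntpq -c rv <appliance-ip>` from a scanner host: a timeout or refusal agrees with the table, while a variable list (version, processor, system) means control queries are answered. Neither check covers the patch-level claim for CVE-2015-7871; that one is verified with the package version (`rpm -q ntp` on the appliance) against the 4.2.8p4 fix.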