RSA Authentication Manager 8.3 P3 - Summary of Known Third-Party Component Vulnerabilities Under Investigation
Originally Published: 2018-10-16
Article Number
000067155
Article Summary
Issues with RSA Authentication Manager 8.3 P3 embedded components as reported by third-party vendors.

These issues and responses are under investigation. The responses are tentative and may change at any time.
Alert Impact
Remedy in Progress
Alert Impact Explanation
The reported issues and impact statements are provided for informational purposes.

Summary description of impact statement responses:
  • The flaw does not exist. The reported vulnerability is not present in the reported version.
  • The flaw exists but is not exploitable. The code error is present in the third-party component but is not used in a way in which the vulnerability can be exploited.
  • The flaw exists but does not add an additional security risk. The code error is present in the third-party component but its exploit does not provide additional information, privileges or capabilities that the user does not already have available to them.
  • The flaw exists and could be exploited.  The flaw could potentially be used in an exploit.  It is frequently the case that an exploit scenario will require additional factors, social engineering or prerequisite attacks which could be avoided by following normal security practices.
Often this assessment and response is a conservative assumption based upon a limited description of the flaw from the third-party vendor.  Information about the issues is available publicly with CVE data archived at the National Vulnerability Database (NVD) web site.
 
Please follow RSA Authentication Manager best practices and instructions for security configuration at your site.
 
Resolution

CVE-2018-1126

procps-ng before version 3.3.15 is vulnerable to an incorrect integer size in proc/alloc.* leading to truncation/integer overflow issues. This flaw is related to CVE-2018-1124.

Response: The flaw exists but does not create additional risk.

The RSA Authentication Manager has no method to remotely execute any procps utility with control over the invocation. The creation of any exploit would require an involved attempt by the local appliance administrator. The appliance administrator is the only user who can log in to the appliance and already has the ability to obtain root privileges.


CVE-2018-1125

procps-ng before version 3.3.15 is vulnerable to a stack buffer overflow in pgrep. This vulnerability is mitigated by FORTIFY, as it involves strncat() to a stack-allocated string. When pgrep is compiled with FORTIFY (as on Red Hat Enterprise Linux and Fedora), the impact is limited to a crash.

Response: The flaw exists but does not create additional risk.

The RSA Authentication Manager has no method to remotely execute any procps utility with control over the invocation. The creation of any exploit would require an involved attempt by the local appliance administrator. The appliance administrator is the only user who can log in to the appliance and already has the ability to obtain root privileges.


CVE-2018-1124

procps-ng before version 3.3.15 is vulnerable to multiple integer overflows leading to a heap corruption in file2strvec function. This allows a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users.

Response: The flaw exists but does not create additional risk.

The creation of any exploit would require an involved attempt by the local appliance administrator. The appliance administrator is the only user who can log in to the appliance and already has the ability to obtain root privileges.


CVE-2018-1123

procps-ng before version 3.3.15 is vulnerable to a denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maps a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service).

Response: The flaw exists but does not create additional risk.

The RSA Authentication Manager has no method to remotely execute any procps utility with control over the invocation. The creation of any exploit would require an involved attempt by the local appliance administrator. The appliance administrator is the only user who can log in to the appliance and already has the ability to obtain root privileges.


CVE-2018-1122

procps-ng before version 3.3.15 is vulnerable to a local privilege escalation in top. If a user runs top with HOME unset in an attacker-controlled directory, the attacker could achieve privilege escalation by exploiting one of several vulnerabilities in the config_file() function.

Response: The flaw exists but does not create additional risk.

The creation of any exploit would require an involved attempt by the local appliance administrator. The appliance administrator already has the ability to obtain root privileges.


CVE-2018-12015

In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.

Response: The flaw exists but cannot be exploited.

The RSA Authentication Manager has no service which uses Perl and no existing capability which uses Perl's Archive::Tar module.


CVE-2014-3688

The SCTP implementation in the Linux kernel before 3.17.4 allows remote attackers to cause a denial of service (memory consumption) by triggering a large number of chunks in an association's output queue, as demonstrated by ASCONF probes, related to net/sctp/inqueue.c and net/sctp/sm_statefuns.c.

Response: The flaw exists but cannot be exploited.

The RSA Authentication Manager does not use the SCTP protocol.


CVE-2018-0732

During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o)

Response: The flaw exists but cannot be exploited.

The RSA Authentication Manager does not use the OpenSSL package for SSL/TLS connections.


CVE-2018-0360

ClamAV before 0.100.1 has an HWP integer overflow with a resultant infinite loop via a crafted Hangul Word Processor file. This is in parsehwp3_paragraph() in libclamav/hwp.c.

Response: The flaw exists and could be exploited.

The RSA Authentication Manager does not run the vulnerable ClamAV scanner by default. To exploit, an attacker would need to convince the appliance administrator to transfer a crafted file to the appliance.


CVE-2018-0361

ClamAV before 0.100.1 lacks a PDF object length check, resulting in an unreasonably long time to parse a relatively small file.

Response: The flaw exists and could be exploited.

The RSA Authentication Manager does not run the vulnerable ClamAV scanner by default. To exploit, an attacker would need to convince the appliance administrator to transfer a crafted file to the appliance.


CVE-2008-1483

OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.

Response: The flaw exists but cannot be exploited.

The RSA Authentication Manager does not use the vulnerable features associated with forwarded X connections.


CVE-2016-10708

sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.

Response: The flaw exists and could be exploited.

The RSA Authentication Manager does not enable SSH access by default. SSH access should not be enabled unless necessary for special maintenance activities, and it should be disabled when not in use. When enabled, SSH access should be limited to secure internal networks.


CVE-2016-10012

The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allows local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures.

Response: The flaw exists but does not create additional risk.

The RSA Authentication Manager appliance administrator is the only user able to log into the system and is already capable of obtaining full system privileges.


CVE-2017-15906

The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.

Response: The flaw exists but cannot be exploited.

The SSH server on the RSA Authentication Manager appliance does not use this feature (readonly mode).


CVE-2018-11236

stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.

Response: The flaw exists but cannot be exploited.

The RSA Authentication Manager does not have an external interface allowing the long pathnames required for exploit of this issue.


CVE-2018-10858

Samba releases 3.2.0 to 4.8.3 (inclusive) contain an error in libsmbclient that could allow a malicious server to overwrite client heap memory by returning an extra long filename in a directory listing.

Response: The flaw exists and could be exploited.

Could be exploited if an administrator attempts to use the smb client to connect to a malicious SMB server from the command line.

Not an issue for connections from AM services (but nonetheless, administrators should not connect and transfer files to malicious or untrusted file shares).


CVE-2018-3646

L1 Terminal Fault: VMM - Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.

Note: The EMC Product Security Office has created a response for all RSA products. Refer to: https://community.rsa.com/docs/DOC-96325


CVE-2018-3615

L1 Terminal Fault: SGX - Systems with microprocessors utilizing speculative execution and Intel® software guard extensions (Intel® SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.

Note: The EMC Product Security Office has created a response for all RSA products. Refer to: https://community.rsa.com/docs/DOC-96325


CVE-2018-3620

L1 Terminal Fault: OS/SMM - Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.

Note: The EMC Product Security Office has created a response for all RSA products. Refer to: https://community.rsa.com/docs/DOC-96325


CVE-2018-13053

The alarm_timer_nsleep function in kernel/time/alarmtimer.c in the Linux kernel through 4.17.3 has an integer overflow via a large relative timeout because ktime_add_safe is not used.

Response: The flaw exists but does not create additional risk.

The RSA Authentication Manager appliance administrator is the only user able to log into the system and is already capable of obtaining full system privileges and having the same impact.


CVE-2018-13406

An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c in the Linux kernel before 4.17.4 could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used.

Response: The flaw exists but does not create additional risk.

The RSA Authentication Manager appliance administrator is the only user able to log into the system and is already capable of obtaining full system privileges and having the same impact.


CVE-2016-8405

An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31651010.

Response: The flaw does not exist.

The RSA Authentication Manager does not use this OS version or features.


CVE-2018-5814

In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and 4.4.133, multiple race condition errors when handling probe, disconnect, and rebind operations can be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets.

Response: The flaw exists but does not create additional risk.

The RSA Authentication Manager appliance administrator is the only user able to log into the system and is already capable of obtaining full system privileges and having the same impact.


CVE-2018-12233

In the ea_get function in fs/jfs/xattr.c in the Linux kernel through 4.17.1, a memory corruption bug in JFS can be triggered by calling setxattr twice with two different extended attribute names on the same file. This vulnerability can be triggered by an unprivileged user with the ability to create files and execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr.

Response: The flaw exists but cannot be exploited.

The RSA Authentication Manager appliance does not use this feature (Journaled File System).


CVE-2018-1000204

** DISPUTED ** Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to the userspace. This has been fixed upstream in https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 already. The problem has limited scope, as users don't usually have permissions to access SCSI devices. On the other hand, e.g. the Nero user manual suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible. NOTE: third parties dispute the relevance of this report, noting that the requirement for an attacker to have both the CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it "virtually impossible to exploit."

Response: The flaw exists but cannot be exploited.

The RSA Authentication Manager appliance does not have the required vulnerable configuration.


CVE-2017-13305

An information disclosure vulnerability in the Upstream kernel encrypted-keys. Product: Android. Versions: Android kernel. Android ID: A-70526974.

Response: The flaw does not exist.

The RSA Authentication Manager does not use this OS version or features.


CVE-2018-1130

Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in the dccp_write_xmit() function in net/dccp/output.c that allows a local user to cause a denial of service via a number of certain crafted system calls.

Response: The flaw exists but does not create additional risk.

The RSA Authentication Manager appliance administrator is the only user able to log into the system and is already capable of obtaining full system privileges and having the same impact.


CVE-2018-1068

A flaw was found in the Linux 4.x kernel's implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory.

Response: The flaw exists but does not create additional risk.

The RSA Authentication Manager appliance administrator is the only user able to log into the system and is already capable of obtaining full system privileges and having the same impact.


CVE-2018-5803

In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the "_sctp_make_chunk()" function (net/sctp/sm_make_chunk.c) when handling SCTP packets length can be exploited to cause a kernel crash.

Response: The flaw exists but does not create additional risk.

The RSA Authentication Manager appliance administrator is the only user able to log into the system and is already capable of obtaining full system privileges and having the same impact.


CVE-2018-7492

A NULL pointer dereference was found in the net/rds/rdma.c __rds_rdma_map() function in the Linux kernel before 4.14.7 allowing local attackers to cause a system panic and a denial-of-service, related to RDS_GET_MR and RDS_GET_MR_FOR_DEST.

Response: The flaw exists but does not create additional risk.

The RSA Authentication Manager appliance administrator is the only user able to log into the system and is already capable of obtaining full system privileges and having the same impact.


CVE-2018-1060

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.

Response: The flaw exists but cannot be exploited.

The RSA Authentication Manager appliance has no service running in python and no python application accepting untrusted code to allow the exploit. The customer would need to create or install their own vulnerable application.


CVE-2018-1061

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.

Response: The flaw exists but cannot be exploited.

The RSA Authentication Manager appliance has no service running in python and no python application accepting untrusted code to allow the exploit. The customer would need to create or install their own vulnerable application.


CVE-2016-5636

Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.

Response: The flaw exists but cannot be exploited.

The RSA Authentication Manager appliance has no service running in python and no python application accepting untrusted code to allow the exploit. The customer would need to create or install their own vulnerable application.


CVE-2018-0737

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).

OpenSSL.org:
https://www.openssl.org/news/secadv/20180416.txt

Response: The flaw exists but does not create additional risk.

The RSA Authentication Manager appliance administrator is the only user able to log into the system and is already capable of obtaining full system privileges and having the same impact.


Disclaimer
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, Dell EMC, distributes RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA, its affiliates or suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.