Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.1914
ESA-2016-070: RSA Authentication Manager Prime SelfService
Insecure Direct Object Reference Vulnerability
9 August 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: RSA Authentication Manager Prime
Publisher: EMC
Operating System: Windows
Red Hat
Virtualisation
Impact/Access: Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2016-0915
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ESA-2016-070: RSA® Authentication Manager Prime SelfService Insecure Direct Object Reference Vulnerability
EMC Identifier: ESA-2016-070
CVE Identifier: CVE-2016-0915
Severity Rating: CVSS v3 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
Affected Products:
· RSA Authentication Manager (AM) Prime Self-Service 3.0 and 3.1 versions prior to build version 1915
Summary:
RSA AM Prime Self-Service Portal contains a fix for an insecure direct object reference vulnerability that could potentially be exploited by malicious users to compromise the affected system.
Details:
RSA AM Prime Self-Service Portal could allow a malicious authenticated user (attacker) to replace his/her token serial number in a PIN change request with the token serial number of a victim user, which may change the PIN of the victim user to the PIN value specified by the attacker in the PIN change request. This may also deny victimÂ’s access to the system.
Recommendation:
The following RSA Authentication Manager Prime Self-Service release contains a fix for this vulnerability:
· RSA Authentication Manager Prime Self-Service version 3.1 1915.42871
RSA recommends all customers upgrade to the version listed above at the earliest opportunity.
Credit
RSA would like to thank Frank Gifford of Praetorian (https://praetorian.com/) for reporting this vulnerability.
Severity Rating:
For an explanation of Severity Ratings, refer to the Knowledge Base Article, “Security Advisories Severity Rating” at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated
Obtaining Download Instructions:
Contact RSA Customer Service to open a ticket to obtain the fixed version.
RSA Link: For product information, access to downloads, support and documentation, join RSA Link at support.rsa.com Each product has its own space that is your one stop for product support.
Note: In order to provide the best online support experience possible, we are moving all product support to RSA Link. To continue receiving product notifications, access to product downloads and documentation, please log into RSA Link with the same user name and password you use today for SecurCare Online (SCOL) and you will be added to RSA Link product advisories.
EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details. https://community.rsa.com/docs/DOC-40387
About RSA SecurCare Notes & Security Advisories Subscription
RSA SecurCare Notes & Security Advisories are targeted e-mail messages that RSA sends you based on the RSA product family you currently use. If youÂ’d like to stop receiving RSA SecurCare Notes & Security Advisories, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the instructions on the page, remove the check mark next to the applicable RSA product family . Click the Submit button to save your selection. Please note: by discontinuing these emails, you will not receive notifications of upgrades, outages, or fixes..
Sincerely,
RSA Customer Support
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)
iQEcBAEBAgAGBQJXqM98AAoJEHbcu+fsE81ZP4kH/3c6nNKNaW9DMOg1289duOAC
nvTunsamo4kynkp+4D79XDFXAAjFSTbNFS1o7LAq4tkXX2g1qWbokeeeLTybNc08
mQvxl/FavOv0IU8IILMu/SmSgbzpf1TVizVC+3GjufrtXLYidMvWJx5ofbQPZukI
oB++mECwQ1cfGNM31rrABkLQl9q2/wOqUbpLYZYNOo2jOL9vPDqlzWR9n8gYbu2N
eq6ceDkJ0/aWF/ZUQLxmYUfPe2VZBA7tpwo2P+ZqocfH7SApmfnWX0vhMVA4Zelv
5FgEPcdpAiHWQ1PunV79I9vLcczCaOCpVLB+YH8KgqhbZutRg8fKZp3dJNpC8PE=
=p1pU
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBV6kjkox+lLeg9Ub1AQhmTQ//YBQMWofJr27ki+8jhE6gaQj2DrTo95m/
ObjJ18SyJFXJLIK6fuGy7xY4HgtaDqUkJFbjaDV5OLu/OQu4lxHy+5VPWBbshq9i
wdXhoJLfzNiLl8zwZhecUJgnMZ7a8iWSZfd/rPA3A6ekBlYspTj4lCUUw2wD2JNN
2Cj/nu/SegIGp1TSOk/38Ek0g+anV+HSiAas2EFtd0kdCLO6mDroQdF7eVDNHbNc
ZW8KGd6TVAaib6q0ghvaEFBURyh8ZlnNuS+vqHV6wgRnZIg5mPKqJIxty/DPaAiJ
RIp+WcTyDhcJLzTgH9jDRjRV/hp8BWnaorNqN/rAAYSTzkDjBR77K4QZGj77gTNf
VwKjMdCKcVsiMQUJC8Lu03aGJuJk8Hy61guDcIXQ6aIXsh3YcuAjl/PE1La8Soaj
0QeonEJlZpimiUfuZtQe9ZkAJWhq7W7lop1htRJbd6X0Tso7agt5XBw0Ashw5QGe
qlzUtuRzIQi4dEAnzEPFTRtcAhhh6/hkSgoV73uJSXqaiBgYHX32FAZ9IHM68/vN
hLMOuOVltr965eqt1uLQ2tWGOTLDo6rTRYkiRhUFxuNZwh28+KYDKLYnmEFiy378
mxUWaP/rwPzdx11ENQaMeJG3IqP/gg4ELl3CWX2uy8u4/uFr/T2iqhGN2EnNiTLw
3SbXErwO6ZE=
=FNpI
-----END PGP SIGNATURE-----