RSA Authentication Manager Insecure Direct Object Reference
Posted Aug 8, 2016
Site emc.com

RSA AM Prime Self-Service Portal could allow a malicious authenticated user (attacker) to replace his/her token serial number in a PIN change request with the token serial number of a victim user, which may change the PIN of the victim user to the PIN value specified by the attacker in the PIN change request. This may also deny the victim's access to the system. Versions 3.0 and 3.1 prior to build version 1915 are affected.

tags | advisory
advisories | CVE-2016-0915
SHA-256 | e4b587fc929e99c40943704d1e48d72544d2b5e89ff4beb76fa5d193ca13555d


ESA-2016-070: RSA® Authentication Manager Prime Self-Service Insecure Direct Object Reference Vulnerability

EMC Identifier: ESA-2016-070

CVE Identifier: CVE-2016-0915

Severity Rating: CVSS v3 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)

Affected Products:
* RSA Authentication Manager (AM) Prime Self-Service 3.0 and 3.1 versions prior to build version 1915

Summary:
RSA AM Prime Self-Service Portal contains a fix for an insecure direct object reference vulnerability that could potentially be exploited by malicious users to compromise the affected system.

Details:
RSA AM Prime Self-Service Portal could allow a malicious authenticated user (attacker) to replace his/her token serial number in a PIN change request with the token serial number of a victim user, which may change the PIN of the victim user to the PIN value specified by the attacker in the PIN change request. This may also deny victims access to the system.
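The flaw described above is a missing server-side ownership check on the token serial carried in the PIN change request. The following is an added illustration, not RSA's code, using a constructed in-memory model of users, tokens and PINs (names and serial numbers are made up): the first handler shows the insecure direct object reference pattern, the second resolves token ownership from the server's own records and refuses a serial that is not bound to the logged-in user, writing an audit entry that a SOC can alert on.

```python
from dataclasses import dataclass

# Constructed sample data: which user owns which token serial number.
# Serial numbers and user names are made up for this example.
TOKEN_OWNERS = {
    "000123456789": "alice",
    "000987654321": "bob",
}

# Constructed PIN store, keyed by token serial.
PINS = {"000123456789": "1111", "000987654321": "2222"}

# Constructed audit trail; a real portal would write to its audit log.
AUDIT_LOG: list = []


@dataclass
class PinChangeRequest:
    """A self-service PIN change as submitted by the browser (constructed model)."""
    session_user: str   # identity established by the portal login, not by the request body
    token_serial: str   # token serial carried in the request body (client-controlled)
    new_pin: str


class AuthorizationError(Exception):
    pass


def change_pin_vulnerable(req: PinChangeRequest) -> None:
    """The IDOR pattern the advisory describes: the handler trusts the
    client-supplied serial and never checks that it belongs to the
    logged-in user, so the PIN of any token can be overwritten."""
    PINS[req.token_serial] = req.new_pin


def change_pin_fixed(req: PinChangeRequest) -> None:
    """Hardened handler: look up ownership server-side and refuse any
    serial that is not assigned to the session user. The decision uses
    the server's own record, never a value taken from the request."""
    owner = TOKEN_OWNERS.get(req.token_serial)
    if owner != req.session_user:
        # Record the mismatch: repeated denials for one session are a detection signal.
        AUDIT_LOG.append(("pin_change_denied", req.session_user, req.token_serial))
        raise AuthorizationError("token serial not assigned to session user")
    PINS[req.token_serial] = req.new_pin
    AUDIT_LOG.append(("pin_change_ok", req.session_user, req.token_serial))
```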
Recommendation:
The following RSA Authentication Manager Prime Self-Service release contains a fix for this vulnerability:
* RSA Authentication Manager Prime Self-Service version 3.1 1915.42871
RSA recommends all customers upgrade to the version listed above at the earliest opportunity.

Credit:
RSA would like to thank Frank Gifford of Praetorian (https://praetorian.com/) for reporting this vulnerability.

Severity Rating:
For an explanation of Severity Ratings, refer to the Knowledge Base Article, Security Advisories Severity Rating at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated

Obtaining Download Instructions:
Contact RSA Customer Service to open a ticket to obtain the fixed version.

RSA Link: For product information, access to downloads, support and documentation, join RSA Link at support.rsa.com. Each product has its own space that is your one stop for product support.

Note: In order to provide the best online support experience possible, we are moving all product support to RSA Link. To continue receiving product notifications, access to product downloads and documentation, please log into RSA Link with the same user name and password you use today for SecurCare Online (SCOL) and you will be added to RSA Link product advisories.

EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details. https://community.rsa.com/docs/DOC-40387

About RSA SecurCare Notes & Security Advisories Subscription
RSA SecurCare Notes & Security Advisories are targeted e-mail messages that RSA sends you based on the RSA product family you currently use. If you'd like to stop receiving RSA SecurCare Notes & Security Advisories, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the instructions on the page, remove the check mark next to the applicable RSA product family. Click the Submit button to save your selection. Please note: by discontinuing these emails, you will not receive notifications of upgrades, outages, or fixes.

Sincerely,
RSA Customer Support