Feeds

SSL toolkit flaw poses risk

RSA patch

  • alert
  • submit to reddit

Intelligent flash storage arrays

A vulnerability has been discovered in versions of software development toolkits from RSA Security, which could allow an attacker to bypass SSL client authentication.

In a security notice on the issue, RSA said the vulnerability meant that hackers "might potentially gain access to data intended only for authorised users". The company has a patch and it advises customers to apply this to affected software.

Due to a bug in the SSL (Secure Socket Layer) session cacheing feature implemented in RSA BSAFE SSL-J versions 3.x, unauthorised clients may be able to impersonate authorised clients, RSA confirms.

The problem does not affect clients nor does it impact the performance of servers which do not use client authentication. But the vulnerability is noteworthy because it affects commonly used-cryptographic protection techniques.

It's been discovered that (with use of the vulnerable software libraries) if an error occurs while the handshake is being performed, the session key is, under certain conditions, stored in the cache when it should be discarded.

Once cached, this session key can be used by an attacker to cause a server to skip the full client authentication scheme, and use a much shorter sign-on procedure.

The SSL protocol provides for caching of SSL sessions between subsequent connections by the same user; this speeds up connections and lower processing overhead in most cases. The flaw would not give a user root access to a server.

The issue affects RSA BSAFE SSL-J 3.0, 3.01 and 3.1 and Cisco Internet Content Distribution Network 2.0 (because of its use of the toolkit). Users of RSA BSAFE SSL-J 1.x and 2.x are unaffected, as are RSA customers using BSAFE SSL-J 3.1.1 or 4.0 beta 2 and higher. ®

External links

RSA Security Bulletin
Cisco advice to iCDN network

Related Stories

Secure the Wireless Network firmware
RSA poses $200,000 crypto challenge
RSA takes a long-term risk on safety
Internet security firm RSA's Web site hacked

Top 5 reasons to deploy VMware with Tegile

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.