Feeds

SSL toolkit flaw poses risk

RSA patch

  • alert
  • submit to reddit

Remote control for virtualized desktops

A vulnerability has been discovered in versions of software development toolkits from RSA Security, which could allow an attacker to bypass SSL client authentication.

In a security notice on the issue, RSA said the vulnerability meant that hackers "might potentially gain access to data intended only for authorised users". The company has a patch and it advises customers to apply this to affected software.

Due to a bug in the SSL (Secure Socket Layer) session cacheing feature implemented in RSA BSAFE SSL-J versions 3.x, unauthorised clients may be able to impersonate authorised clients, RSA confirms.

The problem does not affect clients nor does it impact the performance of servers which do not use client authentication. But the vulnerability is noteworthy because it affects commonly used-cryptographic protection techniques.

It's been discovered that (with use of the vulnerable software libraries) if an error occurs while the handshake is being performed, the session key is, under certain conditions, stored in the cache when it should be discarded.

Once cached, this session key can be used by an attacker to cause a server to skip the full client authentication scheme, and use a much shorter sign-on procedure.

The SSL protocol provides for caching of SSL sessions between subsequent connections by the same user; this speeds up connections and lower processing overhead in most cases. The flaw would not give a user root access to a server.

The issue affects RSA BSAFE SSL-J 3.0, 3.01 and 3.1 and Cisco Internet Content Distribution Network 2.0 (because of its use of the toolkit). Users of RSA BSAFE SSL-J 1.x and 2.x are unaffected, as are RSA customers using BSAFE SSL-J 3.1.1 or 4.0 beta 2 and higher. ®

External links

RSA Security Bulletin
Cisco advice to iCDN network

Related Stories

Secure the Wireless Network firmware
RSA poses $200,000 crypto challenge
RSA takes a long-term risk on safety
Internet security firm RSA's Web site hacked

Remote control for virtualized desktops

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The Heartbleed Bug: how to protect your business with Symantec
What happens when the next Heartbleed (or worse) comes along, and what can you do to weather another chapter in an all-too-familiar string of debilitating attacks?