Feeds

RSA WebID agent can't read Unicode

Get your patch now

  • alert
  • submit to reddit

SANS - Survey on application security programs

Updated RSA's Internet authentication product can be bypassed using a combination of Unicode characters which IIS recognises but RSA's security technology fails to decode.

RSA's WebID agent is supposed to deny access to a corporate intranet until a user is properly authenticated by a SecurID server.

The potentially serious security vulnerability in RSA's product was discovered by ProCheckUp, a UK security consultancy. That is at least according to CERT, but not RSA which said it informed customers of the issue and put out a fix back in July (see below).

In any case, a variation of the same Unicode directory transversal-style exploit would allow a hacker to obtain a directory listing on vulnerable systems. Hackers could knock up a url string featuring Unicode characters that would trick the url filter on RSA's WebID agent and bypass the security software.

Richard Brain, technical director of ProCheckUp, said the vulnerability meant that unauthenticated users could be able to read files and even execute programs on a supposedly secure server.

The issue is important because the Web agent of SecurID is used by government organisations and the like to secure access to intranets or for Outlook Web access.

RSA Security has issued a new release of the C libraries used in SecurID which guards against the flaw, according to ProCheckUp.

Users are advised to get the latest version ACE/Agent for Windows (4.4.3.) or ACE/Agent for Windows 2000 (1.1.2) to protect themselves against the vulnerability. This software can be obtained from the SecureCare online portion of RSA's Web site, which only its customers can access.

Updated

RSA Security has finally been in touch (after a week) to say that it discovered the vulnerability back in July and that ProCheckUp issued its alert without consulting it. This sits oddly with CERT's October 24 alert on the vulnerability and RSA didn't have an immediate explanation of this. ®

Related Link

Security bulletins on the issue by ProCheckUp

Related Stories

Pain in the RSA
SSL toolkit flaw poses risk
RSA takes a long-term risk on safety
RSA poses $200,000 crypto challenge
Internet security firm RSA's Web site hacked

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.