RSA SecurID admin console can issue emergency access to decent social engineers
Put the management interface behind the firewall, pronto
Stop us if you've heard this one: an emergency access feature offered by RSA for SecurID token customers isn't completely secure.
That's the opinion of pentest outfit Netspi, whose Alexander Leary worked out how to abuse the SecurID Emergency Access Tokencodes (EAT).
The use-once codes are intended to provide a temporary access mechanism for someone whose SecurID token fails or is lost: it's a “backup code that is randomly generated on the RSA server that works for a set period, typically a week or so”, Leary writes.
The problem is this: so that sysadmins aren't distracted by user requests for temporary IDs (“oh, you know, I left it in my other coat”), the SecurID console has a self-service option so users can get their own EATs.
If the user is relying solely on a SecurID token – and if the console is integrated with LDAP – the attacker only needs sufficient social engineering skills (“After compromising a user's account who had access to the CDE, I was able to log into the RSA console using their Active Directory username and password”) to get hold of the user's login identity; the console then helps you navigate to the relevant support page to get your temporary token.
Users might have set PINs, but the console's helpful there as well: Netspi reckons the number of false attempts in the “reset PIN” function isn't limited, so it's brute-forceable. Lovely.
So far, however, compromising the system rests on compromising a legitimate user. Where it gets more interesting, Leary writes, is if you have a username but not a password – because the console's password-reset is based on the provably secure (not really) technique of security questions: there are three available per user.
Any moderately accomplished black-or-white-hat is probably schooled in Googling people's online profiles to get a shot at guessing stuff like mother's maiden name, childhood pet cat or dog, and the like, so Netspi reckons this isn't sufficiently secure.
Until it's fixed (The Register has asked RSA for comment, but hasn't heard back), Netspi reckons the best idea is to avoid exposing the console to the Internet – because systems visible to the outside world are already indexed in Shodan, and can be Googled up with the terms "Self-Service Console – Home". ®