lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 8 Jun 2010 16:06:02 -0400
From: Kyle Quest <kyle.c.quest@...mail.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: RSA Key Manager SQL injection Vulnerability ( CVE-2010-1904 )


The only problem is that the upgrade is not free, so you either pay up or stay vulnerable.

> Date: Sat, 5 Jun 2010 08:38:55 -0600
> From: security_alert@....com
> To: bugtraq@...urityfocus.com
> Subject: Re: RSA Key Manager SQL injection Vulnerability ( CVE-2010-1904 )
> 
> What is the issue?
> 
> This message is in response to the original message posted on June 3, 2010 addressing a SQL Injection vulnerability in the RSA Key Manager C Client version 1.5.  The original message referenced CVE-2010-1904.
> 
> A vulnerability has been identified in the RSA Key Manager (RKM) C client 1.5 that may expose the product to a SQL Injection attack. An attacker having access to encrypted data may be able to leverage this vulnerability in an attempt to alter the RKM C Client 1.5 cache.
> 
> Affected Products:
> RKM C Client versions 1.5.x.x, all platforms (Windows, Linux, Solaris, HP-UX, etc).
> 
> Unaffected Products:
> RKM C Client 2.0.x, all platforms
> RKM C Client 2.1.x, all platforms
> RKM C Client 2.2.x, all platforms
> RKM C Client 2.5.x, all platforms
> RKM C Client 2.7, all platforms
> All versions of RKM Java Client
> RKM PKCS#11 Module for LT0-4
> RKM PKCS#11 Module for Oracle TDE
> RKM Server, all versions and platforms
> RKM Appliance, all versions
> Customer using EMC PowerPath with RSA encryption
> Customer using Brocade Encryption Switches with RSA encryption
> 
> What is the impact?
> An attacker can attempt to modify the cache to insert an arbitrary encryption key that may lead to data unavailability (such as decryption failure of data encrypted by that modified key). 
> 
> There is no impact on confidentiality of the data as the attacker would need the cache encryption key in order to decrypt the data.
> 
> As of the date of this posting, RSA is not aware of any instances where this vulnerability may have been compromised nor are there signs of published exploit code.
> 
> Recommendations
> 
> RSA, The Security Division of EMC, recommends all customers upgrade to the latest version of RKM C Client and RKM Server/Appliance.
> 
> 
> 
> EMC Product Security Response Center
> Email: security_alert@....com 
 		 	   		  
_________________________________________________________________
The New Busy is not the too busy. Combine all your e-mail accounts with Hotmail.
http://www.windowslive.com/campaign/thenewbusy?tile=multiaccount&ocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ