lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 5 Jun 2010 09:08:26 -0400
From: <Security_Alert@....com>
To: <full-disclosure@...ts.grok.org.uk>
Cc: Security_Alert@....com
Subject: Re: RSA Key Manager SQL injection Vulnerability (
	CVE-2010-1904 )

What is the issue?

This message is in response to the original message posted on June 3,
2010 addressing a SQL Injection vulnerability in the RSA Key Manager C
Client version 1.5.  The original message referenced CVE-2010-1904.

A vulnerability has been identified in the RSA Key Manager (RKM) C
client 1.5 that may expose the product to a SQL Injection attack. An
attacker having access to encrypted data may be able to leverage this
vulnerability in an attempt to alter the RKM C Client 1.5 cache.

Affected Products:
RKM C Client versions 1.5.x.x, all platforms (Windows, Linux, Solaris,
HP-UX, etc).

Unaffected Products:
RKM C Client 2.0.x, all platforms
RKM C Client 2.1.x, all platforms
RKM C Client 2.2.x, all platforms
RKM C Client 2.5.x, all platforms
RKM C Client 2.7, all platforms
All versions of RKM Java Client
RKM PKCS#11 Module for LT0-4
RKM PKCS#11 Module for Oracle TDE
RKM Server, all versions and platforms
RKM Appliance, all versions
Customer using EMC PowerPath with RSA encryption
Customer using Brocade Encryption Switches with RSA encryption

What is the impact?
An attacker can attempt to modify the cache to insert an arbitrary
encryption key that may lead to data unavailability (such as decryption
failure of data encrypted by that modified key). 

There is no impact on confidentiality of the data as the attacker would
need the cache encryption key in order to decrypt the data.

As of the date of this posting, RSA is not aware of any instances where
this vulnerability may have been compromised nor are there signs of
published exploit code.

Recommendations

RSA, The Security Division of EMC, recommends all customers upgrade to
the latest version of RKM C Client and RKM Server/Appliance.



EMC Product Security Response Center
Email: security_alert@....com 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ