SB2017112908 - Authentication bypass in RSA Authentication Agent



Published: November 29, 2017

Security Bulletin ID: SB2017112908
Severity: Low
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Authentication bypass (CVE-ID: CVE-2017-14377)

The vulnerability allows a remote attacker to bypass authentication on the target system.

The weakness exists in RSA Authentication Agent for Web for Apache Web Server due to an input validation flaw. A remote attacker can supply specially crafted data and gain access to resources ostensibly protected by the target agent.


2) Error handling (CVE-ID: CVE-2017-14378)

The vulnerability allows a remote attacker to bypass authentication on the target system.

The weakness exists in RSA Authentication Agent for Web for Apache Web Server due to improper handling of return codes from the API/SDK. A remote attacker can trigger an error handling flaw and bypass authentication.


Remediation

Install the update from the vendor's website.