Error handling in RSA Authentication Agent SDK and RSA Authentication Agent API - CVE-2017-14378

Published: November 29, 2017


Vulnerability identifier: #VU9443
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-14378
CWE-ID: CWE-388
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: RSA
Affected software:
RSA Authentication Agent SDK
RSA Authentication Agent API

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication on the target system.

The weakness exists in RSA Authentication Agent for Web for Apache Web Server due to improper handling of the return codes produced by the RSA Authentication Agent API/SDK. A remote attacker can trigger an error condition in that return-code handling and bypass authentication.
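The class of defect named by CWE-388 is a caller that reacts to one or two specific return codes and lets every other outcome fall through to the "allowed" path. The following C program is an added illustration of that pattern beside a fail-closed version; it is not code from RSA or from the Authentication Agent SDK, and the `auth_rc` enum, its values and the `sdk_authenticate_stub` function are constructed placeholders, not the SDK's real constants or entry points.

```c
#include <stdio.h>

/* Constructed return codes for a generic authentication SDK (assumption:
 * these names and values are NOT the RSA Authentication Agent API's own). */
enum auth_rc {
    AUTH_OK = 0,            /* credentials verified, grant access */
    AUTH_ACCESS_DENIED = 1, /* credentials rejected */
    AUTH_NEXT_TOKEN = 2,    /* server needs a further token before deciding */
    AUTH_SERVER_ERROR = 3   /* could not reach or talk to the server */
};

/* Stand-in for the SDK call. The caller scripts the outcome so each
 * return code can be exercised offline. */
static int sdk_authenticate_stub(int scripted_rc)
{
    return scripted_rc;
}

/* Weak handling (CWE-388): only the explicit "denied" code is treated as a
 * failure, so pending, transport-error and unknown codes all fall through
 * to the success path. Returns 1 if the request would be allowed. */
int allow_request_weak(int scripted_rc)
{
    int rc = sdk_authenticate_stub(scripted_rc);
    if (rc == AUTH_ACCESS_DENIED)
        return 0;
    return 1; /* fail-open: anything that is not "denied" is allowed */
}

/* Fail-closed handling: access is granted only on the one explicit
 * success code; every other value, including codes the caller does not
 * recognise, denies and is logged for the operator. */
int allow_request_fail_closed(int scripted_rc)
{
    int rc = sdk_authenticate_stub(scripted_rc);
    switch (rc) {
    case AUTH_OK:
        return 1;
    case AUTH_ACCESS_DENIED:
    case AUTH_NEXT_TOKEN:
    case AUTH_SERVER_ERROR:
        return 0;
    default:
        fprintf(stderr, "unexpected auth return code %d, denying\n", rc);
        return 0;
    }
}

int main(void)
{
    /* Constructed sample outcomes, including an unknown code (99). */
    const int samples[] = { AUTH_OK, AUTH_ACCESS_DENIED, AUTH_NEXT_TOKEN,
                            AUTH_SERVER_ERROR, 99 };
    size_t i;

    printf("%-6s %-6s %-12s\n", "rc", "weak", "fail-closed");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-6d %-6d %-12d\n", samples[i],
               allow_request_weak(samples[i]),
               allow_request_fail_closed(samples[i]));
    }
    return 0;
}
```

The detection side of this is the `default:` branch: a code the caller does not recognise should both deny and leave a log line, because a burst of unexpected return codes from the agent is the signal a defender would want before anyone relies on the fall-through behaviour.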


How to mitigate CVE-2017-14378

Install the update from the vendor's website (RSA Authentication Agent API 8.5.1 for C, RSA Authentication Agent SDK 8.6.1 for C).

Sources