Heap Inspection in RSA BSAFE Micro Edition Suite

#VU21468 Heap Inspection in RSA BSAFE Micro Edition Suite

Published: 2019-10-01

Vulnerability identifier: #VU21468

Vulnerability risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-11055

CWE-ID: CWE-244

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
RSA BSAFE Micro Edition Suite
Client/Desktop applications / Other client software

Vendor: Dell

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the decoded PKCS #12 data in heap memory is not zeroized by MES before releasing the memory internally. A local authenticated user can gain access to the unauthorized data.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

RSA BSAFE Micro Edition Suite: 4.0.0 - 4.1.6

External links
http://seclists.org/fulldisclosure/2018/Aug/46
http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in RSA BSAFE Micro Edition Suite