Bugtraq mailing list archives

RE: RSA Key Manager SQL injection Vulnerability ( CVE-2010-1904 )


From: Kyle Quest <kyle.c.quest () hotmail com>
Date: Tue, 8 Jun 2010 16:06:02 -0400


The only problem is that the upgrade is not free, so you either pay up or stay vulnerable.

Date: Sat, 5 Jun 2010 08:38:55 -0600
From: security_alert () emc com
To: bugtraq () securityfocus com
Subject: Re: RSA Key Manager SQL injection Vulnerability ( CVE-2010-1904 )

What is the issue?

This message is in response to the original message posted on June 3, 2010 addressing a SQL Injection vulnerability
in the RSA Key Manager C Client version 1.5. The original message referenced CVE-2010-1904.

A vulnerability has been identified in the RSA Key Manager (RKM) C client 1.5 that may expose the product to a SQL 
Injection attack. An attacker having access to encrypted data may be able to leverage this vulnerability in an 
attempt to alter the RKM C Client 1.5 cache.

Affected Products:
RKM C Client versions 1.5.x.x, all platforms (Windows, Linux, Solaris, HP-UX, etc).

Unaffected Products:
RKM C Client 2.0.x, all platforms
RKM C Client 2.1.x, all platforms
RKM C Client 2.2.x, all platforms
RKM C Client 2.5.x, all platforms
RKM C Client 2.7, all platforms
All versions of RKM Java Client
RKM PKCS#11 Module for LTO-4
RKM PKCS#11 Module for Oracle TDE
RKM Server, all versions and platforms
RKM Appliance, all versions
Customers using EMC PowerPath with RSA encryption
Customers using Brocade Encryption Switches with RSA encryption

What is the impact?
An attacker can attempt to modify the cache to insert an arbitrary encryption key that may lead to data 
unavailability (such as decryption failure of data encrypted by that modified key). 

There is no impact on confidentiality of the data as the attacker would need the cache encryption key in order to 
decrypt the data.

As of the date of this posting, RSA is not aware of any instances where this vulnerability may have been compromised 
nor are there signs of published exploit code.

Recommendations

RSA, The Security Division of EMC, recommends all customers upgrade to the latest version of RKM C Client and RKM 
Server/Appliance.

EMC Product Security Response Center
Email: security_alert () emc com 