Sunday, October 10, 2010

RSA Authentication Client: information disclosure

Users of RSA Authentication Client, please be advised that an information disclosure vulnerability has been identified in the product.

For details of this vulnerability, possible remedies, and other advisories, see the Security Advisories page at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx).

Quoted from www.criticalwatch.com:

ESA-2010-018: RSA Authentication Client information disclosure

Affected Products:

Any version of RSA Authentication Client, when used with RSA SecurID 800 authenticators to store secret key objects tagged as SENSITIVE and NON-EXTRACTABLE.


Description:

CVE Identifier: CVE-2010-3321

RSA Authentication Client can be used to store secret key objects on an RSA SecurID 800 hybrid authenticator through the PKCS#11 API. Under the PKCS#11 specification, a secret key object tagged as SENSITIVE (CKA_SENSITIVE = TRUE) must not reveal its key value, and one tagged as NON-EXTRACTABLE (CKA_EXTRACTABLE = FALSE) must not be wrapped or otherwise exported from the device. These attributes guard against a key being used in a way the application developer did not intend, for example a user copying the key to another device. Affected versions of RSA Authentication Client ignore the SENSITIVE and NON-EXTRACTABLE tags on secret key objects and allow those objects to be extracted by a properly authenticated user.
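The following is an added illustration, not code from the advisory, from RSA, or from Critical Watch. It models the two PKCS#11 rules the advisory relies on (a SENSITIVE key refuses to return CKA_VALUE with CKR_ATTRIBUTE_SENSITIVE, and a NON-EXTRACTABLE key refuses C_WrapKey with CKR_KEY_UNEXTRACTABLE) with two in-memory stand-in tokens, one that enforces them and one that stores the tags but never consults them, which is the behaviour described above. The probe at the end is the check a practitioner would run against a real token: create a key with both tags set, then try both extraction paths and report whether either succeeded. The token classes, the toy XOR "wrap" and the function names are assumptions made for the example; the attribute and return-code values are the ones from the PKCS#11 v2.20 specification.

```python
import os

# Selected PKCS#11 v2.20 attribute and return-code constants (values as in the spec).
CKA_VALUE = 0x0011
CKA_SENSITIVE = 0x0103
CKA_EXTRACTABLE = 0x0162
CKR_OK = 0x0000
CKR_ATTRIBUTE_SENSITIVE = 0x0011
CKR_KEY_UNEXTRACTABLE = 0x006A


def _toy_wrap(kek, value):
    """Stand-in for a real key-wrap mechanism: XOR with the repeated KEK.
    Exists only so C_WrapKey has something to return; it is not a secure wrap."""
    return bytes(v ^ kek[i % len(kek)] for i, v in enumerate(value))


class CompliantToken:
    """In-memory stand-in for a token that enforces the PKCS#11 rules:
    CKA_SENSITIVE hides CKA_VALUE, and CKA_EXTRACTABLE = FALSE blocks C_WrapKey."""

    def __init__(self):
        self._objects = {}
        self._next_handle = 1

    def C_CreateObject(self, template):
        handle = self._next_handle
        self._next_handle += 1
        self._objects[handle] = dict(template)
        return handle

    def C_GetAttributeValue(self, handle, attr):
        obj = self._objects[handle]
        if attr == CKA_VALUE and obj.get(CKA_SENSITIVE, False):
            return CKR_ATTRIBUTE_SENSITIVE, None
        return CKR_OK, obj.get(attr)

    def C_WrapKey(self, wrapping_handle, handle):
        obj = self._objects[handle]
        if not obj.get(CKA_EXTRACTABLE, True):
            return CKR_KEY_UNEXTRACTABLE, None
        kek = self._objects[wrapping_handle][CKA_VALUE]
        return CKR_OK, _toy_wrap(kek, obj[CKA_VALUE])


class FlawedToken(CompliantToken):
    """Models the behaviour the advisory describes: the tags are stored on the
    object but never checked, so any authenticated caller can pull the key out."""

    def C_GetAttributeValue(self, handle, attr):
        return CKR_OK, self._objects[handle].get(attr)

    def C_WrapKey(self, wrapping_handle, handle):
        kek = self._objects[wrapping_handle][CKA_VALUE]
        return CKR_OK, _toy_wrap(kek, self._objects[handle][CKA_VALUE])


def probe_token(token):
    """Create a SENSITIVE, NON-EXTRACTABLE secret key and try both extraction
    paths. Returns which paths leaked; a compliant token leaks on neither."""
    secret = os.urandom(16)  # constructed test key material
    victim = token.C_CreateObject({
        CKA_VALUE: secret,
        CKA_SENSITIVE: True,
        CKA_EXTRACTABLE: False,
    })
    # A second, deliberately exportable key to act as the wrapping key.
    kek = token.C_CreateObject({
        CKA_VALUE: os.urandom(16),
        CKA_SENSITIVE: False,
        CKA_EXTRACTABLE: True,
    })

    rc_read, value = token.C_GetAttributeValue(victim, CKA_VALUE)
    rc_wrap, wrapped = token.C_WrapKey(kek, victim)

    findings = {
        "value_readable": rc_read == CKR_OK and value == secret,
        "wrappable": rc_wrap == CKR_OK and wrapped is not None,
    }
    findings["leaks"] = findings["value_readable"] or findings["wrappable"]
    return findings


if __name__ == "__main__":
    for cls in (CompliantToken, FlawedToken):
        print(cls.__name__, probe_token(cls()))
```

Against a real device the same probe is issued through the vendor's PKCS#11 library (C_Login as the user, C_CreateObject or C_GenerateKey with both attributes set, then C_GetAttributeValue on CKA_VALUE and C_WrapKey with any wrapping key); any CKR_OK from either call on such an object means the token or middleware is not honouring the tags.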
 
