Freely subscribe to our NEWSLETTER

This bulletin was written by Vigil@nce : http://vigilance.fr/

SYNTHESIS OF THE VULNERABILITY

When the RSA Authentication Client stores a secret key in an RSA
SecurID 800 Authenticator, an attacker can read it.

– Severity: 2/4
– Creation date: 07/10/2010

DESCRIPTION OF THE VULNERABILITY

The PKCS#11 interface uses the SENSITIVE and NON-EXTRACTABLE
attributes to indicate that an object contains sensitive
information which cannot be read.

The RSA Authentication Client product can store secret keys in an
RSA SecurID 800 Authenticator, using the PKCS#11 API. However, the
SENSITIVE and NON-EXTRACTABLE attributes are not set. An attacker
can therefore extract secret information stored in the RSA SecurID
800 Authenticator.

When the RSA Authentication Client stores a secret key in an RSA
SecurID 800 Authenticator, an attacker can therefore read it.

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/RSA-Authentication-Client-disclosure-of-secret-keys-10009