RSA Authentication Agent for Web for IIS vulnerable to heap overflow via overly large "chunk"

Overview

RSA Authentication Agent for Web for IIS contains a heap overflow in the handling of chunked input. This could allow a remote, unauthenticated attacker to execute arbitrary code on the server.

Description

RSA Authentication Agent software provides access control for networks, web applications, and operating systems. It is used in conjunction with RSA SecurID Authenticators and Authentication Manager software.

RSA Authentication Agent for Web for IIS contains a heap overflow vulnerability. Using chunked transfer-encoding it is possible to overwrite portions of heap memory, allowing execution of arbitrary code. Exploit code for this vulnerability is publicly available.

---

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code with LocalSystem privileges on the vulnerable server.

---

Solution

Upgrade or patch
According to RSA Security:

To get this new patch and documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click "Downloads" in the left navigation menu. Then, click "Fixes by Product", click "RSA SecurID", and "Authentication Agent 5.x", and select the downloads and documentation that pertain to your environment.

---

Vendor Information

790533

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

RSA Security __ Unknown

Notified: May 06, 2005 Updated: May 11, 2005

Status

Unknown

Vendor Statement

RSA Security has recently discovered and fixed a potential security vulnerability in the following RSA Authentication Agent for Web software:

- RSA Authentication Agent 5.3 for Web for IIS

This issue has been addressed and thoroughly qualified by RSA Security. RSA Security is not aware of any security breaches resulting from this vulnerability.

Description:

- The RSA Authentication Agent for Web 5.3 for IIS can be exploited with a heap overflow condition

Implication:

- A heap overflow condition causes IIS to crash on Windows 2000

Action Taken by RSA Security:

RSA has created a security patch to eliminate this vulnerability to be applied to the following:

- RSA Authentication Agent 5.3 for Web for IIS

Recommendation:

RSA Security recommends that all customers currently using RSA Authentication Agents 5.3 for Web software apply the security patches available now on the RSA SecurCare Online site. Doing so eliminates this vulnerability.

Getting Security Fixes:

To get this new patch and documentation, log on to RSA SecurCare Online at <https://knowledge.rsasecurity.com> and click “Downloads” in the left navigation menu. Then, click “Fixes by Product”, click “RSA SecurID”, and “Authentication Agent 5.x”, and select the downloads and documentation that pertain to your environment.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23790533 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <https://knowledge.rsasecurity.com>
• <http://secunia.com/advisories/15222&gt;
• <http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.6.1&gt;
• <http://www.securityfocus.com/bid/13524&gt;
• <http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0039.html&gt;
• http://www.rsasecurity.com/node.asp?id=2807&node_id
• <http://www.securityfocus.com/bid/13524&gt;

Acknowledgements

This vulnerability was reported by Gary O’leary-Steele of Sec-1.

This document was written by Will Dormann, based on the Sec-1 security advisory .

Other Information

CVE IDs:	CVE-2005-1471
Severity Metric:	15.75 Date Public: