SecurityTracker.com

Category:   Application (Security)  >   RSA Authentication Manager
Vendors:   RSA
RSA Authentication Manager Prime Self-Service Portal Direct Object Reference Flaw Lets Remote Authenticated Users Modify the Target User's PIN Data
SecurityTracker Alert ID:  1036557
SecurityTracker URL:  http://securitytracker.com/id/1036557
CVE Reference:   CVE-2016-0915
Date:  Aug 9 2016
Impact:   Denial of service via network, Modification of authentication information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): Prime Self-Service 3.0, 3.1
Description:   A vulnerability was reported in RSA Authentication Manager Prime Self-Service Portal. A remote authenticated user can modify authentication data on the target system.

A remote authenticated user can submit a PIN change request with the token serial number of a target user to trigger an insecure direct object reference flaw and modify the PIN of the target user to an arbitrary value. This may also prevent the target user from accessing the system.

Frank Gifford of Praetorian reported this vulnerability.
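
The access check that this class of flaw lacks, shown as an added example. It is not RSA's code, not the vendor's fix, and not part of the original advisory. The names TokenStore, change_pin and the serial values in use are hypothetical, and the model assumes the server already knows the authenticated session user.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


class Forbidden(Exception):
    """Caller is not the assigned owner of the referenced token."""


@dataclass
class Token:
    owner: str       # user the token is assigned to (server-side record)
    salt: bytes
    pin_hash: bytes


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TokenStore:
    """Hypothetical stand-in for a self-service portal's token backend."""

    def __init__(self):
        self._tokens = {}
        self.audit = []  # (actor, serial, outcome) tuples for detection

    def enroll(self, serial, owner, pin):
        salt = os.urandom(16)
        self._tokens[serial] = Token(owner, salt, _hash_pin(pin, salt))

    def check_pin(self, serial, pin):
        t = self._tokens[serial]
        return hmac.compare_digest(t.pin_hash, _hash_pin(pin, t.salt))

    def change_pin_insecure(self, session_user, serial, new_pin):
        # Insecure direct object reference: the serial from the request is
        # the only selector; session_user is never compared to the owner.
        t = self._tokens[serial]
        t.pin_hash = _hash_pin(new_pin, t.salt)

    def change_pin(self, session_user, serial, new_pin):
        t = self._tokens.get(serial)
        # Unknown and foreign serials fail identically, so the response
        # does not reveal which serial numbers exist.
        if t is None or t.owner != session_user:
            self.audit.append((session_user, serial, "denied"))
            raise Forbidden("token not assigned to caller")
        t.pin_hash = _hash_pin(new_pin, t.salt)
        self.audit.append((session_user, serial, "changed"))
```

The "denied" audit entries are the detection signal: an authenticated user submitting PIN changes for serial numbers not assigned to them.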

Impact:   A remote authenticated user can modify the PIN of a target user.

A remote authenticated user can prevent the target user from accessing the system.

Solution:   The vendor has issued a fix (3.1 1915.42871; Advisory ESA-2016-070).
Vendor URL:  www.emc.com/
Cause:   Access control error

Message History:   None.



Copyright 2019, SecurityGlobal.net LLC