
RSA Key Manager SQL injection Vulnerability ( CVE-2010-1904 )


Product: RSA Key Manager
Vendor: EMC/RSA
Vulnerable Component: Key Manager Client
Vulnerable Component Version: 1.5.x
Vulnerability Type: SQL injection
Vendor Contact Date: 4/20/2010
Status: Vendor does not want to fix the vulnerability.

Vulnerability Details:
RSA Key Manager Client software uses an SQLite database to cache its encryption keys. The software fails to properly validate the metadata embedded inside of the RSA Key Manager encrypted data when it performs a key lookup while the encrypted data is being decrypted. An attacker can inject SQL commands into the metadata section of the RSA Key Manager encrypted data, which will be executed by the Key Manager Client software. For example, an attacker can inject SQL statements to modify existing encryption keys, remove existing encryption keys, add new encryption keys, etc.

The Key Manager client uses two types of cache: memory cache and file cache. As long as both or either of the caches are enabled the problem can be triggered easily.

RSA Key Manager Client 1.5.x uses the following format when it encrypts data:

Field 1 = KeyIdString
Field 2 = NULL Terminator
Field 3 = Encryption IV
Field 4 = Encrypted Data

Encryption Key Cache tables:

1. "ClassTable" [contains encryption key classes configured on the server]

classID     VARCHAR(255) PRIMARY KEY
keyID       VARCHAR(255) [current key id for this key class]
refreshTime INT UNSIGNED
updateTime  INT UNSIGNED

2. "ConfigTable" [includes kekhash - KEK, Key Encryption Key, hash]

3. "KeyTable" [holds the cached encryption keys]

keyID       VARCHAR(255) PRIMARY KEY
classID     VARCHAR(255)
keyData     BLOB
algorithm   VARCHAR(255) [usually "AES/CBC"]
refreshTime INT UNSIGNED
updateTime  INT UNSIGNED
Sample Injections:

Injecting the following SQL code results in a new encryption key in the Key Manager (client).

"; INSERT INTO KeyTable VALUES('1111','MyClass','MyKeyData','ABC',1000,2000);--

Injecting something like the SQL code below can be used to replace the encryption keys used by Key Manager.

"; UPDATE KeyTable SET keyData ='NewKeyData' WHERE classID='MyClass';--

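A hardened form of the key lookup described above, as an added example that is not part of the original advisory and is not RSA's code: it parses the four-field layout, allow-lists the KeyIdString, and binds it as a query parameter so it can never be read as SQL. The function names, the 16-byte IV length, the key ID character set and the sample row are assumptions made for illustration.

```python
import re
import sqlite3

IV_LEN = 16  # assumption: AES/CBC block size; the advisory does not state the IV length
KEY_ID_RE = re.compile(rb"[A-Za-z0-9_.-]{1,255}")  # assumed allow-list, capped at VARCHAR(255)

def parse_blob(blob: bytes):
    """Split KeyIdString | NULL terminator | IV | encrypted data (layout from the advisory)."""
    key_id, sep, rest = blob.partition(b"\x00")
    if not sep or len(rest) < IV_LEN:
        raise ValueError("truncated header")
    if not KEY_ID_RE.fullmatch(key_id):
        raise ValueError("key ID contains characters outside the allow-list")
    return key_id.decode("ascii"), rest[:IV_LEN], rest[IV_LEN:]

def lookup_key(db, key_id: str):
    """Bound parameter: key_id is always treated as data, never as SQL text."""
    return db.execute(
        "SELECT keyData, algorithm FROM KeyTable WHERE keyID = ?", (key_id,)
    ).fetchone()

def make_cache():
    """In-memory stand-in for the file cache, using the KeyTable columns from the advisory."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE KeyTable (keyID VARCHAR(255) PRIMARY KEY, classID VARCHAR(255),"
        " keyData BLOB, algorithm VARCHAR(255),"
        " refreshTime INT UNSIGNED, updateTime INT UNSIGNED)"
    )
    # Constructed sample row
    db.execute("INSERT INTO KeyTable VALUES ('K1','MyClass',x'00112233','AES/CBC',1000,2000)")
    return db

def snapshot(db):
    return db.execute("SELECT * FROM KeyTable ORDER BY keyID").fetchall()

if __name__ == "__main__":
    db = make_cache()
    before = snapshot(db)
    good = b"K1\x00" + bytes(IV_LEN) + b"ciphertext"  # constructed input
    key_id, iv, data = parse_blob(good)
    print("lookup:", lookup_key(db, key_id))
    # Metadata string taken from the advisory's second sample
    hostile = b"\"; UPDATE KeyTable SET keyData ='NewKeyData' WHERE classID='MyClass';--"
    try:
        parse_blob(hostile + b"\x00" + bytes(IV_LEN) + b"x")
    except ValueError as exc:
        print("rejected:", exc)
    # Even without the allow-list, the bound parameter only fails to match a row
    print("direct lookup:", lookup_key(db, hostile.decode("ascii")))
    print("cache unchanged:", snapshot(db) == before)
```

Either control alone stops the samples in the advisory; the allow-list additionally keeps malformed identifiers out of logs and cache keys.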