RSA SecurID admin console can issue emergency access to decent social engineers

Put the management interface behind the firewall, pronto

Stop us if you've heard this one: an emergency access feature offered by RSA for SecurID token customers isn't completely secure.

That's the opinion of pentest outfit Netspi, whose Alexander Leary worked out how to abuse the SecurID Emergency Access Tokencodes (EAT).

The use-once codes are intended to provide a temporary access mechanism for someone whose SecurID token fails or is lost: it's a “backup code that is randomly generated on the RSA server that works for a set period, typically a week or so”, Leary writes.

The problem is this: so that sysadmins aren't distracted by user requests for temporary IDs (“oh, you know, I left it in my other coat”), the SecurID console has a self-service option so users can get their own EATs.

If the user relies solely on a SecurID token, and the console is integrated with LDAP, the attacker needs nothing beyond the social engineering skill required to obtain that user's directory credentials (“After compromising a user's account who had access to the CDE, I was able to log into the RSA console using their Active Directory username and password,” Leary writes); once logged in, the console helpfully walks them to the support page where a temporary tokencode can be requested.

Users might have set PINs, but the console is helpful there as well: Netspi reckons the number of failed attempts in the “reset PIN” function isn't limited, so the PIN is brute-forceable. Lovely.

So far, however, compromising the system rests on first compromising a legitimate user's password. Where it gets more interesting, Leary writes, is if you have a username but not a password, because the console's password reset relies on the provably secure (not really) technique of security questions: there are three available per user.
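Both weaknesses above (unlimited PIN-reset attempts, and a security-question password reset that leads straight to an emergency tokencode) leave a trail in the console's audit log, and that trail is what a SOC would want to alert on. The following is an added example, not code from Netspi's write-up or from RSA's product: the audit lines are constructed, and their format (ISO timestamp, event name, user, source IP, result) is an assumption standing in for whatever the real console emits. It flags any user whose failed PIN-reset attempts cross a threshold inside a sliding window, and any emergency access tokencode issued shortly after a security-question password reset for the same user.

```python
"""Detections for the self-service-console abuse patterns described above.

Added example. The log format and event names below are assumptions
(constructed for this illustration), not RSA's actual audit format.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit lines: <ISO timestamp> <event> <user> <src_ip> <result>
#   - jsmith: 12 failed PIN resets in one minute, then a success (brute force)
#   - adoe:   one failure then a success (ordinary fat-fingered user)
#   - bkim:   password reset via security questions, EAT issued 4 minutes later
#   - cli:    EAT issued with no preceding security-question reset (no alert)
SAMPLE_LOG = "\n".join(
    [f"2021-02-10T09:00:{s:02d}Z PIN_RESET_ATTEMPT jsmith 203.0.113.7 FAIL"
     for s in range(0, 60, 5)]
    + [
        "2021-02-10T09:01:00Z PIN_RESET_ATTEMPT jsmith 203.0.113.7 SUCCESS",
        "2021-02-10T09:15:00Z PIN_RESET_ATTEMPT adoe 198.51.100.4 FAIL",
        "2021-02-10T09:15:30Z PIN_RESET_ATTEMPT adoe 198.51.100.4 SUCCESS",
        "2021-02-10T10:00:00Z PASSWORD_RESET_SQ bkim 203.0.113.7 SUCCESS",
        "2021-02-10T10:04:00Z EAT_ISSUED bkim 203.0.113.7 SUCCESS",
        "2021-02-10T11:00:00Z EAT_ISSUED cli 192.0.2.10 SUCCESS",
    ]
)


def parse_line(line):
    """Parse one assumed-format audit line into a dict with a UTC datetime."""
    ts, event, user, src_ip, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "event": event, "user": user, "src_ip": src_ip, "result": result}


def parse_log(text):
    """Parse all non-empty lines, ordered by timestamp."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def find_pin_reset_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return (user, peak_count) for every user whose FAILED PIN-reset attempts
    reach `threshold` inside any span of length `window` (sliding window)."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "PIN_RESET_ATTEMPT" and e["result"] == "FAIL":
            failures[e["user"]].append(e["ts"])
    alerts = []
    for user, stamps in failures.items():
        start, peak = 0, 0
        for end, ts in enumerate(stamps):          # stamps are already time-ordered
            while ts - stamps[start] > window:     # drop attempts older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((user, peak))
    return alerts


def find_eat_after_sq_reset(events, window=timedelta(minutes=30)):
    """Return (user, reset_ts, eat_ts) for each emergency access tokencode issued
    within `window` after a successful security-question password reset for the
    same user: the username-only attack path chained end to end."""
    last_reset = {}
    alerts = []
    for e in events:
        if e["event"] == "PASSWORD_RESET_SQ" and e["result"] == "SUCCESS":
            last_reset[e["user"]] = e["ts"]
        elif e["event"] == "EAT_ISSUED":
            reset_ts = last_reset.get(e["user"])
            if reset_ts is not None and e["ts"] - reset_ts <= window:
                alerts.append((e["user"], reset_ts, e["ts"]))
    return alerts


def run_detections(text):
    """Run both detections over raw log text and return the findings."""
    events = parse_log(text)
    return {
        "pin_bruteforce": find_pin_reset_bruteforce(events),
        "eat_after_sq_reset": find_eat_after_sq_reset(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LOG).items():
        print(name, hits)
```

The threshold and windows are tunable; the point is that a legitimate user resetting a forgotten PIN produces one or two failures, not a dozen in a minute, and that a tokencode request arriving minutes after a security-question reset is the exact sequence an attacker holding only a username would produce.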

Any moderately accomplished black-or-white-hat is schooled in Googling people's online profiles to get a shot at guessing things like mother's maiden name, childhood pet, and the like, so Netspi reckons security questions aren't a sufficiently secure reset mechanism.

Until it's fixed (The Register has asked RSA for comment, but hasn't heard back), Netspi reckons the best idea is to keep the console off the Internet altogether, because the consoles already visible to the outside world are indexed in Shodan and can be found with a Google search for "Self-Service Console – Home". ®

Biting the hand that feeds IT © 1998–2021