Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormKyle QuestPACKETSTORM:90284
HistoryJun 04, 2010 - 12:00 a.m.

RSA Key Manager 1.5.x SQL Injection

2010-06-0400:00:00
Kyle Quest
packetstormsecurity.com
15

0.003 Low

EPSS

Percentile

68.2%

JSON
`CVE: CVE-2010-1904  
  
Product: RSA Key Manager  
  
Vendor: EMC/RSA  
  
Vulnerable Component: Key Manager Client  
  
Vulnerable Component Version: 1.5.x  
  
Vulnerability Type: SQL injection  
  
Vendor Contact Date: 4/20/2010  
  
Status: Vendor does not want to fix the vulnerability.  
  
  
  
Vulnerability Details:  
  
RSA Key Manager Client software uses an SQLite database to cache its  
encryption keys.  
The software fails to properly validate the metadata embedded inside of the  
RSA Key Manager  
encrypted data when it perform a key lookup when the encrypted data is being  
decrypted.  
An attacker can inject SQL commands into the metadata section of the RSA Key  
Manager  
encrypted data, which will be executed by the Key Manager Client software.  
For example, an attacker can inject SQL statements to modify existing  
encryption keys,  
remove existing encryption keys, add new encryption keys, etc.  
  
  
The Key Manager client uses two types of cache: memory cache and file  
cache.  
As long as both or either of the caches are enabled the problem can be  
triggered easily.  
  
RSA Key Manager Client 1.5.x uses the following format when it encrypts  
data:  
  
Field 1 = KeyIdString  
Field 2 = NULL Terminator  
Field 3 = Encryption IV  
Field 4 = Encrypted Data  
  
Encryptionn Key Cache tables:  
  
1. "ClassTable" [contains encryption key classes configured on the server]  
  
classID VARCHAR(255) PRIMARY KEY  
keyID VARCHAR(255) [current key id for this key class]  
refreshTime INT UNSIGNED  
updateTime INT UNSIGNED  
  
2. "ConfigTable" [includes kekhash - KEK, Key Encryption Key, hash]  
  
name VARCHAR(255) PRIMARY KEY  
value VARCHAR(255)  
  
3. "KeyTable" [holds the cached encryption keys]  
  
keyID VARCHAR(255) PRIMARY KEY  
classID VARCHAR(255)  
keyData BLOB  
algorithm VARCHAR(255) [usually "AES/CBC"]  
refreshTime INT UNSIGNED  
updateTime INT UNSIGNED  
  
Sample Injections:  
  
Injecting the following sql code results in a new encryption key in the Key  
Manager (client).  
  
"; INSERT INTO KeyTable  
VALUES('1111','MyClass','MyKeyData','ABC',1000,2000);--  
  
Injecting something like the sql code below can be used to replace  
the encryption keys used by Key Manager.  
  
"; UPDATE KeyTable SET keyData ='NewKeyData' WHERE classID='MyClass';--  
`

Related

prion 1
seebug 1
securityvulns 2
cve 1
cvelist 1
nvd 1
prion
prion
Sql injection
2010-06-07 17:12:00
seebug
seebug
RSA Key Manager客户端Metadata数据SQL注入漏洞
2010-06-07 00:00:00
securityvulns
securityvulns
RSA Key Manager SQL injection
2011-01-24 00:00:00
ESA-2011-001: RSA, The Security Division of EMC, addresses RKM 1.5 C Client SQL Injection Vulnerability
2011-01-24 00:00:00
cve
cve
CVE-2010-1904
2010-06-07 17:12:48
cvelist
cvelist
CVE-2010-1904
2010-06-07 14:00:00
nvd
nvd
CVE-2010-1904
2010-06-07 17:12:48

0.003 Low

EPSS

Percentile

68.2%

JSON
Related for PACKETSTORM:90284
prion1seebug1securityvulns2cve1cvelist1nvd1