RSA developers and admins have been given two critical-level authentication bugs to patch.
For the sysadmin, the issue is in RSA's software providing Web-based authentication for Apache. CVE-2017-14377 is an authentication bypass that existed because of an "input validation flaw in RSA Authentication Agent for Web for Apache Web Server".
If the authentication agent is configured to use UDP there’s no problem, but if it’s using TCP, a remote and unauthenticated attacker can send a crafted packet that triggers a validation error, gaining access to resources on the target.
RSA has released a patch here.
The other critical-rated bug is in the RSA Authentication Agent SDK for C, meaning it would be inherited by any application built with that SDK.

Versions 8.5 and 8.7 of the SDK had an error handling flaw, CVE-2017-14378, affecting TCP asynchronous mode implementations, in which “return codes from the API/SDK are not handled properly by the application”.
If an attacker triggered the error handling flaw, they could bypass authentication restrictions on the target system.
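The flaw described above is a class of bug rather than a single line: an application that treats anything other than an explicit denial as success will wave through transport errors, timeouts and unexpected codes. The following is an added illustration, not RSA's SDK or code from this article; the `auth_rc` enum, the `AUTH_RC_*` codes and the function names are constructed for the example. It places the weak decision logic beside a fail-closed version and counts how many non-success outcomes each one accepts.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical status codes returned by an asynchronous auth SDK.
 * Constructed for this example; these are NOT the RSA SDK's codes. */
typedef enum {
    AUTH_RC_OK       = 0,   /* credentials verified */
    AUTH_RC_DENIED   = 1,   /* credentials rejected */
    AUTH_RC_PENDING  = 2,   /* async request still in flight */
    AUTH_RC_IO_ERROR = 3,   /* transport/socket failure */
    AUTH_RC_TIMEOUT  = 4    /* no reply from the server */
} auth_rc;

/* Weak pattern: any code other than an explicit denial is treated as success.
 * A transport error, timeout or still-pending request therefore grants access. */
bool weak_is_authenticated(auth_rc rc)
{
    return rc != AUTH_RC_DENIED;
}

/* Fail-closed pattern: only an explicit success code grants access; every
 * other value, including codes the SDK might add later, is a denial. */
bool hardened_is_authenticated(auth_rc rc)
{
    switch (rc) {
    case AUTH_RC_OK:
        return true;
    case AUTH_RC_DENIED:
    case AUTH_RC_PENDING:
    case AUTH_RC_IO_ERROR:
    case AUTH_RC_TIMEOUT:
    default:
        return false;
    }
}

/* In an asynchronous SDK the final status arrives in a completion callback;
 * the application's access decision is a function of that status. */
typedef bool (*decision_fn)(auth_rc);

/* Count how many non-success outcomes a decision function would accept.
 * The set of outcomes is constructed for the example. */
int count_bypasses(decision_fn decide)
{
    const auth_rc non_success[] = {
        AUTH_RC_DENIED, AUTH_RC_PENDING, AUTH_RC_IO_ERROR, AUTH_RC_TIMEOUT
    };
    int bypasses = 0;
    for (size_t i = 0; i < sizeof non_success / sizeof non_success[0]; i++) {
        if (decide(non_success[i]))
            bypasses++;
    }
    return bypasses;
}

int main(void)
{
    printf("weak handler grants access on %d of 4 non-success codes\n",
           count_bypasses(weak_is_authenticated));
    printf("fail-closed handler grants access on %d of 4 non-success codes\n",
           count_bypasses(hardened_is_authenticated));
    return 0;
}
```

The `default:` arm is the part worth copying: when an SDK's return-code set grows, a `switch` that lists only the known failures and falls through to "allowed" silently turns the new code into a bypass, whereas listing only the success code keeps every unknown outcome on the deny side.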
The fix for the C version of the SDK is here, and the bug isn’t present in the Java version of the SDK. ®