Check: 2012-B-0027
Windows 7 IAVM: 2012-B-0027 (in version v1 r32)
Title
RSA SecurID Software Token Converter Buffer Overflow Vulnerability (Cat II impact)
Discussion
RSA has addressed a buffer overflow vulnerability in the RSA SecurID Software Token Converter. RSA SecurID Software Token Converter is a command-line utility that converts a software token file (SDTID file) from XML format to a Compressed Token Format. To exploit this vulnerability, an attacker would entice a user to open a malicious file sent via email or hosted on a website. If successfully exploited, this vulnerability would allow an attacker to execute arbitrary code, resulting in a denial of service condition. At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD-related incidents.
Check Content
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems: RSA SecurID Software Token Converter prior to 2.6.1.

Check the application’s version number by using the Help, About menu. Alternately, check the version through the Support information link for the program in Add or Remove Programs or in Programs and Features (Vista forward). To expose the version column in Programs and Features, right-click somewhere in the column headers, select More, and select Version.
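
A scripted equivalent of the Programs and Features version check above, added here as an example and not part of the IAVM notice or the vendor bulletin. The display-name pattern and the status labels are assumptions; adjust the pattern to match how the converter is listed on your systems.

```powershell
# Added example: reads the same Uninstall registry data that Programs and
# Features displays and compares the recorded version against 2.6.1.
$NamePattern  = '*SecurID*Token Converter*'   # ASSUMED display-name pattern
$FixedVersion = [version]'2.6.1'              # "prior to 2.6.1" is vulnerable per the check text

# 64-bit, 32-bit (WOW6432Node) and per-user uninstall entries.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-ConverterVersion {
    param([string]$DisplayVersion)
    # Take only the leading dotted number; anything else needs a manual look.
    if ($DisplayVersion -notmatch '^\s*(\d+(\.\d+){1,3})') { return 'Review' }
    # [version] treats 2.6 as lower than 2.6.1 and 2.6.1.0 as not lower.
    if ([version]$Matches[1] -lt $FixedVersion) { 'Open' } else { 'NotAFinding' }
}

$found = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern }

if (-not $found) {
    # A command-line utility may have been copied into place without an
    # installer entry, so an empty result is not proof of absence.
    Write-Output 'No matching uninstall entry found; verify manually.'
} else {
    $found | ForEach-Object {
        New-Object PSObject -Property @{
            Name    = $_.DisplayName
            Version = $_.DisplayVersion
            Status  = Test-ConverterVersion $_.DisplayVersion
        }
    } | Format-Table Name, Version, Status -AutoSize
}
```

The script avoids syntax newer than PowerShell 2.0 so it runs on a default Windows 7 installation.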
Fix Text
Additional Identifiers
Rule ID:
Vulnerability ID: V-31831
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |