Reference: CERT-EU Security Advisory 2011-0030
Title: RSA SecurID Software Token DLL Loading Arbitrary Code Execution
Version history: 15.12.2011 Initial publication

Summary
=======

RSA SecurID Software Token is prone to a vulnerability that lets attackers execute arbitrary code. This vulnerability may be exploited to load arbitrary libraries by tricking a user into opening a Software Token file located on a compromised or malicious share [1].

Remote: Yes
Credibility: Vendor Confirmed
Ease: Exploit Available
CVSS[3] Base Score: 5.6
CVSS[3] v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Technical description
=====================

More description may be found in the RSA SecurID Software Token 4.1 for Microsoft Windows Release Notes [2].

Vulnerable systems
==================

RSA Security RSA SecurID Software Token 4.1
cpe:/a:rsa:rsa_securid_software_token:4.1 SYMC

Platforms:
Windows 7 Enterprise SP1 32-bit and 64-bit
Windows 7 Professional SP1 32-bit and 64-bit
Windows Vista Business SP2 32-bit and 64-bit
Windows Vista Enterprise SP2 32-bit and 64-bit
Windows XP Professional SP3

What can you do?
================

Update vulnerable software [2]:
RSA Security RSA SecurID Software Token 4.1.1
cpe:/a:rsa:rsa_securid_software_token:4.1::1 SYMC

What to tell your users?
========================

Normal security best practices apply. In particular, inform your Web users to be cautious about following links to sites provided by unfamiliar or suspicious sources. Users should not click on links in suspicious emails, and should immediately forward any suspicious email to the respective IT security officer / contact in your institution.
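Two defender-side checks for this advisory, added here as example code (not from CERT-EU or RSA): a version comparison against the fixed 4.1.1 release named above, and a scan of Sysmon-style image-load events (Event ID 7 fields Image / ImageLoaded) for the pattern the summary describes, a DLL loaded by the token client from a network share. The client executable name and the sample events are constructed placeholders; the advisory does not name the binary.

```python
from typing import Iterable, List, Tuple

# Fixed release named in the advisory ("Update vulnerable software: 4.1.1").
FIXED_VERSION = (4, 1, 1)

# Placeholder: the advisory does not name the token client executable.
PROCESS_PLACEHOLDER = "SOFTWARE_TOKEN_PLACEHOLDER.exe"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '4.1' or '4.1.1' into a 3-tuple, padding missing components with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def is_vulnerable_version(text: str) -> bool:
    """True when the installed version is older than the fixed release 4.1.1."""
    return parse_version(text) < FIXED_VERSION


def is_unc_path(path: str) -> bool:
    """True when the path starts with two backslashes, i.e. a UNC share path."""
    return path.replace("/", "\\").startswith("\\\\")


def flag_remote_dll_loads(events: Iterable[dict], process_name: str) -> List[Tuple[str, str]]:
    """Return (process image, loaded DLL) pairs where the named client process
    loaded a library straight from a network share (Sysmon Event ID 7 fields)."""
    hits = []
    for ev in events:
        image = ev.get("Image", "")
        loaded = ev.get("ImageLoaded", "")
        if image.lower().endswith("\\" + process_name.lower()) and is_unc_path(loaded):
            hits.append((image, loaded))
    return hits


# Constructed sample events (not real telemetry). Only the second matches the
# advisory's pattern: the token client resolving a DLL from the share that held
# the token file. The third is a UNC load by another process and is not flagged.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\RSA\\" + PROCESS_PLACEHOLDER,
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"Image": "C:\\Program Files\\RSA\\" + PROCESS_PLACEHOLDER,
     "ImageLoaded": "\\\\untrusted-share\\tokens\\placeholder_library.dll"},
    {"Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "\\\\fileserver\\apps\\placeholder_library.dll"},
]

if __name__ == "__main__":
    print("4.1 vulnerable:", is_vulnerable_version("4.1"))
    print("remote loads by token client:", flag_remote_dll_loads(SAMPLE_EVENTS, PROCESS_PLACEHOLDER))
```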
More information
================

[1] http://www.securityhome.eu/vulnerabilities/vulnerability.php?vid=15198330234ee962f85a8042.70063036
[2] RSA SecurID Software Token 4.1 for Microsoft Windows Release Notes
    http://www.rsa.com/node.aspx?id=2525
[3] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in best effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)